Security hole in Adobe's Flash Basic, Professional and CS3
Adobe has confirmed a security hole in Flash Basic, Professional and Creative Suite 3 Professional through which malicious code can be injected using manipulated .fla files. .fla files contain the source for Flash animations.
Neither Fortinet, which discovered the hole, nor Adobe itself is releasing technical details. A hacker named cocoruder has, however, explained in an e-mail to the Full Disclosure mailing list that changing some addresses in a .fla file sends the Adobe software astray, enabling outside code to be called.
Adobe has confirmed the hole in Flash Basic 8, Flash Professional 8 and CS3 Professional and has announced a fix for coming versions. According to cocoruder, however, the vulnerabilities also affect Macromedia Flash MX 2004. The Mac versions of Flash Basic and Professional are apparently not susceptible. Users who download .fla files from the net should make sure they only open files from trusted sources.
See also:
- Adobe Flash CS3 Professional Multiple .FLA Parsing Vulnerabilities, security advisory from Fortinet
- Potential vulnerability in Flash CS3 Professional, Flash Professional 8 and Flash Basic 8, error message from Adobe
- Adobe Flash CS3 Professional FLA File Parsing Multiple Local Code Execute Vulnerabilities, vulnerability report by cocoruder at Full Disclosure
(mba)