RealTime IT News

Double Whammy Hits Macromedia

"When it's just not your day..."

On the day a jury returned a verdict in favor of rival Adobe in a critical patent infringement suit, Macromedia, Inc. learned that a bug in a version of its Flash player was a security risk to IE users.

According to an advisory from eEye Digital Security, a previous version of Macromedia's Flash player contains a vulnerability in the parameter handling of the Flash OCX, which could lead to the execution of attacker-supplied code via email, the web or any other avenue in which IE is used to display HTML that an attacker can supply.

Although the bug is quashed in the latest version of the Flash player, eEye has warned that an untold number of IE users are unknowingly running the older version of the Flash software and "potentially could still be used in an exploit scenario."

The Aliso Viejo, Calif.-based eEye, which conducts network security research and education, said software that uses the ActiveX web browser is particularly exposed to the vulnerability.

"All users of Internet Explorer are potentially affected because this is a Macromedia signed ocx," eEye said, urging IE users to upgrade to Version 6 of the Flash player.

Flash.ocx, an ActiveX object installed with Internet Explorer, is used to display Flash objects on the Web. eEye says the "movie" parameter lacks proper bounds checking, so an overlong value overwrites EIP at an undisclosed but fixed number of bytes across Windows platforms.

"Because the ocx is signed by Macromedia: there is a chance the older activex could be used against people without flash; people who have an older version of flash not affected may be forced to 'upgrade' to the affected version; and, of course, those with the affected versions need to upgrade lest the exploit works out of the box on them," eEye added.

In general, eEye said the codebase parameter can be used to point to an affected version of the ActiveX control. The system first tries to fetch the control from Microsoft's ActiveX store on the web, then tries the control specified in the codebase tag by the malicious user.

"We do not believe this method is foolproof because of the potential of the activex storehouse check failing and because of the potentiality for the activex to be called by other methods," the company added.
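A defensive check built on the two behaviours eEye describes, as an added example that is not code from eEye, Macromedia or the advisory: it audits untrusted HTML (mail bodies, proxied pages) for Flash `<object>` tags whose `codebase` points off an allowlist or whose "movie" parameter is unusually long. The allowlist, the length limit and the sample markup are assumptions made for the illustration; the advisory does not disclose the overflow length.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"  # Flash ActiveX control
TRUSTED_CODEBASE_HOSTS = {"download.macromedia.com"}  # assumption: local allowlist
MAX_MOVIE_LEN = 256  # assumption: policy limit; the advisory gives no byte count


class FlashObjectAuditor(HTMLParser):
    """Collects findings for Flash <object> tags in untrusted HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_flash = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            self._in_flash = a.get("classid", "").strip().lower() == FLASH_CLSID
            if self._in_flash and "codebase" in a:
                # A relative or malformed codebase has no host and is flagged too.
                host = (urlparse(a["codebase"]).hostname or "").lower()
                if host not in TRUSTED_CODEBASE_HOSTS:
                    self.findings.append(("untrusted-codebase", host))
        elif tag == "param" and self._in_flash:
            if a.get("name", "").lower() == "movie" and len(a.get("value", "")) > MAX_MOVIE_LEN:
                self.findings.append(("overlong-movie", len(a["value"])))

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_flash = False


def audit(html):
    """Return a list of (finding, detail) tuples for one HTML document."""
    auditor = FlashObjectAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed samples, not taken from the advisory.
CLASSID = 'classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"'
BENIGN = ('<object ' + CLASSID + ' codebase="http://download.macromedia.com/'
          'pub/shockwave/cabs/flash/swflash.cab"><param name="movie" value="intro.swf"></object>')
SUSPECT = ('<object ' + CLASSID + ' codebase="http://files.example.net/old/swflash.cab">'
           '<param name="movie" value="' + "A" * 400 + '"></object>')

if __name__ == "__main__":
    print(audit(BENIGN), audit(SUSPECT))
```
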

The vulnerability warning comes as a double-whammy for Macromedia at a time when the company is basking in the glow of the MX family release, which combines Flash with a collection of tool, server, and client technologies within a single environment.

Flash is also at the center of the patent infringement ruling in favor of competitor Adobe Systems, which includes a damage award of $2.8 million.

Adobe sued Macromedia in August 2000, alleging infringement of an Adobe user-interface patent called "tabbed palettes." Macromedia, which added the technique to its Flash multimedia-authoring program, has countersued and plans to appeal the latest ruling.

"It is unfortunate, and we believe wrong, that Adobe has chosen this field to compete. Ultimately, it is our customers, and particularly our mutual customers, that will be harmed," said Macromedia CEO Rob Burgess. "We have no choice but to protect our right to innovate and must defend ourselves on this playing ground."

Macromedia said it expects no material impact from this judgment on its financial condition or market leadership.