“When it’s just not your day…”
On the day a jury returned a verdict in favor of rival Adobe in a critical
patent infringement suit, Macromedia, Inc
learned that a
bug in a version of its Flash player was a security risk to IE users.
According to an advisory from eEye Digital Security, a previous version of Macromedia’s Flash
player contains a vulnerability in the parameter handling to the Flash OCX,
which could lead to the execution of attacker supplied code via email, web
or any other avenue in which IE is used to display html that an attacker can
Although the bug is quashed in the latest version of the Flash player, eEye
has warned that an untold number of IE users are unknowingly running the
older version of the Flash software and “potentially could still be used in
an exploit scenario.”
The Aliso Viejo, Calif.-based eEye, which conducts network security research
and education, said the vulnerability is particularly suspect to software,
which uses the activex web browser.
“All users of Internet Explorer are potentially affected because this is a
Macromedia signed ocx,” eEye said, urging IE users to upgrade to the Version 6 of the Flash player.
The Flash.ocx, an activex object installed with Internet Explorer, is used
to display flash objects on the Web. eEye says proper bounds checking is
not in place in the “movie” parameter which overwrites EIP at an unsaid, but
fixed number of bytes across Windows platforms.
“Because the ocx is signed by Macromedia: there is a chance the older
activex could be used against people without flash; people whom have an
older version of flash not affected may be forced to “upgrade” to the
affected version; and, of course, those with the affected versions need to
upgrade lest the exploit works out of the box on them,” eEye added.
In general, eEye said the codebase parameter can be used to point to an
affected version of the activex, causing the system to first try and grab
the activex from Microsoft’s activex store on the web. Then, it will try the
activex specified in the codebase tag by the malicious user.
“We do not believe this method is foolproof because of the potential of the
activex storehouse check failing and because of the potentiality for the
activex to be called by other methods,” the company added.
The vulnerability warning comes as a double-whammy for Macromedia at a time
when the company is basking in the glow of the MX family
release, which combines flash with a collection of tool, server, and
client technologies within a single environment.
Flash is also at the center of the patent infringement ruling in favor of
competitor Adobe Systems, which includes a damage award of $2.8 million.
Adobe sued Macromedia in August 2000, alleging patent infringement on a
user-interface patent called “tabbed palettes” which is patented by Adobe.
Macromedia, which added the technique to its Flash multimedia-authoring
program, has countersued and plans to appeal the latest ruling.
“It is unfortunate, and we believe wrong, that Adobe has chosen this field
to compete. Ultimately, it is our customers, and particularly our mutual
customers, that will be harmed,” said Macromedia CEO Rob Burgess. “We have
no choice but to protect our right to innovate and must defend ourselves on
this playing ground.”
Macromedia said it expects no material impact from this judgment on its
financial condition or market leadership.