A specially formatted Flash file can cause a header overflow in the Flash software, potentially giving an attacker control over a PC, eEye said in a security advisory. Exploiting an overflow flaw generally allows attackers to load malicious code onto a victim's system and to run that code.
To exploit the vulnerability, an attacker has to hand-edit the Flash file with a binary editor, as the Flash authoring tool does not produce files that contain the vulnerability on its own, Macromedia said in a separate bulletin on its Web site at www.macromedia.com/v1/handlers/index.cfm?ID=23569
A corrupt Flash file could be placed on a Web site or sent to a user in an HTML e-mail. The vulnerability is serious because Flash is widely used on various operating systems and because vulnerable versions of the software are delivered as part of many software packages, said eEye.
All versions of the Macromedia Flash Player are affected before version 22.214.171.124, which was released late last week to fix the issue, Macromedia said. All users are advised to upgrade to the new version, the San Francisco company said.
The eEye advisory is at www.eeye.com/html/Research/Advisories/AD20021216.html