4 March 2002



Another Security Hole Found In Macromedia Flash

By Brian McWilliams, Newsbytes.
26 Feb 2002, 2:03 PM CST

A new technique for embedding malicious code in Flash files has been discovered, prompting Macromedia to patch its standalone Flash player.

Using an undocumented feature in the Flash 5 authoring tool, a Macromedia customer found it was possible to create a "Trojaned" Flash movie that, when viewed using the standalone Flash player, would place a malicious script on the viewer's computer.

An advisory and a harmless demonstration of the new flaw was posted on the Web this week by the Macromedia customer, who uses the nickname Vengy.

According to Vengy, Flash 5 supports an undocumented ActionScript command called fscommand:save that enables Flash developers to save the main timeline variables of a movie to a file.

Vengy's demo showed how the "save" command could be used to create a batch program on the hard disk of Flash standalone player users who viewed a movie containing the Trojan horse code. In the demo, the Trojan program executed when the victim rebooted his or her computer.

A Macromedia representative today said the company released an updated version of its standalone Flash player Monday, and that the "save" feature would be removed from future versions of the player.

Last month, in response to reports of the first virus designed to infect Flash files, Macromedia removed a related feature from its standalone Flash player that enabled Flash movies to execute external programs on the viewer's system.

Neither the new vulnerability nor January's SWF/LFM-926 virus affects the millions of users of Macromedia's browser-based Flash plug-in or ActiveX control. Those players do not have access to special commands, and Flash files played back through a browser are secure, according to Macromedia.

The standalone Flash player is included with Macromedia's Flash authoring system, a commercial product that is used by developers to create presentations in the popular Shockwave Flash (SWF) format.

Responding to Vengy's report on how to exploit the fscommand:save feature, Macromedia updated its standalone Flash player available for download from its site. However the company had not yet issued a technical note announcing the vulnerability. Nor was the updated player included in the Flash 5 trial available for download today.

The SWF/LFM-926 virus exploited a related ActionScript command known as fscommand:exec to propagate itself to other Flash files on the victim's PC.

In response to the discovery of the virus, in January Macromedia released an update to its standalone Flash player that causes the player to ignore the "exec" action.

For Flash authors who wished to retain the exec feature and not update their standalone Player, Macromedia also released a utility that cleared the Shockwave Flash (SWF) file type association from the Windows registry.

Shane Coursen, a virus expert and CEO of WildList Organization International, said the "save" vulnerability, like the SWF/LFM-926 virus, was "mainly academic" and unlikely to affect many people.

"Since these flaws only affect the authorware version of Flash, it's unlikely they'll be exploited in a widespread way," said Coursen.

Still, Coursen advised sites hosting Flash content to redouble their efforts to ensure the security and authenticity of their SWF files.

Vengy's advisory on the Flash "save" vulnerability is at .

Macromedia's technical note on the "exec" hole is at .

A description of the SWF/LFM-926 virus is at

Reported by Newsbytes, .

14:03 CST
Reposted 17:06 CST

© 2001 The Washington Post Company