Macromedia patches security hole in Flash software

A security vulnerability in the widely used Macromedia Inc. Flash player can allow an attacker to gain control over a user’s PC, eEye Digital Security Inc. warned Monday.

A specially formatted Flash file can cause a header overflow in the Flash software, potentially giving an attacker control over a PC, eEye said in a security advisory. Exploiting an overflow flaw generally allows attackers to load malicious code onto a victim’s system and to run that code.

To exploit the vulnerability, an attacker has to hand-edit the Flash file with a binary editor as the Flash authoring tool does not produce files that contain the vulnerability on its own, Macromedia said in a separate bulletin on its Web site.

A corrupt Flash file could be placed on a Web site or sent to a user in an HTML (Hypertext Markup Language) e-mail. The vulnerability is serious because Flash is widely used on various operating systems and because vulnerable versions of the software are delivered as part of many software packages, said eEye, based in Aliso Viejo, Calif.

Affected are all versions of the Macromedia Flash Player prior to version, which was released late last week to fix the issue, Macromedia said. All users are advised to upgrade to the new version, the San Francisco company said.

EEye in the past year has found numerous vulnerabilities in Macromedia’s Flash software. The overflow vulnerability reported Monday is similar to a bug in the Flash player discovered in August, but with variations in the modified Flash code written by the attackerer, eEye said.

For details, visit the firm’s Web site at