* via http://techPolice.com

Possible Widespread Software Security Hole Found
Thursday, January 4, 2001
By Michael Della Bitta

NEW YORK — An independent computer expert says he has found a gaping security hole in widely used Internet software that could give hackers the ability to easily access users' computers.

The security issue is with the Macromedia Flash Player plug-in, a piece of software that allows users to view Web pages with animated multimedia content. The majority of personal computers connected to the Internet are at risk, since most Web browsers come with the plug-in preinstalled. Macromedia's Web site claims that 96 percent of Internet users have the Flash software in question.

Neal Krawetz, the computer expert who claims to have found the problem, posted his findings to an Internet mailing list called Bugtraq last Friday. Bugtraq list members discuss problems and vulnerabilities in computer software.

"It's an easy way for someone to be able to run a program on your computer. That's kind of the ultimate goal for an attacker," according to Ryan Russell. Russell is MIS manager at Securityfocus.com, the site that runs Bugtraq.

The problem with the Flash plug-in, according to Krawetz, is that it is vulnerable to something called a "buffer overrun exploit." Buffer overruns occur when a program runs into a large chunk of data that it can't handle. Most of the time, this situation would only cause the program to crash. In this case, Krawetz claims, someone can write a Flash file that contains a program that will be run when the buffer overrun occurs. That program would be capable of doing serious damage to the machine in question, Russell said.

Flash files aren't ordinarily capable of doing damage to a user's machine; they can't delete files or carry a virus. "Obviously someone has found a way around that," Russell said.

Macromedia declined to comment until speaking with Krawetz, who was unavailable at press time.

Since Flash files are widespread on the Internet, Russell said a hacker could conceivably break into a Web site and hide a malicious Flash file on the front page. Visitors would unknowingly download the file and infect their machine, causing whatever damage the author of the Flash file intended.

According to Krawetz's Bugtraq post, it would be possible to write a single Flash file that could damage computers using various operating systems. Usually, a virus is only capable of infecting one type of computer or operating system. "We haven't seen that before," Russell said.

Russell downplayed the immediate urgency of the situation. "It's not super-severe right at this second, as long as people aren't taking advantage of it," he said, but then he added, "I think it's a matter of time before someone does."

According to Krawetz's Bugtraq post, he initially contacted Macromedia about the problem in early July, but they only responded with a message saying they were investigating the problem.

http://www.foxnews.com/scitech/010501/macromedia_hole.sml