The vulnerability is in the code of Flash.ocx, the component responsible for playing back Flash content files, a security firm said.
Macromedia's Flash has a critical bug that leaves all browser users armed with the popular media player open to attack, a security firm announced late Friday.
The vulnerability, said eEye Digital Security, the Aliso Viejo-Calif.-based company that discovered the flaw, is in the code of Flash.ocx, the component responsible for playing back .swf files (Flash content files). An attacker who manages to entice a user to a malicious Web site with a malformed Flash file could grab control of the PC, said eEye, if that user was running Windows with Administrator rights.
"We've assigned it our "High' rating, which means the vulnerability allows for code execution," said Steve Manzuik, the research team lead at eEye. "There's one caveat: it happens in the context of a logged-in user. But with the number of people running, say, Windows XP Home as an Administrator, that's still dangerous."
Other security firms have given the bug a similarly high ranking. Secunia, a Danish vulnerability tracker, listed the Flash flaw as "Highly critical," just one step from the top of its rating system. Macromedia itself acknowledged it as a "critical" bug in its own security advisory.
Macromedia has patched the vulnerability, which exists in Flash 6 and 7 for Windows, and has posted an updated edition -- version 22.214.171.124 -- which corrects the problem. (Windows 95 or NT users can't install Flash 8, so Macromedia has posted a separate fix for them, dubbed "126.96.36.199.")
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.