Macromedia's Flash has a critical bug that leaves all browser users armed with the popular media player open to attack, a security firm announced late Friday.
The vulnerability, said eEye Digital Security, the Aliso Viejo-Calif.-based company that discovered the flaw, is in the code of Flash.ocx, the component responsible for playing back .swf files (Flash content files). An attacker who manages to entice a user to a malicious Web site with a malformed Flash file could grab control of the PC, said eEye, if that user was running Windows with Administrator rights.
"We've assigned it our "High' rating, which means the vulnerability allows for code execution," said Steve Manzuik, the research team lead at eEye. "There's one caveat: it happens in the context of a logged-in user. But with the number of people running, say, Windows XP Home as an Administrator, that's still dangerous."
Other security firms have given the bug a similarly high ranking. Secunia, a Danish vulnerability tracker, listed the Flash flaw as "Highly critical," just one step from the top of its rating system. Macromedia itself acknowledged it as a "critical" bug in its own security advisory.
Macromedia has patched the vulnerability, which exists in Flash 6 and 7 for Windows, and has posted an updated edition -- version 188.8.131.52 -- which corrects the problem. (Windows 95 or NT users can't install Flash 8, so Macromedia has posted a separate fix for them, dubbed "184.108.40.206.")