Flash Security Hole

← Back to Stories (view on slashdot.org)

Posted by Hemos on Monday March 10, 2003 @12:34AM from the who-needs-security dept.

otterpop378 wrote to us about a From report on CNN about a new security hole in Flash. Evidently, it's pretty big, as Macromedia wants everyone to update - sounds like the sandbox isn't quite working as it should.

18 comments

Min score:

Reason:

Sort:

If you use gentoo... by JimDabell · 2003-03-10 00:55 · Score: 2, Informative

This is already fixed in gentoo:
emerge sync; emerge -u netscape-flash
1. Re:If you use gentoo... by Anonymous Coward · 2003-03-11 09:01 · Score: 0
  
  I use links (former lynx), so I dont care...
2. Re:If you use gentoo... by Wolfrider · 2003-03-11 20:18 · Score: 1
  
  --Using Opera 6.1, www.macromedia.com shows a blank page. :(
  
  --
  .
  == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
Nice irony... by $rtbl_this · 2003-03-10 00:57 · Score: 2, Funny

...accompanying a story about a serious security hole in Flash with a Flash-based popup advert.

--
"Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
conspiracy theorist by Anonymous Coward · 2003-03-10 01:47 · Score: 1, Insightful

The conspiracy theorist in me can't help but think this security update -- which doesn't specify anything other than a buffer overflow -- is an attempt to get people to upgrade to the latest version of Flash, which I believe is now required to properly interact with the new Macromedia.com.
1. Re:conspiracy theorist by Khalidz0r · 2003-03-10 01:59 · Score: 2, Insightful
  
  Heh, a big company wouldn't give up their reputation in security to simply get you to update, there are better ways to do that.
  
  The worst thing a company would think of doing is announcing that their software is not secure, for whatever reason.
  
  Khalid
  
  --
  "What you 'seek' is what you get!"
2. Re:conspiracy theorist by MarkGriz · 2003-03-10 02:21 · Score: 2
  
  Funny thing though... there is no mention of this huge security hole on their web page. If they were so interested in security,
  you'd think they would at least announce a "New version of Flash available - now with improved security. Click here to download"
  
  --
  Beauty is in the eye of the beerholder.
3. Re:conspiracy theorist by Dudio · 2003-03-10 03:01 · Score: 2, Interesting
  
  I didn't see anything posted to the lists (Bugtraq, Vulnwatch, Full Disclosure, etc.) about this either, until the Gentoo announcement yesterday. For an issue Macromedia calls critical, they sure are being quiet about it.
4. Re:conspiracy theorist by Anonymous Coward · 2003-03-12 01:17 · Score: 0
  
  Is that why Microsoft says that NT isn't secure and everyone should upgrade to XP (new EULA &co)
Any easy way to temporaily disable flash in IE? by Palos · 2003-03-10 03:54 · Score: 2, Insightful

This is kind of offtopic, but with a lot of sites using flash for ads that adblockers don't seem to block well, is there a way to disable it temporaily easily? I've seen some sites that show how to get rid of it, but that just brings up a popup anytime you go to a site with it. I swear 95% of the flash out there now is crap, but the other 5% is cool games I want to play :)
1. Re:Any easy way to temporaily disable flash in IE? by oyenstikker · 2003-03-10 03:57 · Score: 2, Interesting
  
  www.homestarrunner.com completely justfies flash on its own.
  
  --
  The masses are the crack whores of religion.
2. Re:Any easy way to temporaily disable flash in IE? by waylander · 2003-03-10 08:28 · Score: 1
  
  Google turned up this link on Macromedia's site: http://www.macromedia.com/support/flash/ts/documen ts/remove_player.htm
  
  --
  John Kramer
  God may be my co-pilot, but the devil is my backseat driver.
Macromedia Site tells nothing by Anonymous Coward · 2003-03-10 06:42 · Score: 1, Interesting

I visited the site only to find nothing about the security hole. Crisis by denial? Download section also had nothing to tell you there was a security hole. Just one big nothing.
1. Re:Macromedia Site tells nothing by zero_offset · 2003-03-11 05:31 · Score: 1
  
  Actually I gave up searching and just guessed the URL, and it worked: http://www.macromedia.com/security
  
  --
  Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005
More info by Gogo+Dodo · 2003-03-10 07:08 · Score: 4, Informative

For those looking for details on the vulnerability, see MPSB03-03 Security Patch for Macromedia Flash Player.
The short answer is that you need to upgrade to Player 6,0,79,0 (why the heck Macromedia uses commas instead of periods is beyond me).
Macromedia Flash Player RPMS by Laven · 2003-03-10 08:11 · Score: 2, Informative

http://macromedia.mplug.org
Hi, I am the maintainer of the Macromedia Flash Player RPMS for Linux. The RPM packages have been updated a few days ago, available in apt and urpmi repositories for various Linux distributions.
The site has instructions for Gentoo and Debian Linux installation too.