Macromedia Flash Player Might Expose Cookies

Reported April 13, 2003, by Scan Security Wire

VERSIONS AFFECTED

Macromedia Flash Player

 

DESCRIPTION

A problem with Macromedia Flash Player's advertisement-tracking feature can expose user cookies. The clickTAG parameter that Flash Player supports lets HTML pages define the click-through destination URL for a related advertisement. A malicious user can use the clickTAG parameter to insert scripting code, which might execute if the Flash advertisement doesn't validate the URL before passing it to the ActionScript getURL function.

 

VENDOR RESPONSE

Macromedia issued a statement of clarification for implementers of Flash advertisements: "A new player version is not required. Macromedia Flash advertisements that accept clickTAGs need to validate that the clickTAG URL begins with 'http:'. This helps ensure the clickTAG does not contain malicious code."
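
The check the vendor describes, sketched in JavaScript so it can be run outside Flash Player; this is an added example, not Macromedia's code or part of the original advisory. The helper names, the sample URLs, the assumption that the page passes clickTAG on the movie URL's query string, and the stricter "http://" / "https://" prefixes (the statement asks only for 'http:') are all assumptions made here.

```javascript
// Added example (not Macromedia's code). Helper names and sample URLs are constructed.
// Assumption: "https://" is allowed in addition to the vendor's 'http:' prefix,
// and the "//" is required so that a bare "http:" is refused as well.
const ALLOWED_PREFIXES = ["http://", "https://"];

// Return the destination unchanged if it may be handed to a navigation call
// (getURL in the advertisement), otherwise null.
function validateClickTag(value) {
  if (typeof value !== "string") return null;
  const lower = value.toLowerCase(); // scheme names are case-insensitive
  for (const prefix of ALLOWED_PREFIXES) {
    // Anchor the match at index 0: the URL must BEGIN with the prefix,
    // not merely contain it somewhere later in the string.
    if (lower.indexOf(prefix) === 0 && lower.length > prefix.length) return value;
  }
  return null;
}

// Extract and check the clickTAG that an HTML page passes to the movie.
// Assumption: the parameter travels on the movie URL's query string.
function auditEmbedSrc(src) {
  const q = src.indexOf("?");
  const params = new URLSearchParams(q === -1 ? "" : src.slice(q + 1));
  const clickTag = params.get("clickTAG"); // percent-decoded value, or null if absent
  return { clickTag, safe: validateClickTag(clickTag) !== null };
}

// Constructed sample embeds covering the accept and reject paths.
const SAMPLES = [
  "ad.swf?clickTAG=http%3A%2F%2Ftracker.example%2Fclick%3Fid%3D42", // plain http URL
  "ad.swf?clickTAG=HTTPS%3A%2F%2Fshop.example%2F",                  // upper-case scheme
  "ad.swf?clickTAG=javascript%3Avoid(0)",                           // script scheme
  "ad.swf?clickTAG=javascript%3Avoid('http%3A%2F%2Fx.example')",    // "http:" present, not leading
  "ad.swf?clickTAG=http%3A",                                        // scheme only, no destination
  "ad.swf",                                                         // parameter missing
];

// One boolean per sample: true means the destination may be opened.
function auditAll(samples) {
  return samples.map((s) => auditEmbedSrc(s).safe);
}

console.log(auditAll(SAMPLES));
```

An advertisement that gets null back should skip the navigation call entirely rather than fall back to the unvalidated value.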

 

CREDIT

Discovered by Scan Security Wire.
