Macromedia Flash Player Might Expose Cookies

Reported April 13, 2003, by Scan Security Wire

VERSIONS AFFECTED

Macromedia Flash Player

DESCRIPTION

Aproblem with Macromedia Flash Player's advertisement-tracking feature can exposeuser cookies. The clickTAG parameter that Flash Player supports lets HTML pagesdefine the click-through destination URL for a related advertisement. Amalicious user can use the clickTAG parameter to insert scripting code thatmight execute if the Flash advertisement doesn't validate URLs before passingthem to the "ActionScript getURL" function.

VENDOR RESPONSE

Macromediaissued a statement ofclarification for implementers of Flash advertisements: "A new playerversion is not required. Macromedia Flash advertisements that accept clickTAGsneed to validate that the clickTAG URL begins with 'http:'. This helps ensurethe clickTAG does not contain malicious code."

CREDIT          

Discoveredby Scan Security Wire.

Reported April 13, 2003, by Scan Security Wire

VERSIONS AFFECTED

Macromedia Flash Player

DESCRIPTION

Aproblem with Macromedia Flash Player's advertisement-tracking feature can exposeuser cookies. The clickTAG parameter that Flash Player supports lets HTML pagesdefine the click-through destination URL for a related advertisement. Amalicious user can use the clickTAG parameter to insert scripting code thatmight execute if the Flash advertisement doesn't validate URLs before passingthem to the "ActionScript getURL" function.

VENDOR RESPONSE

Macromediaissued a statement ofclarification for implementers of Flash advertisements: "A new playerversion is not required. Macromedia Flash advertisements that accept clickTAGsneed to validate that the clickTAG URL begins with 'http:'. This helps ensurethe clickTAG does not contain malicious code."

CREDIT          

Discoveredby Scan Security Wire.