Security researchers have discovered a vulnerability in Macromedia's Flash Player that creates a mechanism for hackers to attack the PCs of users running the popular application. The security bug - described as critical - affect Macromedia Flash Player 6.x and 7.x. Macromedia has issued security updates.
The flaw stems from a failure to reject malformed SWF files as invalid. This bug might be exploited by using specially crafted (malformed) SWF file to execute arbitrary code on the machines of users induced into visiting sites under the control of hackers.
Flash Player version 22.214.171.124 and prior on the Windows platform, and in versions prior to 126.96.36.199 on Unix, are reportedly vulnerable. Users are advised to upgrade to Flash Player 8 (188.8.131.52) or apply a Flash Player 7 update (184.108.40.206 or 220.127.116.11) in order to guard against possible attack. An advisory from Macromedia explaining the security glitch can be found here. The bug was independently discovered by Fang Xing of eEye Digital Security (advisory here) and Bernhard Mueller of SEC Consult (advisory here). ®