Update: Macromedia reports critical hole in Flash player

SAN FRANCISCO -- Macromedia warned Monday of what it called a critical security flaw in the latest version of its Flash animation player and advised users to install a new version that it released on the Web to fix the problem.

The security flaw affects version 6 of the Macromedia Flash Player, which was released a year ago this month and has been installed on an estimated 75 percent of personal computers worldwide, according to the company.

The vulnerability affects the integrity of the player's "sandbox," which is supposed to act as a cordoned-off area where Flash code retrieved from the Web can be run safely, without access to a user's files. The flaw could allow a malicious hacker to run native code on a user's computer, outside the sandbox, possibly without the user's knowledge, according to information on the company's Web site.

No users had reported having being affected by the problem as of Tuesday afternoon, said Paul Madar, who was recently appointed Macromedia's chief security officer. Nevertheless, the company advised users to download a new version of the player -- version 6.0.79.0 -- from its Web site immediately.

As well as fixing the latest vulnerability the new version serves as a cumulative patch, fixing other security flaws reported since the product's release, including memory buffer overflows, Macromedia said. It also offers other tweaks intended to boost performance of the product.

The latest vulnerability was reported to the company about two months ago by an independent researcher, Madar said. It took the company until now to fix the breach and to then test it across the various platforms that Flash Player runs on.

"It's not fixing the vulnerability (that takes time), it's the testing. The product is so widely distributed and you have to make sure that the fix you create doesn't break it or introduce a new security hole," he said.

The vulnerability is a difficult one to exploit, according to Madar, but he said he has a "healthy respect" for the hacker community and advised users to update to the new player right away. The security bulletin, with a link to the download site, is at http://www.macromedia.com/v1/handlers/index.cfm?ID=23821

He said it's common for the company to issue a player upgrade rather than a simple patch to fix a security hole, since the whole product is relatively small to download.

Macromedia sought to assure users of the steps it takes to make its products secure. These include hiring experts outside the company to run "penetration" tests on its products before they are released, it said.

Macromedia has issued more than 15 security patches, bulletins and notifications over the past year, according to information on its Web site. It recently implemented a ranking system akin to that used by Microsoft and other software vendors, designating vulnerabilities as critical, important, moderate and low.

"The testing program finds many issues prior to product shipment. But while we strive to improve the program, we can still miss issues," Madar wrote in a recent posting on the company's Web site. The company appreciates the work of developers and enthusiasts who uncover vulnerabilities in its shipping products and report them directly to the company, he added Tuesday.

Flash is the most popular format for creating animation for Web sites. In December 2002 the free Flash Player had been installed on 98 percent of personal computers worldwide, or close to half a billion machines, and around three quarters were running Flash Player 6, according to a survey conducted for Macromedia by research company NPD Online.