Macromedia warns of second Flash bug
- 18 November, 2005 08:05
Macromedia has warned of flaws in several of its server products that could leave enterprises vulnerable to attacks. The incident is the second time in two weeks that Macromedia has issued patches.
This time the flaws are on the server side, rather than in Macromedia's widely used Flash Player software. The bugs leave Flash Communication Server MX, Breeze Communication Server, Breeze Live Server and Contribute Publishing Server (CPS) vulnerable to crashes or information disclosure, Macromedia said.
Macromedia said that Flash Communication Server MX versions 1.0 and 1.5 don't properly validate some RTMP data sent by Flash Player, which can allow users to crash the server.
Macromedia discovered the bug could be triggered by an alpha build of Flash Player 8.5. The company labelled the bug "important" and said users should patch.
Breeze Communication Server and Breeze Live Server are affected by exactly the same vulnerability, Macromedia said.
The company also said users should update Contribute Publishing Server to the latest version, 1.11, to fix weak encryption of user passwords in connection keys that use shared FTP login credentials. The new version uses a more secure encryption algorithm, Macromedia said.
Patching instructions are included in the advisories on Macromedia's site.
Two weeks ago Macromedia warned of a critical bug in Flash Player that exposed millions of systems to serious attacks. eEye, the security research firm co-credited with discovering the bug, said it had demonstrated "reliable exploitation" of the bug in the Internet Explorer browser, and other browsers are said to be just as open to attack.