Microsoft Warns of Flash Vulnerability

Microsoft this week notified customers regarding vulnerabilities in Macromedia Flash, the first time the company has ever issued a security advisory for a third party product. Redmond officials say the step was taken because Flash ships with Windows XP SP1 and SP2, along with older Windows versions.

The advisory comes two days after Macromedia warned of the "critical" problem, which affects certain versions of Flash Player 7 and earlier. According to the company, the vulnerability could allow a hacker to inject code that the player would then execute, resulting in the compromising of a user's system.

The flaw was originally discovered by eEye Digital Security in June, but Macromedia waited until Flash Player 8 was ready to offer a fix. Users are instructed to upgrade to version 8, or download a patch for Flash 7 if they do not meet the system requirements for the most recent release.

Microsoft has instructed Windows users to, "follow the guidance documented in Macromedia's Security Bulletin." However, the company has offered a few of its own solutions to remedy the problem, including disabling the Flash Active X control and even uninstalling the software altogether.

"If customers are not using Macromedia Flash Player on their system, or customers do not need Macromedia Flash Player, they can disable the ActiveX control in Internet Explorer to help protect against these vulnerabilities," Microsoft says in the advisory.

Macromedia has not said why it sat on the problem for so long, but notes in its own security bulletin that, "When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate."