Macromedia Patch Trifecta Plugs Security Holes

Denial of service and system information leakage flaws are uncovered in three enterprise-facing server products.

Macromedia Inc. on Wednesday released a batch of security patches to cover a trio of flaws affecting some of its enterprise-facing server products.

The San Francisco, Calif.-based software and platform provider said the vulnerabilities could put users at risk of denial-of-service and information disclosure attacks.

Two of the flaws are rated "moderately critical" by security alerts aggregator Secunia Inc.

Affected products include the Macromedia Flash Media Server, the Macromedia Breeze Communication Server/Live Server and the Macromedia Contribute Publishing Server.

The Macromedia Flash Media Server bug affects versions 1.0 through 1.5. The company explained that the server does not sufficiently validate some RTMP data, a bug that can cause server instability or crashes.

Patches have been included in the Macromedia advisory.

A second alert was released to warn about a denial-of-service hole in the Macromedia Breeze Communication Server/Live Server, which is part of the companys Web conferencing and communications software suite.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

That flaw, also rated "moderately critical," affects Macromedia Breeze 4.x through 5.x.

Macromedia said the vulnerability is caused due to an error in validating RTMP data. This may be exploited to cause the server to become unstable or crash via specially crafted RTMP data sent from a Flash Player.

/zimages/2/28571.gifClick here to read more about a security hole in Macromedias Flash Player.

The third vulnerability, in the Macromedia Contribute Publishing Server, can allow malicious hackers to hijack sensitive information.

Macromedia said the issue is caused due to a weak encryption algorithm being used to encrypt user password in connection keys that use shared FTP login credentials.

The flaw affects versions prior to 1.11.

The trifecta of patches come on the heels of a critical Flash Player update that could be exploited to hijack millions of computers.

The flaw was flagged in Macromedia Flash Player and earlier versions.

According to eEye Digital Security, the private research firm that reported the issue to Macromedia, the vulnerability opens the door for a malicious hacker to run arbitrary code in the context of the logged-in user.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.