Date Issued: April 15th, 2008
Affected Software and Components: Flash content produced by Camtasia Studio v1, v2, v3, v4, and v5, except ExpressShow SWF content (the default in v5), which does not accept external input variables. Camtasia Studio v5.1 resolves this issue and is not affected by the vulnerability.
Vulnerability Description: If Flash content (for example, SWF files) created by the affected software above is embedded in a website, the website hosting that Flash content may be vulnerable to cross-site scripting attacks. An attacker can submit malicious data to the vulnerable Flash content in order to perform a cross-site scripting attack: when the vulnerable Flash content is viewed by a website visitor, the visitor's Flash player may take insecure, potentially harmful actions. These actions include modification of website content or sending website information, such as cookies, to the attacker.
Workarounds or Mitigations: Customers concerned about creating secure Flash content should upgrade to Camtasia Studio v5.1. Customers concerned about viewing Flash content can upgrade their Flash player. Adobe reports that it has addressed the vulnerability with an update to Flash Player (v9.0.115.0), as explained at the following link: Adobe Security Bulletin
Additional Information: No other TechSmith products or services are affected by this vulnerability. SWF files created by the TechSmith Jing application are not affected, since no user-controlled input is passed to the SWF file. Camtasia Studio SWF files hosted on TechSmith's Screencast.com media hosting site, created using any version of Camtasia Studio with any production options, are not affected: the input parameters passed to SWF files hosted on Screencast.com are supplied by the Screencast.com service itself, which mitigates this vulnerability. No other TechSmith products produce or use SWF files.
Acknowledgements: TechSmith would like to thank Rich Cannings of the Google Security Team for reporting this issue to us.