
TechSmith Security Bulletin


What is a Security Bulletin?

A security bulletin is a public statement published by TechSmith to announce the resolution of a security issue, including resources (for example, a patch) to help our customers protect themselves.

Security Bulletin 1: Cross-site Scripting in Flash SWF Files

Date Issued:

April 15th, 2008

Affected Software and Components:

Flash content produced by Camtasia Studio v1, v2, v3, v4, and v5, except ExpressShow SWF content (the default in v5), which does not accept external input variables. Camtasia Studio v5.1 resolves this issue and is not affected by the vulnerability.

Vulnerability Description:

If Flash content (for example, SWF files) is created by the above affected software and is embedded in a website, then the website hosting the Flash content may be vulnerable to cross-site scripting attacks. An attacker can submit malicious data to the vulnerable Flash content in order to perform a cross-site scripting attack: when the vulnerable Flash content is viewed by a website visitor, the visitor's Flash player may take insecure, potentially harmful actions. These actions include modification of website content or sending website information such as cookies to the attacker.

Workarounds or Mitigations:

Customers concerned about creating secure Flash content should upgrade to Camtasia Studio v5.1. Customers concerned about viewing Flash content can upgrade their Flash player. Adobe reports that they have addressed the vulnerability with an update to Flash Player (v9.0.115.0), as explained at the following link: Adobe Security Bulletin

FAQs:

Are any other TechSmith products or services vulnerable?

No. SWF files created by the TechSmith Jing application (www.jingproject.com) are not affected by this vulnerability, since there is no user-controlled input passed to the SWF file. All Camtasia Studio SWF files hosted by TechSmith’s Screencast.com media hosting site, created using any version of Camtasia Studio with any production options, are not affected by this vulnerability. Input parameters passed to the SWF files hosted on Screencast.com are provided by the Screencast.com service, which mitigates this vulnerability. No other TechSmith products produce or use SWF files.

Related Advisories:

Acknowledgements:

TechSmith would like to thank Rich Cannings of the Google Security Team for reporting this issue to us.

Revisions:

  • This bulletin was first issued on 4/15/08.

© 1995-2008, TechSmith Corporation, All Rights Reserved