News Stay informed about the latest enterprise technology news and product updates.

Security Bytes: Shockwave flaw fixed

In other news, McAfee employee data goes missing and an IT exec gets eight years in prison for data theft.

Macromedia Shockwave flaw fixed
Adobe Systems Inc. has fixed a critical flaw attackers could exploit in its Macromedia Shockwave Player to launch malicious code.

Macromedia Shockwave is a multi-platform multimedia playback application that allows users to view interactive Web content from their browser. The San Jose, Calif.-based vendor said in an advisory that the flaw resides in the player's ActiveX installer.

"During the installation process, malicious code on a Web site with Shockwave content could have taken advantage of a buffer overflow to allow the execution of arbitrary code," Adobe said. "For an attacker to exploit the vulnerability, users would have been directed to a page including malicious code that prompted the user to install Shockwave Player."

Adobe said the ActiveX installer problem has been fixed. "Since the vulnerability occurs in the installer, no action needs to be taken by [Adobe customers]," Adobe said. "Customers downloading and installing the latest Shockwave Player are also no longer vulnerable with the updated Shockwave Player ActiveX installer."

As an extra precaution, Danish vulnerability clearinghouse Secunia said, users should only install ShockWave Player directly from the vendor's Web site.

McAfee employee data goes missing
Santa Clara, Calif.-based AV vendor McAfee Inc. said a CD with data on thousands of current and former employees has gone missing. Auditing firm Deloitte & Touche USA LLP lost the CD Dec. 15. McAfee was first notified Jan. 11 and on Jan. 30 it received more detailed information on the lost data, McAfee spokeswoman Siobhan MacDermott told CNET

The disc housed personal data on all current U.S. and Canadian McAfee workers hired before April 2005 and on about 6,000 former employees in the same region, MacDermott said. CNET noted that the company has about 3,290 employees worldwide today. The data was not encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee.

"We notified our current and former employees last week and the week before," MacDermott said. "We have no reason to believe that any of the information has been accessed, and we are proactively protecting McAfee current and former employees with credit-monitoring services."

Deloitte & Touche confirmed the data loss incident to CNET, saying, "A Deloitte & Touche employee left an unlabelled backup CD in an airline seat pocket. We are not aware of any unauthorized access to this data in the two months since the CD was lost."

McAfee has arranged for past and present U.S. employees to receive free services for up to two years from credit reporting agency Equifax. Similar arrangements are being made with a credit monitoring provider for Canadian employees.

IT exec gets eight years for data theft
The former principal owner of e-mail marketing firm Snipermail Inc. is headed to jail for the next eight years, after being convicted of data theft. Scott Levine was sentenced Thursday to eight years in prison on charges related to the theft of more than 1 billion data records, the U.S. Department of Justice (DOJ) said. The IDG News Service reported that Levine, 46, of Boca Raton, Fla., was convicted last August on 120 counts of unauthorized access of a protected computer, two counts of device fraud and one count of obstruction of justice.

Between January and July 2003, the report said, Levine stole more than 1 billion records that included names, physical and e-mail addresses and phone numbers. The data belonged to Acxiom Corp., a firm that maintains a repository of personal, financial and company data, including customer information held for other companies, the news service reported.

The DOJ said Levine used sophisticated decryption software to illegally obtain passwords and exceed his authorized access to Acxiom databases. So far, there is no indication that data stolen by Levine or others has been used in identity theft or credit card fraud schemes, the DOJ said. The news service reported that some of the data was resold to a broker for use in an advertising campaign.

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.