
TechSmith Security Advisory

What is a Security Advisory?

A security advisory is a public statement published by TechSmith to advise our customers about a security issue that we are currently working to resolve. An advisory includes recommendations to our customers about how to work around or mitigate the security issue while a fix is being developed. Once the security issue has been resolved by an update, patch, or other fix, the security advisory will be closed and a security bulletin will be issued.

Security Advisory 1: Cross-site Scripting in Flash SWF Files

Date Issued:

February 27th, 2008

Advisory Status:

Closed (by Security Bulletin 1)

Affected Software and Components:

Camtasia Studio v1, v2, v3, v4, and v5 Flash content, except ExpressShow SWF content, the default in v5, which does not accept external input variables.

Vulnerability Description:

If Flash content (for example, SWF files) is created by the above affected software and is embedded in a website, then the website hosting the Flash content may be vulnerable to cross-site scripting attacks. An attacker can submit malicious data to the vulnerable Flash content in order to perform a cross-site scripting attack: when the vulnerable Flash content is viewed by a website visitor, the visitor's Flash player may take insecure, potentially harmful actions. These actions include modification of website content or sending website information such as cookies to the attacker.

Workarounds or Mitigations:

Customers concerned about viewing Flash content can upgrade their Flash player. Adobe reports that they have addressed the vulnerability with the latest Flash Player (9.0.115.0), as explained at the following link: Adobe Security Bulletin
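
For site operators who embed affected SWF files, one way to review web server access logs for requests that pass such a file an externally supplied value is shown here. This is an added example, not TechSmith's code: the log lines, hosts and the parameter names `cfg` and `link` are constructed, and the heuristic (a URI scheme or markup characters in a query value) is an assumption about what counts as unexpected input.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format); hosts, paths and
# parameter names are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2008:10:00:01 +0000] "GET /demo/tutorial.swf HTTP/1.1" 200 48211
203.0.113.9 - - [27/Feb/2008:10:00:07 +0000] "GET /demo/tutorial.swf?cfg=tutorial_config.xml HTTP/1.1" 200 48211
198.51.100.7 - - [27/Feb/2008:10:01:13 +0000] "GET /demo/tutorial.swf?cfg=http%3A%2F%2Fother.example%2Fc.xml HTTP/1.1" 200 48211
198.51.100.7 - - [27/Feb/2008:10:01:15 +0000] "GET /demo/tutorial.swf?link=JavaScript%3Avoid(0) HTTP/1.1" 200 48211
203.0.113.5 - - [27/Feb/2008:10:02:00 +0000] "GET /index.html?ref=http%3A%2F%2Fother.example%2F HTTP/1.1" 200 1203
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that starts with a URI scheme ("javascript:", "http://") or is
# protocol-relative ("//host/...") points outside the site's own paths.
SCHEME_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]*:|//)', re.IGNORECASE)

def suspicious_swf_params(request_target):
    """Return [(name, value)] for risky query parameters on a .swf request."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(".swf"):
        return []
    hits = []
    # parse_qsl percent-decodes, so encoded values are checked in clear form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # A URI scheme or markup characters are not expected in a
        # relative file name or a simple setting.
        if SCHEME_RE.match(value) or any(c in value for c in "<>\"'"):
            hits.append((name, value))
    return hits

def scan(log_text):
    """Yield (line_number, request_target, hits) for flagged log lines."""
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            hits = suspicious_swf_params(m.group(1))
            if hits:
                yield lineno, m.group(1), hits

if __name__ == "__main__":
    for lineno, target, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {target} -> {hits}")
```

A flagged line shows only that an external value was offered to the SWF file, so treat hits as leads for review rather than confirmed attacks.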

FAQs:

Are any other TechSmith products or services vulnerable?

No. SWF files created by the TechSmith Jing application (www.jingproject.com) are not affected by this vulnerability, since there is no user-controlled input passed to the SWF file. All Camtasia Studio SWF files hosted by TechSmith’s Screencast.com media hosting site, created using any version of Camtasia Studio with any production options, are not affected by this vulnerability. Input parameters passed to the SWF files hosted on Screencast.com are provided by the Screencast.com service, which mitigates this vulnerability. All other TechSmith products do not produce or use SWF files.

Wasn’t this an old vulnerability?

Yes, this vulnerability was originally reported in December of 2007 (see CERT Vulnerability Note VU#249337, https://www.kb.cert.org/vuls/id/249337). This security advisory is being issued as part of the new Security Center at www.techsmith.com. In the future, any security advisories and bulletins will appear here.

Acknowledgements:

TechSmith would like to thank Rich Cannings of the Google Security Team for reporting this issue to us.

Revisions:

  • This advisory was closed by Security Bulletin 1 on 4/15/08.
  • This advisory was first issued on 2/27/08.

© 1995-2008, TechSmith Corporation, All Rights Reserved