
CERT Coordination Center

Macromedia Flash Player continues to download flash files until browser is closed

Vulnerability Note VU#128491

Original Release Date: 2002-08-09 | Last Revised: 2002-12-10

Overview

Macromedia Flash 6 does not terminate connections when a web user leaves the page. These connections may consume excessive amounts of bandwidth and limit the flow of other data.

Description

The Macromedia Flash media format enables frame-based animations with sound to be viewed within a web browser. Flash uses a scripting language called ActionScript, which includes the commands loadMovie and loadSound to download associated video and audio clips.

It is typical and generally expected for downloads of embedded web page elements to cease when a user leaves one web page for another. However, in version 6 of the Flash player plug-in for Microsoft Internet Explorer (IE), connections started by the loadMovie and loadSound commands persist after the user has left the web page containing the Flash animation. These connections remain open to download video or audio files, which can be relatively large and can exhaust the user's Internet bandwidth.

Impact

An attacker could trick a victim into downloading a maliciously crafted Flash animation from the Web. Upon playback of the malicious animation, the victim's Flash Player software would open several multimedia connections and consume all available bandwidth, effectively making the Internet unusable until the victim closed IE.

Solution

Update Flash Player 6 to a version later than 6,0,25,0. For more info, see:

http://www.macromedia.com/software/flashplayer/

If you notice sluggishness in Internet connections after visiting a page containing a Flash animation, try closing IE to terminate any Flash connections.

Vendor Information


Macromedia Inc. Affected

Notified: April 15, 2002 | Updated: June 12, 2002

Status

Affected

Vendor Statement

"When loading media files into Macromedia Flash Player 6, the media will continue to load even if Macromedia Flash Player 6 makes additional requests for media (i.e. .swf, .jpg or .mp3 files), or if the user leaves the webpage.

"In most cases this will not affect performance, but with larger media files, users may notice a degradation of Internet bandwidth available during the period that the media is downloaded to Macromedia Flash Player 6. Once the media has downloaded, then the bandwidth available will resume to its previous state.

"This issue only occurs in the ActiveX version of Macromedia Flash Player available for Microsoft Internet Explorer on Microsoft Windows platforms.

"Macromedia has isolated the issue and will be releasing an updated browser player for all platforms.... The new player will be greater than version 6,0,25,0 and will be available for download in the next 5-7 business days from:

http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash

"Macromedia will also be providing updated HTML that developers can use to ensure that their users automatically receive the updated Macromedia Flash Player. A TechNote detailing this will be available when we release the updated Macromedia Flash Player at the following URL:

http://www.macromedia.com/go/16267 "

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.



Acknowledgements

Thanks to Dan Browder for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 0.86
Date Public: 2002-04-03
Date First Published: 2002-08-09
Date Last Updated: 2002-12-10 22:59 UTC
Document Revision: 14

Sponsored by CISA.