Camtasia (Windows): Cross-site Scripting in ExpressShow SWF Files

Date Issued
September 24th, 2010

Affected Software and Components
ExpressShow SWF Files generated by Camtasia Studio 6 and 7

Vulnerability Description
If ExpressShow SWF files created by the affected software are hosted on a website, the website hosting the SWF file is vulnerable to cross-site scripting attacks.

This vulnerability requires that an attacker convince the victim to click on an attacker-created link to the vulnerable SWF file. When the Flash content is viewed by the victim, the victim's browser may take insecure, potentially harmful actions in the context of the hosting website. These actions include modification of website content, sending website information such as cookies to the attacker, or redirection to malicious websites that attempt to install malware on the victim's machine.

Workarounds or Mitigations
To fix the issue, extract the two SWF files from the attached zip file and place them in the following directory:
C:\Program Files\TechSmith\Camtasia Studio 7\Media\Studio\Swf

Windows will prompt that these files will overwrite the ones already there; confirm the overwrite. Once the files have been replaced, restart Camtasia and re-produce your videos so that their ExpressShow SWF files are regenerated from the fixed versions.
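Because the fix only affects newly produced output, a site administrator still has to find every SWF that was published from the affected versions and re-produce it. The following inventory script is an added example, not TechSmith's or Veracode's code: it walks a web root, reads the public 8-byte SWF header (signature, version, declared uncompressed length), inflates zlib-compressed bodies, and flags files whose body contains strings naming browser-reaching Flash APIs (ExternalInterface, getURL, navigateToURL, javascript:) so those can be reviewed first. It cannot distinguish ExpressShow output from other SWFs, the API string check is a heuristic that misses calls encoded only as ActionScript 2 opcodes, and the sample byte strings at the bottom are constructed for offline testing rather than real Camtasia files.

```python
import os
import struct
import sys
import zlib
from typing import Optional

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed body, ZWS = LZMA-compressed body.
SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

# Flash APIs through which SWF content can reach the browser (URL navigation,
# JavaScript calls). A hit only marks a file for closer review; it is not
# proof of a vulnerability, and AS2 opcode-encoded calls are not detected.
BROWSER_REACHING_APIS = (b"ExternalInterface", b"getURL", b"navigateToURL", b"javascript:")


def parse_header(data: bytes) -> Optional[dict]:
    """Return signature, version and declared length from the 8-byte SWF header, or None."""
    if len(data) < 8 or data[:3] not in SIGNATURES:
        return None
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # uncompressed length including header
    return {"compression": SIGNATURES[data[:3]], "version": version, "declared_length": declared_len}


def swf_body(data: bytes, header: dict) -> Optional[bytes]:
    """Return the uncompressed body that follows the header (LZMA bodies are not handled)."""
    if header["compression"] == "none":
        return data[8:]
    if header["compression"] == "zlib":
        try:
            return zlib.decompress(data[8:])
        except zlib.error:
            return None
    return None


def scan_bytes(data: bytes) -> Optional[dict]:
    """Inventory record for one SWF: header fields, length sanity check and API hints."""
    header = parse_header(data)
    if header is None:
        return None
    body = swf_body(data, header)
    hits = []
    if body is not None:
        hits = [api.decode() for api in BROWSER_REACHING_APIS if api in body]
    header["length_matches"] = body is not None and len(body) + 8 == header["declared_length"]
    header["api_hints"] = hits
    return header


def inventory(root: str) -> list:
    """Walk a web root and return one record per .swf file, with its path."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".swf"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    rec = scan_bytes(fh.read())
                if rec is not None:
                    rec["path"] = path
                    records.append(rec)
    return records


def _make_sample(signature: bytes, version: int, body: bytes) -> bytes:
    """Build a constructed SWF-shaped byte string (header + optionally zlib body) for testing."""
    header = signature + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if signature == b"CWS" else body)


# Constructed samples for offline runs; not real Camtasia or ExpressShow output.
_FRAME_FIELDS = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"  # placeholder RECT/rate/count bytes
SAMPLE_ZLIB_SWF = _make_sample(b"CWS", 10, _FRAME_FIELDS + b"ExternalInterface" + b"getURL")
SAMPLE_PLAIN_SWF = _make_sample(b"FWS", 8, _FRAME_FIELDS)
NOT_A_SWF = b"<html>not flash</html>"

if __name__ == "__main__":
    # Usage: python swf_inventory.py /path/to/webroot
    for rec in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "REVIEW" if rec["api_hints"] else "ok    "
        print(f"{flag} v{rec['version']:<3} {rec['compression']:<5} {rec['path']}  hints={rec['api_hints']}")
```

Run it against the document root of each site that serves Camtasia output; every listed file that was produced with Camtasia Studio 6 or 7 before the SWF files were replaced should be re-produced and re-uploaded, with the REVIEW entries handled first.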

TechSmith would like to thank Isaac Dawson of the Veracode Research Team for reporting this issue to us.