Camtasia (Windows): Configuration Manipulation and Cross-site Scripting Vulnerabilities in Flash SWF Files

Date Issued 

October 27th, 2009

Affected Software and Components

Flash SWF files created using Camtasia Studio 6.01, 6.02, and 6.03 with the Express Show template with SWF output. Flash SWF files created using Camtasia Studio with other templates are not affected. The vulnerability can be exploited in the Firefox, Safari, and Google Chrome browsers.

Vulnerability Description 

If Flash SWF files are created by the above affected software and then embedded in a website, the website hosting the Flash content may be vulnerable to SWF player configuration manipulation and cross-site scripting attacks. An attacker can craft links to the vulnerable Flash content in order to perform a cross-site scripting attack: when the vulnerable Flash content is viewed by a website visitor, the visitor's Flash player may take insecure, potentially harmful actions. These actions include modification of website content, sending website information such as cookies to the attacker, and redirection to arbitrary websites. The attacker can also modify the configuration of the SWF file to display attacker-specified text, pause at arbitrary times, and link to attacker-specified URLs.

Workaround or Mitigations

To fix the issue, extract the two SWF files from the attached zip file and place them in the following directory:

C:\Program Files\TechSmith\Camtasia Studio 6\Media\Studio\Swf

You will be prompted to confirm that these files will overwrite the ones that are already there; this is expected. Once the files have been overwritten, restart Camtasia and re-produce your videos to SWF.

Once the fix has been applied, customers with vulnerable SWF files hosted on a website should re-produce the SWF file. The newly produced SWF file will not be vulnerable and can replace the old vulnerable SWF file.

Customers concerned about viewing Flash content can view Flash SWF files using Internet Explorer or Opera, which are not affected by this issue.

Additional Information

No other TechSmith products or services are affected by this vulnerability. SWF files hosted by TechSmith's Screencast.com media hosting site are not affected by this vulnerability. Input parameters passed to the SWF files hosted on Screencast.com are provided by the Screencast.com service, which mitigates this vulnerability. SWF files produced by Jing and Camtasia Relay are not affected by this vulnerability. No other TechSmith products produce or use SWF files.

Acknowledgements

TechSmith would like to thank Michael Schmidt of Compass Security Network Computing for reporting this issue to us and working with us while we developed a fix.
