Loophole detected in "Camtasia Studio"

November 30, 2009

Michael Schmidt, Security Analyst at Compass, analysed a Flash application created with the software "Camtasia Studio" by TechSmith and found a vulnerability that enables Cross-Site Scripting (XSS). Compass promptly informed the manufacturer so that the vulnerability could be remediated. The patch is now available.

Problem recognised
Michael Schmidt of Compass was commissioned to analyse Flash videos generated with "Camtasia Studio" on a customer website and to check whether they were safe. The security analysis pinpointed the weaknesses. By exploiting them, the specialist was able to perform various manipulations: he could modify text in the Flash video, execute JavaScript code in the context of the website, and redirect the user to various URLs.

The expert states that a faulty application can cause substantial damage to an otherwise safe web application. He regards the vulnerability as significant. It affects many Flash applications that contain no business logic at all and serve only to improve the "Look & Feel" of a site.

Problem eliminated
The manufacturer TechSmith reacted immediately to Compass's notification and published a patch for "Camtasia Studio", closing the vulnerability. Further information on this weakness is available under the following link on the TechSmith website:
