Macromedia Flash virus discovered
 

Potential standalone Flash Player security issue

A new virus that infects SWF files (Flash movies) has recently been discovered.
The discovery was made by the anti-virus company Sophos. The name given to the virus is SWF/LFM-926.

[ NEWS ]

On January 24, 2002, Macromedia released a patch for the Standalone Macromedia Flash Player that disables the "exec" command. Users who have the Standalone Macromedia Flash Player installed on their machines should download the
Standalone Macromedia Flash Player Update for Windows (TechNote 16167). Flash authors should read the TechNote thoroughly before installing.

Official Macromedia Page: http://www.macromedia.com/support/flash/ts/documents/standalone_update.htm

My comments

The virus acts only when an infected SWF file is played in the standalone Flash Player, so the problem does not arise when Flash movies are viewed inside a browser.

How does it work?

When the SWF file is opened in the standalone Flash Player, the virus creates a program that infects only other Flash files on the same system with the same virus.

How is it possible?

With the current version of Flash it is NOT possible to create a virus, i.e. a program capable of writing to other files and infecting them, simply because Flash has no ActionScript that allows access to the hard disk. So, for now, we cannot be infected by a Flash virus while browsing the internet.
Nevertheless (and this is almost certainly the method used by the virus in question), it is possible to write a file to the hard disk with Flash, thanks to the Flash Player and a particular ActionScript that uses fsCommand (the same code is ignored in a browser).
In this way, with the Flash Player and the special command, a file can be written to disk.
Now give this file a .exe extension, put malicious code (not ActionScript) inside it, have the Flash Player execute it through the EXEC command, and the game is done!
The malicious code (written in a language able to access the disk, such as Visual Basic, Java, C, etc.) can be stored in a Flash variable, and this variable can be saved to a file on disk thanks to the Flash Player.
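
One way to check SWF files for the EXEC call described above before they are opened in the standalone player (an added example, not code from the original page or from Macromedia). It assumes the SWF encoding in which a literal fscommand call is stored as a GetURL action whose URL starts with "FSCommand:", and it covers only uncompressed (FWS) movies, top-level DoAction tags and literal arguments; the function names and the file name sample.exe are constructed for the illustration.

```python
DO_ACTION, END, ACTION_GET_URL = 12, 0, 0x83   # SWF tag codes; getURL action

def u(data, pos, size):    # little-endian unsigned int; short reads yield less
    return int.from_bytes(data[pos:pos + size], "little")

def tags(data):
    """Yield (tag_code, body) for each top-level tag of an FWS movie."""
    if data[:3] != b"FWS" or len(data) < 9:
        raise ValueError("not an uncompressed SWF (FWS) file")
    nbits = data[8] >> 3                       # RECT: 5-bit field width, 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4     # skip RECT, frame rate, frame count
    while pos + 2 <= len(data):
        head, pos = u(data, pos, 2), pos + 2
        code, length = head >> 6, head & 0x3F
        if length == 0x3F:                     # long header: 32-bit length follows
            length, pos = u(data, pos, 4), pos + 4
        if code == END:
            return
        yield code, data[pos:pos + length]
        pos += length

def actions(body):
    """Yield (action_code, payload) for each record in a DoAction body."""
    pos = 0
    while pos < len(body) and body[pos] != 0:  # 0x00 ends the action list
        code, payload, pos = body[pos], b"", pos + 1
        if code >= 0x80:                       # these carry a 16-bit length
            n = u(body, pos, 2)
            payload, pos = body[pos + 2:pos + 2 + n], pos + 2 + n
        yield code, payload

def find_fscommands(data):
    """Return [(command, argument)] for literal fscommand calls."""
    hits = []
    for tag, body in tags(data):
        for act, payload in (actions(body) if tag == DO_ACTION else ()):
            url, _, rest = payload.partition(b"\0")
            if act == ACTION_GET_URL and url.lower().startswith(b"fscommand:"):
                hits.append((url[10:].decode("latin-1").lower(),
                             rest.split(b"\0")[0].decode("latin-1")))
    return hits

def sample_movie():
    """Constructed test movie (not a real sample) calling fscommand exec."""
    arg = b"FSCommand:exec\0sample.exe\0"
    action = bytes([ACTION_GET_URL]) + len(arg).to_bytes(2, "little") + arg + b"\0"
    tag = ((DO_ACTION << 6) | len(action)).to_bytes(2, "little") + action
    body = b"\x00\x00\x0c\x01\x00" + tag + b"\x00\x00"
    return b"FWS\x05" + (8 + len(body)).to_bytes(4, "little") + body
```

Any movie for which find_fscommands returns a pair whose command is "exec" deserves inspection before it is double-clicked.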

Simple, and very dangerous. Today SWF/LFM-926 limits itself to duplicating itself inside other Flash files; tomorrow it could format your disk.

The whole problem lies in the fact that the Flash Player can write to the disk.

Macromedia immediately released a patch, the SWF Clear Utility, which Macromedia itself describes as an "initial workaround" for the problem. The patch does nothing more than remove the association between SWF files and the Flash Player from the Windows registry, so that double-clicking a SWF file no longer opens it in the Flash Player.
We will see what Macromedia comes up with as a concrete remedy for the problem. Maybe a version of the Flash Player with the command for writing to disk disabled?

Official Macromedia Page: http://www.macromedia.com/support/flash/ts/documents/swf_clear.htm
