Two months after Adobe Systems
patched a serious flaw in its Flash development software, there are still hundreds
of thousands of Web pages serving up buggy Shockwave Flash (.swf) files that
could be exploited by hackers, according to a Google researcher.

Google Security Engineer Rich Cannings discovered the widespread vulnerability
in his spare time while researching a book on Web security. It turned out that
many Flash development tools created files that could be used by hackers in
what's known as a cross-site scripting attack. This attack can be used in phishing,
but it also gives the bad guys a nearly undetectable route into a victim's bank
account or almost any type of Web service.

Cannings estimates that more than 10,000 Web sites are still affected by the
issue.

Cannings first noticed the bug on Google's Web site and tracked down the Google
employee responsible for the flaw: a sales representative who had been using
Dreamweaver to create buggy Flash files.

The bug was in other Flash development tools too, but Adobe and others quickly
patched their software after Cannings
disclosed his findings. The problem is that Flash files created before the
fix can still trigger the issue.

Google dealt with its old buggy files by moving all Flash animation to Web
servers that used numerical Internet Protocol addresses rather than the Google.com
domain. This made the cross-site scripting attack impossible on the Google.com
Web site. Engineers there didn't even try to repair the buggy Flash files because
it's "such a pain" to fix them, Cannings said. He spoke during a talk
at the CanSecWest security conference and in a follow-up interview.

But for many companies, moving Flash animation to a different domain may not
be an option. They are faced with rewriting their Flash files -- an expensive
job that is often outsourced to contractors by companies' sales or marketing
departments.

With Web site management also frequently outsourced, it's just not practical
for many companies to fix the issue the same way as Google, according to Dan
Hubbard, vice president of security research with Websense, a content-filtering
vendor.

But that doesn't mean that everyone is ignoring the issue. Fearing that their
customer accounts could be compromised by this type of attack, banks are cleaning
up vulnerable Flash files, Cannings said. "I had a few banks tell me, 'Oh
my God this is a big problem.' "

Hackers are not exploiting cross-site scripting bugs in a widespread way right
now. In fact, Cannings believes that these flaws have been over-hyped in recent
months. For Web sites like Google that contain sensitive customer information,
they are a very serious problem, but they are not as critical as, say, remote-code
execution flaws that would allow unauthorized software to run on a victim's
PC, he said.

Still, if the Flash issue is ever going to be addressed in a widespread fashion,
it's unlikely that anyone other than Adobe could really solve it, Cannings said.
Although it would be a massive technical challenge, changes could be made to
Adobe Flash Player software that would make these cross-site scripting attacks
impossible, Cannings said.

"I think Adobe should step up and fix it," he said.

IDG News Service

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine