Adobe is working on an update
to its Flash Player software that will address a widespread vulnerability found
on hundreds of thousands of Web sites.
The issue, first reported in December by Google researcher Rich Cannings, allows
attackers to use buggy Shockwave Flash (.swf) files in order to attack Web surfers.
Using what is known as a cross-site scripting attack, criminals could create
fake phishing pages or, much worse, gain access to online banking sessions or
Web accounts of victims in some situations.
After Cannings went public with his findings, Adobe and other software vendors
fixed their development tools so they would no longer create the vulnerable
Flash files, but there are still more than 500,000 of these files posted on
different sites on the Internet, according to Cannings.
Because of the amount of work it would take to clean up the mess, Cannings
had been encouraging Adobe to make changes to its Player software that would
nullify these cross-site scripting attacks.
This fix is being developed and will be available "soon," said Adobe
spokesman Matt Rozen in an e-mail message.
Security experts say that Adobe's chief problem now is to work out a way of
fixing this bug without making it hard for users to view older Flash files.
In an interview on Friday, Cannings said that some of Adobe's early approaches
to this problem had "broken" existing Flash files in the player, but
that a satisfactory fix was technically possible. If Adobe could convince browser-makers
to make some changes as well, it might simplify things, he added.
Three months after he went public with the problem, Cannings estimates that
more than 10,000 Web sites remain
vulnerable to this attack.
