Hosting News
Google Security Engineer Says, Check Your Flash!
2008-03-30
Warnings have been issued by a great many online security authorities that
Flash has security flaws, yet the warnings have fallen upon deaf ears.
The problems aren’t with the new versions of Flash files, but with the slightly
older ones, made with older authoring programs that were, are full of
vulnerabilities. These files are vulnerable to XSS (Cross-site Scripting)
attacks.
“ Things really haven't changed much since December. There are still a lot of
bugs out there. ”
Rich Cannings, information security engineer, Google
Using a specially-crafted Web address, an attacker could use a vulnerable Flash
file on a major Web site to gain access to the user's account on that site, once
the victim logs in. A bad Flash file on a banking site, for example, could put
that bank's customers at risk, allowing an attacker the ability to access the
victims' funds.
Cannings originally disclosed the issues in December, but has seen very little
activity on the part of Web-site developers to fix the flaws. The security
researcher tested major Web site that he uses regularly and found that every
single one still hosted old Flash files. He notified each company, and made sure
they had fixed the issues, before presenting his findings, he said.
"Things really haven't changed much since December," Cannings said. "There is
still a lot of bugs out there."
Until a few years ago, cross-site scripting issues were looked upon as
curiosities by most security researchers. With the advent of Web services --
frequently referred to as Web 2.0 -- cross-site scripting has become a much
greater hazard.
An attacker could use a vulnerable Flash file to get malicious JavaScript code
to run as if it came from a trusted Web site, bypassing a key protection known
as the same-origin policy. In January, Cannings released a paper on the issue to
security researchers.
Software developers have taken the issues seriously. Adobe plans to release a
new version of its Flash Player in early April that will prevent attackers from
exploiting the issues and, likely, break much of the Flash content on Web sites
that are unprepared for the changeover. The makers of major authoring tools have
also closed the security holes in the Flash files created by their tools.
However, until Web site developers rebuild their Flash multimedia with the
latest authoring tools, the older files still present on their company's Web
sites could be used by fraudsters to attack the site's users.
Other security researchers attending the CanSecWest conference agreed that the
problem is going to be hard to fix.
"There is no easy solution and that is concerning, " said Iván Arce, chief
technology officer for Core Security Technologies. "The broken code is created
by the authoring tools, so it is not going to get fixed anytime soon."
At the CanSecWest conference, Cannings demonstrated various ways of getting
malicious JavaScript code running on a trusted site using insecure Flash files.
The original paper in December focused on a single widespread issue in the Flash
scripting language, ActionScript, known as the asfunction() attack. However, he
found a half dozen other ways of exploiting Flash files as well, he told
attendees.
"When people click on links, they don't even know they are being attacked,"
Cannings said. "If they are logged into a bank, then the attacker could get
access to their account and they won't know it."
Flash is a danger because of its ubiquity on the Internet. Adobe estimates that
98 percent of Web users have the Adobe Flash Player installed. Flash is widely
used to create the advertisements hosted on most Web sites. Because the
advertisements are generally provided by third-party services, using the
affiliate networks to send out malicious Flash advertisements has become a
serious vector of attack. A group of researchers found that malicious Flash
advertisements could spread malicious code to more than 100,000 users for a fee
of $100.
"Sites that post advertisements don't know what sort of ads they are posting,"
Cannings said.
Upgrading to the next Flash player available next month is the most that users
can do right now -- aside from being more careful about which Web sites they
visit, Cannings said. Adobe has posted additional information on the coming
security update on its Web site.
|
 |
Links |
|
HostMonster $5.95/mo- 200GB Diskspace
- 2000GB Bandwidth
- Host Unlimited Domains
- SSH Access
- SSL FTP Stats
- CGI Ruby Perl PHP MySQL
- Free Domain
AN Hosting $6.95/mo- 250GB Diskspace
- 2500GB Bandwidth
- Host 20 Domains
- PHP RoR Python CGI SSI Unlimited MySQL DB
- Free Domain for Life
- 30 Day Money Back
- 99% Uptime Guarantee
PowWeb $7.77/mo- 300GB Diskspace
- 3000GB Bandwidth
- Host Unlimited Domains
- Load Balanced Technology
- DNS Management
- PHP4/5 Perl5 CGI SSI MySQL
- Daily Backup
|
 |
|
Hosting Companies |
|
|
|
|
Partners |
|
|
|
|
