Adobe Flash files created by a number of Web authoring platforms could be co-opted by an online fraudster to conduct a cross-site scripting attack, security researchers stated last week.
While pinpointing which sites are running vulnerable Flash files is difficult, hundreds of thousands of Web sites could be affected, Web security researcher Jeremiah Grossman wrote on his blog this weekend.
"Because this issue is NOT a universal XSS as it is the case of the Adobe PDF bug, issues are going to be harder to track down," wrote Grossman, who is the chief technology officer for WhiteHat Security. "We're going to have to figure out ways to decompile (or) reverse engineer Flash files to determine what authoring tool was used and update our vulnerability scanners so that Flash files can be tested in much the same ways as a web application."
The issue is separate from a vulnerability in Flash files that Adobe fixed last month, the researchers said. Adobe issued a patch in December to fix ten critical vulnerabilities in its Flash software, among them modifications to eliminate cross-site scripting attacks using the asfunction: protocol handler (corrected) and navigateToURL() function. On December 24, InfoSoft fixed its cross-site scripting issue by allowing only the loading of relative URLs, not absolute URLs.
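The relative-URLs-only restriction described above, sketched in JavaScript as an added example (it is not InfoSoft's code, which the article does not show). The function names, the base URL and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: accept only relative URLs for a data-file parameter.
// Hypothetical helper names; sample values below are constructed.

function isRelativeUrl(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  // Browsers strip tabs/newlines and trim control characters, so a value
  // such as "java<TAB>script:" can still parse as a scheme. Refuse them.
  // Spaces are refused too; legitimate paths should percent-encode them.
  if (/[\u0000-\u0020\u007f]/.test(value)) return false;
  // Browsers treat "\" like "/", so "/\host" behaves as "//host".
  if (value.includes('\\')) return false;
  // Protocol-relative URLs name another host while looking relative.
  if (value.startsWith('//')) return false;
  // A colon before the first "/", "?" or "#" means the value has a scheme
  // (http:, javascript:, asfunction:, data:, ...), so it is absolute.
  const firstDelim = value.search(/[\/?#]/);
  const head = firstDelim === -1 ? value : value.slice(0, firstDelim);
  return !head.includes(':');
}

// Second, independent check: resolve with the WHATWG URL parser and
// confirm the result stays on the page's own origin.
function resolvesSameOrigin(value, base) {
  try {
    return new URL(value, base).origin === new URL(base).origin;
  } catch {
    return false;
  }
}

function isSafeDataUrl(value, base) {
  return isRelativeUrl(value) && resolvesSameOrigin(value, base);
}

// Constructed sample run against a placeholder base URL.
const BASE = 'https://site.example/charts/';
const samples = [
  'data/q1.xml',
  '../xml/q1.xml?year=2007',
  'data/q1.xml?u=http://other.example',
  'http://other.example/x.xml',
  '//other.example/x.xml',
  'javascript:alert(1)',
];
for (const s of samples) {
  console.log(JSON.stringify(s), isSafeDataUrl(s, BASE) ? 'accept' : 'reject');
}
```

A colon is only treated as a scheme marker when it appears before the first path, query or fragment delimiter, which is why the third sample is accepted while the absolute and protocol-relative forms are rejected.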
Grossman stressed that vulnerable Flash animations will remain on the Web for some time, as Web developers first have to patch their authoring tools, then create new Flash files and upload those files to their sites. In many cases, a third-party developer maintains the Web site, which will increase delays, he said.
CORRECTION: An 's' was dropped from Richard Cannings' name in the original article, and asfunction: should have been referred to as a protocol handler.
Posted by: Robert Lemos