SecurityFocus 2008-03-28
Vancouver, CANADA -- Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears, a security researcher told attendees here at the CanSecWest security conference.
While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, allowing an attacker to access the victims' funds.
Cannings originally disclosed the issues in December, but has seen very little activity on the part of Web-site developers to fix the flaws. The security researcher tested major Web sites that he uses regularly and found that every single one still hosted old Flash files. He notified each company, and made sure they had fixed the issues, before presenting his findings, he said.
"Things really haven't changed much since December," Cannings said. "There is still a lot of bugs out there."
Software developers have taken the issues seriously. Adobe plans to release a new version of its Flash Player in early April that will prevent attackers from exploiting the issues and, likely, break much of the Flash content on Web sites that are unprepared for the changeover. The makers of major authoring tools have also closed the security holes in the Flash files created by their tools.
However, until Web site developers rebuild their Flash multimedia with the latest authoring tools, the older files still present on their company's Web sites could be used by fraudsters to attack the site's users.
Other security researchers attending the CanSecWest conference agreed that the problem is going to be hard to fix.
"There is no easy solution and that is concerning," said Iván Arce, chief technology officer for Core Security Technologies. "The broken code is created by the authoring tools, so it is not going to get fixed anytime soon."
asfunction() attack. However, he found a half dozen other ways of exploiting Flash files as well, he told attendees.
"When people click on links, they don't even know they are being attacked," Cannings said. "If they are logged into a bank, then the attacker could get access to their account and they won't know it."
Flash is a danger because of its ubiquity on the Internet. Adobe estimates that 98 percent of Web users have the Adobe Flash Player installed. Flash is widely used to create the advertisements hosted on most Web sites. Because the advertisements are generally provided by third-party services, using the affiliate networks to send out malicious Flash advertisements has become a serious vector of attack. A group of researchers found that malicious Flash advertisements could spread malicious code to more than 100,000 users for a fee of $100.
"Sites that post advertisements don't know what sort of ads they are posting," Cannings said.
Upgrading to the next Flash player available next month is the most that users can do right now -- aside from being more careful about which Web sites they visit, Cannings said. Adobe has posted additional information on the coming security update on its Web site.