Web developers, fix thy Flash
Robert Lemos, SecurityFocus 2008-03-28

Vancouver, CANADA -- Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears, a security researcher told attendees here at the CanSecWest security conference.

While software makers have taken steps to close the security holes, Web site owners continue to host files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer at search giant Google, told security professionals attending the conference on Wednesday. Using a specially crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, giving an attacker access to the victims' funds.

Cannings originally disclosed the issues in December, but has seen very little activity on the part of Web site developers to fix the flaws. The security researcher tested major Web sites that he uses regularly and found that every single one still hosted old Flash files. He notified each company, and made sure they had fixed the issues, before presenting his findings, he said.

"Things really haven't changed much since December," Cannings said. "There is still a lot of bugs out there."

Until a few years ago, cross-site scripting issues were looked upon as curiosities by most security researchers. With the advent of Web services -- frequently referred to as Web 2.0 -- cross-site scripting has become a much greater hazard. An attacker could use a vulnerable Flash file to get malicious JavaScript code to run as if it came from a trusted Web site, bypassing a key protection known as the same-origin policy. In January, Cannings released a paper on the issue to security researchers.

Software developers have taken the issues seriously. Adobe plans to release a new version of its Flash Player in early April that will prevent attackers from exploiting the issues and, likely, break much of the Flash content on Web sites that are unprepared for the changeover. The makers of major authoring tools have also closed the security holes in the Flash files created by their tools.

However, until Web site developers rebuild their Flash multimedia with the latest authoring tools, the older files still present on their company's Web sites could be used by fraudsters to attack the site's users.

Other security researchers attending the CanSecWest conference agreed that the problem is going to be hard to fix.

"There is no easy solution and that is concerning," said Iván Arce, chief technology officer for Core Security Technologies. "The broken code is created by the authoring tools, so it is not going to get fixed anytime soon."

At the CanSecWest conference, Cannings demonstrated various ways of getting malicious JavaScript code running on a trusted site using insecure Flash files. The original paper in December focused on a single widespread issue in the Flash scripting language, ActionScript, known as the asfunction() attack. However, he found a half dozen other ways of exploiting Flash files as well, he told attendees.

"When people click on links, they don't even know they are being attacked," Cannings said. "If they are logged into a bank, then the attacker could get access to their account and they won't know it."

Flash is a danger because of its ubiquity on the Internet. Adobe estimates that 98 percent of Web users have the Adobe Flash Player installed. Flash is widely used to create the advertisements hosted on most Web sites. Because the advertisements are generally provided by third-party services, using the affiliate networks to send out malicious Flash advertisements has become a serious vector of attack. A group of researchers found that malicious Flash advertisements could spread malicious code to more than 100,000 users for a fee of $100.

"Sites that post advertisements don't know what sort of ads they are posting," Cannings said.

Upgrading to the next Flash player available next month is the most that users can do right now -- aside from being more careful about which Web sites they visit, Cannings said. Adobe has posted additional information on the coming security update on its Web site.

Copyright 2010, SecurityFocus