Google: Web sites slow to fix serious Flash flaws

Nearly three months after reporting a cross-site scripting flaw in Flash, Google has found that many Web sites still suffer from the bug

Two months after Adobe Systems patched a serious flaw in its Flash development software, there are still hundreds of thousands of Web pages serving up buggy Shockwave Flash (.swf) files that could be exploited by hackers, according to a Google researcher.

Google Security Engineer Rich Cannings discovered the widespread vulnerability in his spare time while researching a book on Web security. It turned out that many Flash development tools created files that could be used by hackers in what's known as a cross-site scripting attack. This attack can be used in phishing, but it also gives the bad guys a nearly undetectable route into a victim's bank account or almost any type of Web service.

Cannings estimates that more than 10,000 Web sites are still affected by the issue.

Cannings first noticed the bug on Google's Web site and tracked down the Google employee responsible for the flaw: a sales representative who had been using Dreamweaver to create buggy Flash files.

The bug was in other Flash development tools too, but Adobe and others quickly patched their software after Cannings disclosed his findings. The problem is that Flash files created before the fix can still trigger the issue.

Google dealt with its old buggy files by moving all Flash animation to Web servers that used numerical Internet Protocol addresses rather than the Google.com domain. This made the cross-site scripting attack impossible on the Google.com Web site. Engineers there didn't even try to repair the buggy Flash files because it's "such a pain" to fix them, Cannings said. He spoke during a talk at the CanSecWest security conference and in a follow-up interview.

But for many companies, moving Flash animation to a different domain may not be an option. They are faced with rewriting their Flash files -- an expensive job that is often outsourced to contractors by companies' sales or marketing departments.

With Web site management also frequently outsourced, it's just not practical for many companies to fix the issue the same way as Google, according to Dan Hubbard, vice president of security research with Websense, a content-filtering vendor.

But that doesn't mean that everyone is ignoring the issue. Fearing that their customer accounts could be compromised by this type of attack, banks are cleaning up vulnerable Flash files, Cannings said. "I had a few banks tell me, 'Oh my God this is a big problem.' "

Hackers are not exploiting cross-site scripting bugs in a widespread way right now. In fact, Cannings believes that these flaws have been over-hyped in recent months. For Web sites like Google that contain sensitive customer information, they are a very serious problem, but they are not as critical as, say, remote-code execution flaws that would allow unauthorized software to run on a victim's PC, he said.

Still, if the Flash issue is ever going to be addressed in a widespread fashion, it's unlikely that anyone other than Adobe could really solve it, Cannings said. Although it would be a massive technical challenge, changes could be made to Adobe Flash Player software that would make these cross-site scripting attacks impossible, Cannings said.

"I think Adobe should step up and fix it," he said.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?