Flash Flaw could lead to Phishing Flood

An article published today on The Register says that a security vulnerability has been discovered in one of the Web’s most widely distributed third-party applications. Flash applets – the executable SWF files that are produced by numerous authoring tools, including Adobe’s own Creative Suite, TechSmith Camtasia, InfoSoft FusionCharts, software from Autodemo and many more – are vulnerable to attacks in which malicious strings are injected into the legitimate code through a technique known as cross-site scripting, or XSS.

The particular exploit is documented in a soon-to-be-released Web 2.0 security book (“Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions”), but, in essence, the vulnerability allows hackers to exploit Internet users’ ignorance and phish (steal by deception) private information from them. Here is a summary of how the exploit could work:

A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer’s authentication cookies or login credentials to be sent to the attacker.

“Lots of people are vulnerable, and right now there are no protections available other than to remove those SWFs and wait for the authoring tools and/or Flash player to be updated,” says Alex Stamos, one of the book’s authors. “In the meantime, people will have to think: ‘What kind of flash am I using on my site,’ and manually test for vulnerabilities.”

And he’s not joking – the book’s authors (who work for penetration testing firm iSEC Partners as well as for Google) say a web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites (the most likely targets of phishing attacks).

Stamos said Adobe is likely to update its Flash Player so it does a better job of vetting code variables before executing SWF files. But he said interaction with third-party code is such a core part of the way Flash works that updates to the player would likely provide only a partial fix. Eradicating the problem will require updates to all of the authoring tools so they no longer generate buggy Flash content. And even then, security professionals will have to analyze all of a website’s SWF files and recompile any that are found to be vulnerable.

Full story: Serious Flash vulns menace tens of thousands websites | The Register
