Adobe’s Flash Files Expose Websites to XSS Attacks
The flaw in Adobe's Shockwave Flash (SWF) files, first reported in December 2007, is currently leaving several thousand websites open to XSS (cross-site scripting) attacks. Security researchers explained that SWF files are used to generate animated content and banner ads.
The vulnerable Flash files can easily be abused by cyber-criminals to launch XSS and phishing attacks, and there is a high likelihood that the vulnerability leads to cookie hijacking. In other words, unsuspecting users can be redirected from legitimate sites to phishing or malicious ones, and fraudsters can also intercept users' passwords.
Security researchers have also found that the vulnerable Flash files could easily be used by criminals to tamper with the official sites of government agencies, banks and several other trusted organizations.
It is worth noting that Adobe has tried to fix this same flaw several times in the past; however, the flaw is a complicated one and requires a multi-step procedure to fix.
Webmasters should first patch the application they use to render SWF files. Afterwards, they should examine every file on their website and regenerate each file found to contain the bug. The vulnerability lies in the clickTAG= parameter of the Flash file, which can easily be manipulated to run malicious code in the browsers of people who view the affected content.
Moreover, probably millions of graphics files will need to be regenerated in order to fix the flaw.
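The procedure above has two parts a webmaster can automate: finding which SWF files on the site reference clickTAG at all (so they can be reviewed and regenerated), and making sure the regenerated banner only follows clickTAG values that are genuine http(s) URLs rather than script URLs. The following Python is an added example written for this article, not code from Adobe or from the article's sources. It assumes only the public SWF container layout (a 3-byte signature, a version byte, a 4-byte little-endian length, then the body, which is zlib-compressed when the signature is CWS); the sample "files" are constructed byte strings whose only purpose is to carry the clickTAG string, not real Flash bytecode. Finding the string is a triage signal that the file needs review, not proof that it is exploitable.

```python
"""Triage SWF files for clickTAG use and validate clickTAG values (added example)."""
import pathlib
import struct
import zlib
from urllib.parse import urlsplit

# Only the two container formats that existed at the time of the article.
SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib-compressed"}


def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflating CWS files.

    Raises ValueError for anything that is not a well-formed FWS/CWS file,
    so a scanner can report unreadable files instead of silently passing them.
    """
    if len(data) < 8 or data[:3] not in SIGNATURES:
        raise ValueError("not a FWS/CWS Flash file")
    declared_len = struct.unpack("<I", data[4:8])[0]
    body = data[8:]
    if data[:3] == b"CWS":
        body = zlib.decompress(body)
    if len(body) + 8 != declared_len:
        raise ValueError("declared length does not match body length")
    return body


def uses_clicktag(data: bytes) -> bool:
    """True when the (decompressed) body references clickTAG in any casing."""
    return b"clicktag" in swf_body(data).lower()


def triage(files: dict) -> dict:
    """Map file name -> 'review' / 'clean' / 'unreadable' for a set of SWF blobs."""
    result = {}
    for name, data in files.items():
        try:
            result[name] = "review" if uses_clicktag(data) else "clean"
        except (ValueError, zlib.error):
            result[name] = "unreadable"
    return result


def scan_directory(root: str) -> dict:
    """Run triage over every *.swf under a directory tree (hypothetical usage)."""
    paths = pathlib.Path(root).rglob("*.swf")
    return triage({str(p): p.read_bytes() for p in paths})


# --- The check a regenerated banner should apply before following clickTAG ---

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_clicktag(value: str) -> bool:
    """Allow-list check: clickTAG must be an absolute http(s) URL.

    Rejects javascript:/data:/vbscript: URLs, scheme-relative '//host' values,
    relative paths and empty strings. An allow-list on the scheme is used
    rather than a deny-list of bad schemes so unknown schemes are refused too.
    """
    if not value:
        return False
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


# --- Constructed sample files (strings only; not real Flash bytecode) ---

def build_swf(body: bytes, compressed: bool) -> bytes:
    """Wrap a body in a minimal FWS or CWS container header."""
    length = struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + bytes([8]) + length + zlib.compress(body)
    return b"FWS" + bytes([8]) + length + body


SAMPLE_FILES = {
    "ad1.swf": build_swf(b"\x00getURL(_root.clickTAG)\x00", compressed=False),
    "ad2.swf": build_swf(b"\x00getURL(_root.clickTag)\x00", compressed=True),
    "intro.swf": build_swf(b"\x00play()\x00", compressed=True),
    "bad.bin": b"not a flash file at all",
}

if __name__ == "__main__":
    for name, status in sorted(triage(SAMPLE_FILES).items()):
        print(f"{name}: {status}")
    for candidate in ("http://example.com/landing", "javascript:alert(document.cookie)"):
        print(f"{candidate!r} allowed: {is_safe_clicktag(candidate)}")
```

The scanner decompresses CWS files before searching, because most production banners are compressed and a plain `grep clickTAG` across the web root would miss them. The validation function is the piece that actually closes the hole: a banner that passes any clickTAG value straight to `getURL` runs `javascript:` URLs in the origin of the page embedding it, whereas one that first insists on an absolute http or https URL does not.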
Jeff Williams, Chief Executive Officer of Aspect Security (a web application security firm), warned that any website carrying ads that include SWF files is exposed to XSS attacks, as reported by The Register on May 14, 2009.
Just recently, Adobe's own website was found vulnerable to this XSS vulnerability. According to security experts, apart from Adobe.com, other websites vulnerable to XSS attacks include Greek electronics vendor Plaiso.gr and Marfin Egnatia Bank. These sites could be used for various malicious attacks, such as malicious scripting or phishing.
» SPAMfighter News - 18-05-2009