10,000 Websites Containing Flash Applets are Vulnerable
Google security experts have warned users of Flash applets about security loopholes in them. Google, together with iSEC, discovered the new problem, which affects more than 500,000 Flash files hosted on public and banking websites by exposing them to Cross-Site Scripting (XSS) attacks.
The security experts said that the bugs are found in Flash applets, the building blocks for the graphics and movies that animate sites across the World Wide Web. Flash applets, also known as SWF files, are most susceptible to attack where malicious string fragments are injected into the legitimate code via XSS.
Adobe has reportedly been informed of the findings by the team of security experts. However, the researchers said that even the most recent Flash Player security update from Adobe does not protect against the discovered dangers. The group is compiling the details in a new book, "Hacking Exposed Web 2.0", slated for this January in the
The team has also disclosed important information on how to overcome the problem. According to the authors, security patches do not guarantee a solution, because the harmful code is produced when the Flash files are generated by authoring tools, including well-known ones such as Breeze, Camtasia and Dreamweaver.
According to the security experts' findings, the loopholes allow cookies to be read out and login information to be stolen easily; for instance, a manipulated link carrying certain variables can cause the SWF file to execute injected script.
The security experts found that vulnerable files are quite easy to locate. Attackers first search website directories for SWF files and then test each file one by one.
There is no way to deal with this problem other than removing the SWF files. People should wait for new updates of the authoring tools and of Flash Player. Until Adobe comes up with new updates, people have to be careful in selecting the right kind of Flash applets. Before using a Flash applet, make sure it has been manually tested, stated Alex Stamos, one of the authors of the book, as reported by The Register on December 21, 2007.
Related article: “Loopholes did not cause online banking thefts”: ICBC
» SPAMfighter News - 1/9/2008