Adobe Repairs XSS Flaws in Shockwave Flash Files
On January 16, 2008, Adobe issued two security patches to safeguard affected systems from XSS or cross-site scripting attacks.
The productivity software vendor, based in San Jose, Calif., patched flaws in Connect Enterprise Server 6, Contribute 4 and CS3, and Dreamweaver 8 and CS3 to repair bugs that could be used to launch XSS attacks against users.
The vulnerability, which arises from input validation faults in Contribute and Dreamweaver, affects systems on which the Insert Flash Video command has been used.
Adobe credited Rich Cannings, Security Researcher at Google, for reporting the flaws, which are present in the .SWF (Shockwave Flash) files published on websites.
Cannings posted details of the threats on the Internet in a public Google Docs file this month (January 2008), warning that a number of web-authoring applications insert flawed ActionScript code into .SWF files. He said that search queries in Google could expose hundreds of thousands of flawed .SWF files, affecting important websites on the Internet. InformationWeek published this in its news on January 18, 2008.
Cannings wrote in his post that by exploiting these .SWF files, it is possible to launch cross-site scripting attacks. InformationWeek.com noted this on January 18, 2008.
Cannings further explained that if any web application is subject to an XSS flaw, and a hacker entices a user of that application to click a link, the attacker can then compromise the user's browsing session in that web application.
Jeremiah Grossman, Chief Technology Officer at WhiteHat Security, told SCMagazine that XSS is currently the most prevalent type of flaw on the web. Grossman made this comment on January 17, 2008.
A website named XSSed.com, which publishes a catalogue of XSS flaws reported in various websites, lists XSS vulnerabilities reported in several high-profile domains such as google.com, yahoo.com, msn.com, and youtube.com. While some of these flaws have been repaired, others remain unfixed.
SPAMfighter News - 30-01-2008