Explore the latest news and trends  

Sign up for our weekly security newsletter


Be the first to receive important updates on security





Send

Adobe Repairs XSS Flaws in Shockwave Flash Files

On January 16, 2008, Adobe issued two security patches to safeguard affected systems from XSS or cross-site scripting attacks.

The productivity software vendor based in San Jose, Calif. patched flaws in Connect Enterprise Server 6, Contribute 4 and CS3, and Dreamweaver editions 8 and CS3 to repair bugs that could help launch XSS attacks on users' computers.

Vulnerability that arises due to input validation faults in Contribute and Dreamweaver affects systems that have Insert Flash video command deployed.

Adobe credited Rich Cannings, Security Researcher at Google, for reporting the flaws that are present in websites' .SWF, i.e., Shockwave Flash files.

Cannings posted on the Internet details of the threats in a Google's public Docs file this month (January 2008), warning that a number of web-authoring applications insert flawed ActionScript code into .SWF files. He said that hacking queries in Google could expose lakhs of flawed .SWF files, which affects important websites on the Internet. InformationWeek published this in news on January 18, 2008.

Canning wrote in his post that by exploiting these .SWF files, it is possible to launch cross-site scripting attacks. InformationWeek.com noted this on January 18, 2008.

Canning further explained that if any app on the web is subject to an XSS flaw, and a hacker entices a user running that program to click a link, then the resulting effect enables the attacker to compromise the user's surfing session in that web app.

Canning noted that the hacker could apply JavaScript to carry out activities seeming to be from the user, for instance, perform an online banking transaction. The hacker could also change the appearance of a website the user visits, such as in a phishing attack.

Chief Technology Officer, Jeremiah Grossman, at WhiteHat Security, told SCMagazine that XSS is currently the most prevalent type of flaw on the web. Grossman commented this on January 17, 2008.

A website named XSSed.com, which publishes a catalogue of XSS flaws reported in various websites, shows the XSS vulnerabilities reported in several high-profile domains such as google.com, yahoo.com, msn.com, and youtube.com. While some of these flaws have been repaired, others are still awaiting mending.

Related article: Adobe Rates Acrobat Vulnerabilities “Critical”

» SPAMfighter News - 1/30/2008

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page
Next