Vulnerabilities in Flash Applets Still Impairing Website Security

Google Security Researchers at the CanSecWest conference in Vancouver, said that too many sites, a number of which are used for economic, banking and other types of sensitive transactions, continue to be vulnerable to malware attacks. These threats typically lead to theft of customers' personal data.

Rich Cannings, Information Security Engineer, Google, appealed that security experts perform a security audit of all Flash applets maintain on their Websites and change those that are flawed, as reported by ChannelRegister on March 27, 2008.

Software vendors like Adobe and others have patched their development applications so they wouldn't create any more vulnerable Flash documents. However, it's not certain that all these different applets have been made free of vulnerabilities. For there is over 10,000 Websites that host the parasitic content, according to Cannings.

Even, Google still hasn't completed its audit of the omnipresent Shockwave Flash (SWF) it serves. However, engineers have lessened the threat by hosting Web pages on IP addresses Balkanized from Gmail.com, Google.com and its remaining domains.

One reason for the problem in auditing the omnipresent SWF is that it is third-party content developers who created several of the applets. So, when Webmasters ask them for the upgraded files, they often fail to produce the earlier content. This means that the vulnerabilities can be removed only by reproducing the content causing the Website to bear considerable costs.

Meanwhile, the security flaws exist in SWF files are the creation of programs that generate Flash applets, which give life to sites on the Web. Content vulnerable to attacks opens Websites to XSS (Cross-site Scripting) exploits that let attackers to insert malicious code into the sites' pages that end-users visit. So, criminals performing the attack could steal the account details of a user or withdraw funds in his/her name.

In December 2007, Google searches showed over 500,000 applets with bugs but the security researchers some of who were also from iSEC Partners, the penetration testing company, said that the exact number could be much higher. So, Google twisted its search engine to limit the results for the same requests between 80,000 and 90,000 hits.

Related article: Vulnerabilities in Web Applications Invite Hackers’ Activities

» SPAMfighter News - 4/4/2008