Feeds

Buggy Flash code continues to plague the web

Cost and laziness fuel Evilness' assault

High performance access to file storage

CanSecWest More than three months after researchers documented serious vulnerabilities in Flash content that left tens of thousands of sites wide open to attack, few webmasters have bothered to remove the buggy files, a security expert from Google said.

That means that an untold number of sites - many of them used for banking, ecommerce and other sensitive transactions - remain vulnerable to attacks that steal the personal details of their customers, said Rich Cannings, a Google information security engineer and one of a handful of researchers who went public with the vulnerability in late December. A few weeks later, he appealed for security professionals to audit all Flash applets stored on their sites and replace those that contained the vulnerabilities, but so far, few appear to have heeded his advice.

"I doubt many apps have been cleaned up at all," Cannings told the audience at Vancouver's CanSecWest conference. "It's a pain in the ass to fix these." There are 10,000 or more websites hosting the buggy content, he estimated.

Indeed, even Google hasn't gotten around to auditing all the ubiquitous SWF it serves, although engineers have mitigated the risk by hosting pages on numerical IP addresses that are balkanized from Google.com, Gmail.com and other domain names it uses. That prevents attackers from exploiting the buggy animations to inject malicious code when people access email, calendars and other Google services.

"A lot of other companies feel the kind of pain we feel," Cannings said. "I had a few major banks email me and say, 'Oh my God. This is a really big problem.'"

One reason for the difficulty is that many of the applets were created by third-party content creators months or years ago. When webmasters call the creators and ask for upgraded files, the third parties frequently say they no longer have copies of the old content, Cannings said. That means the only way to remove the vulnerabilities is to regenerate the content from scratch, at considerable cost to the website.

The security bugs reside in SWF files created by the most common programs for generating Flash applets, which animate sites across the web. Vulnerable content opens websites up to cross-site scripting (XSS) exploits, which allow attackers to inject code into the web pages being read by end users. Criminals could use the attack to pilfer a user's account details or perform withdrawals on behalf of a customer.

Adobe, Autodemo, TechSmith and InfoSoft and most other makers of software used to render Flash content have updated their products so they no longer produce buggy SWF files. But so far few users of these products have tapped the updates to regenerate vulnerable content, Cannings said.

In December, Google searches revealed more than 500,000 buggy applets, but the researchers, who also included members of penetration testing firm iSEC Partners, said the actual number was probably much higher. Since then Google has tweaked its search engine, so the same queries return only about 80,000 to 90,000 results.

But Cannings remains convinced that the number buggy files has barely budged, largely because of the amount of effort and people required to remove them.

Among the sites that do wind up in the search results are those belonging to a host of universities, government agencies and businesses, including one major bank. During an interview, Cannings showed us how to manipulate the uniform resource locators of a handful of these sites to force his own custom window to pop up when he clicked on the link. It read "evilness :-)"

While the pages he demonstrated were merely home pages and the pop-up was innocuous, he said it wouldn't take much effort to find vulnerable content tied to account login pages or other sensitive sections of a site. "That's how I can execute arbitrary javascript," he said with a sheepish grin. "I essentially have complete control of that user." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.