Feeds

Buggy Flash code continues to plague the web

Cost and laziness fuel Evilness' assault

Top 5 reasons to deploy VMware with Tegile

CanSecWest More than three months after researchers documented serious vulnerabilities in Flash content that left tens of thousands of sites wide open to attack, few webmasters have bothered to remove the buggy files, a security expert from Google said.

That means that an untold number of sites - many of them used for banking, ecommerce and other sensitive transactions - remain vulnerable to attacks that steal the personal details of their customers, said Rich Cannings, a Google information security engineer and one of a handful of researchers who went public with the vulnerability in late December. A few weeks later, he appealed for security professionals to audit all Flash applets stored on their sites and replace those that contained the vulnerabilities, but so far, few appear to have heeded his advice.

"I doubt many apps have been cleaned up at all," Cannings told the audience at Vancouver's CanSecWest conference. "It's a pain in the ass to fix these." There are 10,000 or more websites hosting the buggy content, he estimated.

Indeed, even Google hasn't gotten around to auditing all the ubiquitous SWF it serves, although engineers have mitigated the risk by hosting pages on numerical IP addresses that are balkanized from Google.com, Gmail.com and other domain names it uses. That prevents attackers from exploiting the buggy animations to inject malicious code when people access email, calendars and other Google services.

"A lot of other companies feel the kind of pain we feel," Cannings said. "I had a few major banks email me and say, 'Oh my God. This is a really big problem.'"

One reason for the difficulty is that many of the applets were created by third-party content creators months or years ago. When webmasters call the creators and ask for upgraded files, the third parties frequently say they no longer have copies of the old content, Cannings said. That means the only way to remove the vulnerabilities is to regenerate the content from scratch, at considerable cost to the website.

The security bugs reside in SWF files created by the most common programs for generating Flash applets, which animate sites across the web. Vulnerable content opens websites up to cross-site scripting (XSS) exploits, which allow attackers to inject code into the web pages being read by end users. Criminals could use the attack to pilfer a user's account details or perform withdrawals on behalf of a customer.

Adobe, Autodemo, TechSmith and InfoSoft and most other makers of software used to render Flash content have updated their products so they no longer produce buggy SWF files. But so far few users of these products have tapped the updates to regenerate vulnerable content, Cannings said.

In December, Google searches revealed more than 500,000 buggy applets, but the researchers, who also included members of penetration testing firm iSEC Partners, said the actual number was probably much higher. Since then Google has tweaked its search engine, so the same queries return only about 80,000 to 90,000 results.

But Cannings remains convinced that the number buggy files has barely budged, largely because of the amount of effort and people required to remove them.

Among the sites that do wind up in the search results are those belonging to a host of universities, government agencies and businesses, including one major bank. During an interview, Cannings showed us how to manipulate the uniform resource locators of a handful of these sites to force his own custom window to pop up when he clicked on the link. It read "evilness :-)"

While the pages he demonstrated were merely home pages and the pop-up was innocuous, he said it wouldn't take much effort to find vulnerable content tied to account login pages or other sensitive sections of a site. "That's how I can execute arbitrary javascript," he said with a sheepish grin. "I essentially have complete control of that user." ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.