
Buggy Flash code continues to plague the web

Cost and laziness fuel Evilness' assault


CanSecWest More than three months after researchers documented serious vulnerabilities in Flash content that left tens of thousands of sites wide open to attack, few webmasters have bothered to remove the buggy files, a security expert from Google said.

That means that an untold number of sites - many of them used for banking, ecommerce and other sensitive transactions - remain vulnerable to attacks that steal the personal details of their customers, said Rich Cannings, a Google information security engineer and one of a handful of researchers who went public with the vulnerability in late December. A few weeks later, he appealed for security professionals to audit all Flash applets stored on their sites and replace those that contained the vulnerabilities, but so far, few appear to have heeded his advice.

"I doubt many apps have been cleaned up at all," Cannings told the audience at Vancouver's CanSecWest conference. "It's a pain in the ass to fix these." There are 10,000 or more websites hosting the buggy content, he estimated.

Indeed, even Google hasn't gotten around to auditing all the ubiquitous SWF it serves, although engineers have mitigated the risk by hosting pages on numerical IP addresses that are balkanized from Google.com, Gmail.com and other domain names it uses. That prevents attackers from exploiting the buggy animations to inject malicious code when people access email, calendars and other Google services.

"A lot of other companies feel the kind of pain we feel," Cannings said. "I had a few major banks email me and say, 'Oh my God. This is a really big problem.'"

One reason for the difficulty is that many of the applets were created by third-party content creators months or years ago. When webmasters call the creators and ask for upgraded files, the third parties frequently say they no longer have copies of the old content, Cannings said. That means the only way to remove the vulnerabilities is to regenerate the content from scratch, at considerable cost to the website.

The security bugs reside in SWF files created by the most common programs for generating Flash applets, which animate sites across the web. Vulnerable content opens websites up to cross-site scripting (XSS) exploits, which allow attackers to inject code into the web pages being read by end users. Criminals could use the attack to pilfer a user's account details or perform withdrawals on behalf of a customer.

Adobe, Autodemo, TechSmith and InfoSoft and most other makers of software used to render Flash content have updated their products so they no longer produce buggy SWF files. But so far few users of these products have tapped the updates to regenerate vulnerable content, Cannings said.

In December, Google searches revealed more than 500,000 buggy applets, but the researchers, who also included members of penetration testing firm iSEC Partners, said the actual number was probably much higher. Since then Google has tweaked its search engine, so the same queries return only about 80,000 to 90,000 results.

But Cannings remains convinced that the number of buggy files has barely budged, largely because of the amount of effort and people required to remove them.

Among the sites that do wind up in the search results are those belonging to a host of universities, government agencies and businesses, including one major bank. During an interview, Cannings showed us how to manipulate the uniform resource locators of a handful of these sites to force his own custom window to pop up when he clicked on the link. It read "evilness :-)".

While the pages he demonstrated were merely home pages and the pop-up was innocuous, he said it wouldn't take much effort to find vulnerable content tied to account login pages or other sensitive sections of a site. "That's how I can execute arbitrary javascript," he said with a sheepish grin. "I essentially have complete control of that user." ®
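Cannings' appeal was for site owners to audit every Flash applet they serve, and the first step of that audit is knowing which files are SWF at all. The following Python is an added example, not code from the article or from Google: it inventories SWF files under a web root by their magic bytes rather than by extension (so a renamed applet is not missed), inflates zlib-compressed CWS files and sanity-checks the declared length; it assumes a local directory as the web root and constructs its own sample files.

```python
import os
import struct
import tempfile
import zlib

SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}  # SWF magic bytes

def parse_swf(data):
    """Return header fields plus the inflated body, or None if data is not an SWF."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    compression = SWF_SIGNATURES[data[:3]]
    declared_length = struct.unpack("<I", data[4:8])[0]  # uncompressed size, header included
    if compression == "uncompressed":
        body = data[8:]
    elif compression == "zlib":
        body = zlib.decompress(data[8:])
    else:
        body = None  # ZWS (LZMA) bodies are left to other tools
    length_ok = body is None or declared_length == 8 + len(body)  # mismatch: truncated/altered file
    return {"compression": compression, "version": data[3], "length_ok": length_ok, "body": body}

def inventory_swf(root):
    """Walk a web root and record every SWF by magic bytes, whatever its file extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                parsed = parse_swf(fh.read())
            if parsed is not None:
                parsed.pop("body")
                parsed["path"] = os.path.relpath(path, root)
                findings.append(parsed)
    return findings

def build_swf(body, version=8, compress=True):
    """Constructed sample: a well-formed header over an arbitrary body (not a playable movie)."""
    header = (b"CWS" if compress else b"FWS") + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)

def demo():
    """Constructed web root: a .swf, an SWF hiding behind a .dat extension, and a PNG."""
    root = tempfile.mkdtemp()
    samples = {"banner.swf": build_swf(b"\x00" * 40),
               "legacy.dat": build_swf(b"\x01" * 16, version=6, compress=False), "logo.png": b"\x89PNG\r\n\x1a\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return inventory_swf(root)
```

Point `inventory_swf` at a real document root to get the list of applets that still need regenerating with a patched authoring tool.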
