Buggy Flash code continues to plague the web

Cost and laziness fuel Evilness' assault

CanSecWest More than three months after researchers documented serious vulnerabilities in Flash content that left tens of thousands of sites wide open to attack, few webmasters have bothered to remove the buggy files, a security expert from Google said.

That means that an untold number of sites - many of them used for banking, ecommerce and other sensitive transactions - remain vulnerable to attacks that steal the personal details of their customers, said Rich Cannings, a Google information security engineer and one of a handful of researchers who went public with the vulnerability in late December. A few weeks later, he appealed for security professionals to audit all Flash applets stored on their sites and replace those that contained the vulnerabilities, but so far, few appear to have heeded his advice.

"I doubt many apps have been cleaned up at all," Cannings told the audience at Vancouver's CanSecWest conference. "It's a pain in the ass to fix these." There are 10,000 or more websites hosting the buggy content, he estimated.

Indeed, even Google hasn't gotten around to auditing all the ubiquitous SWF it serves, although engineers have mitigated the risk by hosting pages on numerical IP addresses that are balkanized from Google.com, Gmail.com and other domain names it uses. That prevents attackers from exploiting the buggy animations to inject malicious code when people access email, calendars and other Google services.
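The mitigation described above relies on the browser's same-origin policy: script injected through a buggy SWF can only reach the cookies and DOM of the origin the SWF is served from. The audit check below, an added example that is not code from the article or from Google, lists the SWF files a page embeds and flags those served from the page's own origin rather than an isolated host. The HTML sample and host names are constructed for illustration.

```python
"""Audit check: are a page's Flash (SWF) objects served from an isolated origin?

Added example, not from the article or from Google. The same-origin policy keys
on (scheme, host, port), so a SWF hosted on the same origin as the page exposes
that origin's cookies and DOM to script injected through it, while one hosted on
a separate numeric-IP origin does not. The sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry the movie URL for each embedding tag.
SWF_ATTRS = {"object": ("data",), "embed": ("src",)}


class SwfCollector(HTMLParser):
    """Collect URLs of SWF files referenced by the page."""

    def __init__(self):
        super().__init__()
        self.swf_urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        candidates = [a.get(k) for k in SWF_ATTRS.get(tag, ())]
        # Legacy <object> embeds name the movie via <param name="movie" value=...>
        if tag == "param" and a.get("name", "").lower() == "movie":
            candidates.append(a.get("value"))
        for url in candidates:
            if url and urlsplit(url).path.lower().endswith(".swf"):
                self.swf_urls.append(url)


def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))


def same_origin_swfs(page_url, html):
    """Return SWF URLs sharing the page's origin, i.e. the risky configuration."""
    parser = SwfCollector()
    parser.feed(html)
    page_origin = origin(page_url)
    absolute = [urljoin(page_url, u) for u in parser.swf_urls]
    return sorted({u for u in absolute if origin(u) == page_origin})


# Constructed sample: two SWFs on the main domain (flagged), one on an isolated IP.
SAMPLE_HTML = """
<object data="/media/intro.swf" type="application/x-shockwave-flash"></object>
<object><param name="movie" value="http://203.0.113.10/static/promo.swf"></object>
<embed src="https://bank.example/flash/tour.swf">
"""

if __name__ == "__main__":
    for u in same_origin_swfs("https://bank.example/home", SAMPLE_HTML):
        print("SWF served from the page's own origin:", u)
```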

"A lot of other companies feel the kind of pain we feel," Cannings said. "I had a few major banks email me and say, 'Oh my God. This is a really big problem.'"

One reason for the difficulty is that many of the applets were created by third-party content creators months or years ago. When webmasters call the creators and ask for upgraded files, the third parties frequently say they no longer have copies of the old content, Cannings said. That means the only way to remove the vulnerabilities is to regenerate the content from scratch, at considerable cost to the website.

The security bugs reside in SWF files created by the most common programs for generating Flash applets, which animate sites across the web. Vulnerable content opens websites up to cross-site scripting (XSS) exploits, which allow attackers to inject code into the web pages being read by end users. Criminals could use the attack to pilfer a user's account details or perform withdrawals on behalf of a customer.

Adobe, Autodemo, TechSmith, InfoSoft and most other makers of software used to render Flash content have updated their products so they no longer produce buggy SWF files. But so far few users of these products have tapped the updates to regenerate vulnerable content, Cannings said.

In December, Google searches revealed more than 500,000 buggy applets, but the researchers, who also included members of penetration testing firm iSEC Partners, said the actual number was probably much higher. Since then Google has tweaked its search engine, so the same queries return only about 80,000 to 90,000 results.

But Cannings remains convinced that the number of buggy files has barely budged, largely because of the amount of effort and people required to remove them.

Among the sites that do wind up in the search results are those belonging to a host of universities, government agencies and businesses, including one major bank. During an interview, Cannings showed us how to manipulate the uniform resource locators of a handful of these sites to force his own custom window to pop up when he clicked on the link. It read "evilness :-)".

While the pages he demonstrated were merely home pages and the pop-up was innocuous, he said it wouldn't take much effort to find vulnerable content tied to account login pages or other sensitive sections of a site. "That's how I can execute arbitrary javascript," he said with a sheepish grin. "I essentially have complete control of that user." ®
