Buggy Flash code continues to plague the web

Cost and laziness fuel Evilness' assault

CanSecWest - More than three months after researchers documented serious vulnerabilities in Flash content that left tens of thousands of sites wide open to attack, few webmasters have bothered to remove the buggy files, a security expert from Google said.

That means that an untold number of sites - many of them used for banking, ecommerce and other sensitive transactions - remain vulnerable to attacks that steal the personal details of their customers, said Rich Cannings, a Google information security engineer and one of a handful of researchers who went public with the vulnerability in late December. A few weeks later, he appealed for security professionals to audit all Flash applets stored on their sites and replace those that contained the vulnerabilities, but so far, few appear to have heeded his advice.

"I doubt many apps have been cleaned up at all," Cannings told the audience at Vancouver's CanSecWest conference. "It's a pain in the ass to fix these." There are 10,000 or more websites hosting the buggy content, he estimated.

Indeed, even Google hasn't gotten around to auditing all the ubiquitous SWF files it serves, although engineers have mitigated the risk by hosting the content on numerical IP addresses that are balkanized from Google.com, Gmail.com and the other domain names it uses. That prevents attackers from exploiting the buggy animations to inject malicious code into the pages people use for email, calendars and other Google services.
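Cannings' advice that webmasters audit every Flash applet on their sites, and Google's interim mitigation of serving SWF from hosts that share nothing with its sensitive domains, can be turned into a simple inventory check. The Python below is an added example written for this page; it is not code from the article, from Google or from any of the vendors named. The domain names, IP address and URLs in it are constructed. It classifies each SWF URL as either isolated or as sharing cookie scope with a sensitive domain, because a cookie set with `Domain=example.com` is sent to every subdomain, so an applet on `static.example.com` is not isolated, whereas a bare IP literal can never fall inside a domain's cookie scope.

```python
"""Added example: classify where .swf files are served relative to an
organisation's sensitive domains.  All hostnames and URLs are constructed."""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin per RFC 6454, filling in
    default ports so 'https://a/' and 'https://a:443/' compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_ip_literal(host):
    """True for IPv4/IPv6 literals such as the numeric hosts the article describes."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_cookie_scope(host, domain):
    """True when host is domain itself or a subdomain of it.  A cookie set
    with Domain=<domain> reaches every such host, so script injected via an
    applet there can read it.  IP literals never match a domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    if is_ip_literal(host):
        return False
    return host == domain or host.endswith("." + domain)


def classify_swf(url, sensitive_domains):
    """'not-swf' for non-Flash URLs, 'shared-domain' when the applet shares
    cookie scope with a sensitive domain, otherwise 'isolated'."""
    if not urlsplit(url).path.lower().endswith(".swf"):
        return "not-swf"
    host = origin(url)[1]
    if any(in_cookie_scope(host, d) for d in sensitive_domains):
        return "shared-domain"
    return "isolated"


def audit(urls, sensitive_domains):
    """Group every SWF URL in the inventory by classification."""
    report = {"isolated": [], "shared-domain": []}
    for u in urls:
        c = classify_swf(u, sensitive_domains)
        if c in report:
            report[c].append(u)
    return report


# Constructed sample inventory: the domains an organisation considers sensitive
# and the URLs at which its Flash content is currently served.
SENSITIVE_DOMAINS = ["example.com", "example-mail.com"]
SAMPLE_URLS = [
    "https://www.example.com/media/intro.swf",      # same host as login pages
    "https://static.example.com/player.swf",        # subdomain: shares cookies
    "http://203.0.113.10/player.swf",               # numeric host: isolated
    "https://notexample.com/promo.swf",             # unrelated domain: isolated
    "https://www.example.com/index.html",           # not Flash content
]

if __name__ == "__main__":
    for category, urls in audit(SAMPLE_URLS, SENSITIVE_DOMAINS).items():
        print(category)
        for u in urls:
            print("   ", u)
```

Feed the script the real list of SWF URLs from a crawl or access logs; anything in the `shared-domain` bucket either needs regenerating with the fixed tooling or moving to a host outside the cookie scope of the sites that carry sessions.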

"A lot of other companies feel the kind of pain we feel," Cannings said. "I had a few major banks email me and say, 'Oh my God. This is a really big problem.'"

One reason for the difficulty is that many of the applets were created by third-party content creators months or years ago. When webmasters call the creators and ask for upgraded files, the third parties frequently say they no longer have copies of the old content, Cannings said. That means the only way to remove the vulnerabilities is to regenerate the content from scratch, at considerable cost to the website.

The security bugs reside in SWF files created by the most common programs for generating Flash applets, which animate sites across the web. Vulnerable content opens websites up to cross-site scripting (XSS) exploits, which allow attackers to inject code into the web pages being read by end users. Criminals could use the attack to pilfer a user's account details or perform withdrawals on behalf of a customer.

Adobe, Autodemo, TechSmith, InfoSoft and most other makers of software used to produce Flash content have updated their products so they no longer generate buggy SWF files. But so far few users of these products have applied the updates and regenerated the vulnerable content, Cannings said.

In December, Google searches revealed more than 500,000 buggy applets, but the researchers, who also included members of penetration testing firm iSEC Partners, said the actual number was probably much higher. Since then Google has tweaked its search engine, so the same queries return only about 80,000 to 90,000 results.

But Cannings remains convinced that the number of buggy files has barely budged, largely because of the amount of effort and the number of people required to remove them.

Among the sites that do wind up in the search results are those belonging to a host of universities, government agencies and businesses, including one major bank. During an interview, Cannings showed us how to manipulate the uniform resource locators of a handful of these sites to force his own custom window to pop up when he clicked on the link. It read "evilness :-)".

While the pages he demonstrated were merely home pages and the pop-up was innocuous, he said it wouldn't take much effort to find vulnerable content tied to account login pages or other sensitive sections of a site. "That's how I can execute arbitrary JavaScript," he said with a sheepish grin. "I essentially have complete control of that user." ®
