Updated Friday, Jan. 4, 2008, at 10:47 a.m. EST
Websites hosting vulnerable Flash files are exploitable by a cross-site scripting (XSS) attack in the context of the domain hosting the vulnerable file, as well as by attacks that spoof or modify online content, according to the cybersecurity division of the U.S. Department of Homeland Security.
Rich Cannings, a member of the Google Security Team, who reported the issue to the federal government, noted that vulnerabilities in widely used web authoring tools for generating SWF files are at fault. The flaws exist in Adobe's Dreamweaver and Acrobat Connect Professional, InfoSoft FusionCharts and TechSmith Camtasia, all of which have patches available.
Cannings noted that the issue exists in other tools, but that he would not disclose which ones until they patch the issue. The researcher urged end-users to update to the latest version of Flash Player Plugin, website owners to remove vulnerable SWFs from their websites, and developers to test SWFs before placing them online.
There were a half million flawed SWF files online by last month, Cannings told SCMagazineUS.com today.
“This issue is widespread. Currently, there are hundreds of thousands of vulnerable SWFs on the internet,” he said. “Prior to Dec. 3, there were more than 500,000 vulnerable SWFs.”
Adobe disclosed that it will address the XSS issues in SWFs “early this year” with an update. The San Jose, Calif.-based company will release a revised version for pre-generated SWF files in Adobe software, including XSS prevention, this month, according to a Dec. 23 advisory which ranked the issue as “important.”
Representatives from TechSmith could not be immediately reached for comment.
Jeremiah Grossman, chief technology officer of WhiteHat Security, told SCMagazineUS.com today that the issue will take a considerable amount of time to fix because of the high number of end-users who must patch PCs as well as the high number of SWF files available on the web.
“[Vulnerable Flash files] show up in the thousands on so many sites, and all of these files will have to be removed or updated,” he said. “Actually getting all of the work done is going to take a long time.”
Grossman compared the issue to a year-old vulnerability in an Adobe Acrobat Reader plug-in that makes PDF-friendly websites susceptible to XSS attacks, worms and the theft of cookies and session information. The flaw was initially disclosed by researchers Stefano Di Paola and Giorgio Fedon in late 2006.