Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Widespread Flash file flaws allows cross-site scripting attacks

Updated Friday, Jan. 4, 2008, at 10:47 a.m. EST

An attacker can carry out cross-site scripting (XSS) attacks on a vulnerable system through newly disclosed vulnerabilities in Shockwave Flash (SWF) files.

The flaws, which can be found by the thousand via search engine, are caused by an error in the way that input is validated when passed to embedded ActionScript and JavaScript in Flash files, according to the US-CERT, which warned about the issue in an advisory updated today.

Websites hosting vulnerable Flash files are exploitable by an XSS attack in the context of the domain hosting the vulnerable file, as well as attacks that spoof or modify online content, according to the cybersecurity division of the U.S. Department of Homeland Security.

Rich Cannings, a member of the Google Security Team, who reported the issue to the federal government, noted that vulnerabilities in widely used web authoring tools for generating SWF files are at fault for the issue. The flaws exist in Adobe's Dreamweaver and Acrobat Connect Professional, InfoSoft FusionCharts and Techsmith Camtasia, all of which have patches available for the flaw.

Cannings noted that the issue exists in other tools, but that he would not disclose which ones until they patch the issue. The researcher urged end-users to update to the latest version of Flash Player Plugin, website owners to remove vulnerable SWFs from their websites, and developers test SWFs before placing them online.

There were a half million flawed SWF files online by last month, Cannings told today.

"This issue is widespread. Currently, there are hundreds of thousands of vulnerable SWFs on the internet," he said. "Prior to Dec. 3, there were more than 500,000 vulnerable SWFs."

An XSS attack can allow an attacker to gain complete control of the user's session in the application, then use JavaScript to perform an action, such as a bank transaction, on behalf of the user.

Adobe disclosed that it will address the XSS issues in SWFs “early this year” with an update. The San Jose, Calif.-based company will release a revised version for pre-generated SWF files in Adobe software, including XSS prevention, this month, according to a Dec. 23 advisory which ranked the issue as “important.”

Pallav Nadhani, a member of InfoSoft's FusionCharts Team, told today that his company released a patch for the issue last month, adding that an attacker would have to create a phishing website and redirect an end-user to the site before employing malicious JavaScript.

Representatives from Techsmith could not be immediately reached for comment.

Jeremiah Grossman, chief technology officer of WhiteHat Security, told today that the issue will take a considerable amount of time to fix because of the high numbers of end-users who must patch PCs as well as the high amount of SWF files available on the web.

“[Vulnerable Flash files] show up in the thousands on so many sites, and all of these files will have to be removed or updated,” he said. “Actually getting all of the work done is going to take a long time.”

Grossman compared the issue to a year-old vulnerability in an Adobe Acrobat Reader plug-in that makes PDF-friendly websites susceptible to XSS attacks, worms and the theft of cookies and session information. The flaw was initially disclosed by researchers Stefano Di Paola and Giorgio Fedon in late 2006.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.