Flash flaw puts most sites, users at risk, say researchers
'Frighteningly bad thing,' said Foreground Security, of flaw allowing hackers to hijack sites, attack users
By Gregg Keizer
November 12, 2009 04:17 PM ET
Computerworld - Hackers can exploit a flaw in Adobe's Flash to compromise nearly every Web site that allows users to upload content, including Google's Gmail, then launch silent attacks on visitors to those sites, security researchers said today.
Adobe did not dispute the researchers' claims, but said that Web designers and administrators have a responsibility to craft their applications and sites to prevent such attacks.
"The magnitude of this is huge," said Mike Murray, the chief information security officer at Orlando, Fla.-based Foreground Security. "Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this."
The problem lies in the Flash ActionScript same-origin policy, which is designed to limit a Flash object's access to other content only from the domain it originated from, added Mike Bailey, a senior security researcher at Foreground. Unfortunately, said Bailey, if an attacker can deposit a malicious Flash object on a Web site -- through its user-generated content capabilities, which typically allow people to upload files to the site or service -- they can execute malicious scripts in the context of that domain.
"This is a frighteningly bad thing," Bailey said. "How many Web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable."
It's like waiting for Duke Nukem Forever.
