Flash Bug Prompts Calls for Code Rewriting

LOS ANGELES – According to Google, hundreds of thousands of vulnerable Flash files are currently on the Internet, including files found at a large number of major websites.

The danger stems from a Cross-Site Scripting (XSS) exploit of Shockwave Flash (SWF) files generated by most of the programs that create Flash applets that allows attackers to access data on targeted websites; such as usernames and passwords, or even performing unauthorized online banking transactions.

The problem may be particularly acute for adult website operators, who have increasingly made use of Flash technology in advertisements and video files and often rely on Adobe's popular DreamWeaver software for website development – one of the tools that generate the vulnerable files.

"If a web application is vulnerable to XSS, and an attacker lures a user of the vulnerable web application to click on a link, then the attacker gains complete control of the user's session in the web application," Google's Rich Cannings wrote. "The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the website appears to the user (for example, perform a phishing attack)."

While security experts have warned of additional vulnerabilities, the XSS exploit was made public after companies such as Adobe updated their software to eliminate the bug.

Now, experts are recommending that all existing Flash files be removed from websites until they can be regenerated with the newest versions of these tools to address the issue.

Cannings also recommends that SWF files be served from numbered IP addresses or from separate domains from the site that features the Flash files.

"If there's an issue on a bank, the impact of an XSS is pretty large," Cannings said. "In other words, it's a huge amount of work, but well worth it for trusted sites that want to remain that way."

Expanding on the causes of the vulnerability, Cannings reported that DreamWeaver's "skinName" parameter can be used to load URLs containing the "asfunction" handler; while Adobe Acrobat Connect makes files that do not validate the "baseurl" parameter, which can allow malicious scripts to be injected into targeted websites.

The complete report can be read here.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More News

Woodhull Urges the Supreme Court to Find Texas AV Law Unconstitutional

The Woodhull Freedom Foundation and the Electronic Frontier Foundation submitted a brief to the United States Supreme Court on Thursday, urging the justices to rule against Texas’ age verification law.

AEBN Publishes Popular Searches for March and April

AEBN has released the top search terms for the months of  March and April from its straight and gay theaters in all 50 states and the District of Columbia.

2024 XBIZ Creator Awards Winners Announced

Winners of the 2024 XBIZ Creator Awards were revealed Wednesday evening during a live ceremony at E11EVEN Nightclub in Miami, Florida. The event, presented by Fansly, was hosted by Siri Dahl and Little Puck.

'90s Japanese Performer Sues to Remove Titles from Streaming Site

Former Japanese performer Miyuki Ariga is suing the Fanza adult streaming site at the Tokyo District Court to remove four titles in which she appeared in 1994.

Free Speech Coalition Asks Court to Block Montana AV Law

The Free Speech Coalition (FSC) has asked the US District Court of Montana to block the state's new age verification law.

Segpay Launches Virtual 'Segcard' Creator Payout Solution

Segpay has updated its Segcard creator payout option by offering a new, virtual version.

Leading Conservative Think Tank Slams 5th Circuit for Upholding Texas Age Verification Law

Leading conservative think tank the American Enterprise Institute has published an opinion piece penned by one of its senior fellows criticizing the 5th Circuit endorsement of Texas’ controversial age verification law.

OpenAI Shuts Down AI-Generated Porn Rumors

A spokesperson for OpenAI, the company behind ChatGPT, has shut down online chatter about how a rumored relaxation of the company’s stance against AI-generated NSFW content may result in a lifting of its porn ban.

Former Trump Staffer, Project 2025 Advisor John McEntee Predicts a Total Porn Ban

John McEntee, senior advisor to the Heritage Foundation’s Project 2025 and a former key figure in the Trump administration, is predicting an eventual full ban on pornography, claiming that once it is enacted, “this country will flourish.”

Vendo Launches 'Pay by Bank' Service

Vendo has launched its new Pay by Bank checkout system.

Show More