xbiz world
xbiz premiere

Flash Bug Prompts Calls for Code Rewriting

LOS ANGELES – According to Google, hundreds of thousands of vulnerable Flash files are currently on the Internet, including files found at a large number of major websites.

The danger stems from a Cross-Site Scripting (XSS) exploit of Shockwave Flash (SWF) files generated by most of the programs that create Flash applets that allows attackers to access data on targeted websites; such as usernames and passwords, or even performing unauthorized online banking transactions.

The problem may be particularly acute for adult website operators, who have increasingly made use of Flash technology in advertisements and video files and often rely on Adobe's popular DreamWeaver software for website development – one of the tools that generate the vulnerable files.

"If a web application is vulnerable to XSS, and an attacker lures a user of the vulnerable web application to click on a link, then the attacker gains complete control of the user's session in the web application," Google's Rich Cannings wrote. "The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the website appears to the user (for example, perform a phishing attack)."

While security experts have warned of additional vulnerabilities, the XSS exploit was made public after companies such as Adobe updated their software to eliminate the bug.

Now, experts are recommending that all existing Flash files be removed from websites until they can be regenerated with the newest versions of these tools to address the issue.

Cannings also recommends that SWF files be served from numbered IP addresses or from separate domains from the site that features the Flash files.

"If there's an issue on a bank, the impact of an XSS is pretty large," Cannings said. "In other words, it's a huge amount of work, but well worth it for trusted sites that want to remain that way."

Expanding on the causes of the vulnerability, Cannings reported that DreamWeaver's "skinName" parameter can be used to load URLs containing the "asfunction" handler; while Adobe Acrobat Connect makes files that do not validate the "baseurl" parameter, which can allow malicious scripts to be injected into targeted websites.

The complete report can be read here.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More News

Heritage Foundation President Calls Trump God's 'Imperfect Instrument' to Achieve Porn Ban

The president of the Heritage Foundation, the conservative group behind Project 2025, told CNN that Donald Trump’s notorious interactions with porn stars do not disqualify the presumptive Republican nominee from implementing their plan to criminalize all the production and distribution of adult content.

California Republicans, Democrats Send Controversial Age Verification Bill to Senate

The California version of the age verification bills being sponsored around the country by anti-porn activists unanimously passed a bipartisan floor vote at the state Assembly on Thursday and is now being considered by the state Senate.

UK Regulator Ofcom Rejects OnlyFans' Complaint About Unfair Treatment by the BBC

U.K. communications regulator Ofcom has rejected a formal complaint from OnlyFans, which alleged unfair treatment during a 2022 BBC report about its moderation practices.

Child Protection, Civil Liberties Groups File Amicus Briefs in Support of FSC Court Petition

Several child protection and civil liberties groups have filed amicus briefs in support of the Free Speech Coalition's (FSC) petition to the Supreme Court.

Woodhull Urges the Supreme Court to Find Texas AV Law Unconstitutional

The Woodhull Freedom Foundation and the Electronic Frontier Foundation submitted a brief to the United States Supreme Court on Thursday, urging the justices to rule against Texas’ age verification law.

AEBN Publishes Popular Searches for March and April

AEBN has released the top search terms for the months of  March and April from its straight and gay theaters in all 50 states and the District of Columbia.

2024 XBIZ Creator Awards Winners Announced

Winners of the 2024 XBIZ Creator Awards were revealed Wednesday evening during a live ceremony at E11EVEN Nightclub in Miami, Florida. The event, presented by Fansly, was hosted by Siri Dahl and Little Puck.

'90s Japanese Performer Sues to Remove Titles from Streaming Site

Former Japanese performer Miyuki Ariga is suing adult streaming site Fanza to remove four titles in which she appeared in 1994.

Free Speech Coalition Asks Court to Block Montana AV Law

The Free Speech Coalition (FSC) has asked the US District Court of Montana to block the state's new age verification law.

Segpay Launches Virtual 'Segcard' Creator Payout Solution

Segpay has updated its Segcard creator payout option by offering a new, virtual version.

Show More