Thursday, November 12, 2009

Adobe Flash potentially puts most computers and users at risk

According to researchers there is a flaw within Flash that allows hackers to launch silent attacks on websites and users. Adobe hasn't tried to hide the fact that it is true and has suggested that its up to site designers to make sure they design their sites in such a way to prevent the attacks.

"The magnitude of this is huge," said Mike Murray, the chief information security officer at Orlando, Fla.-based Foreground Security. "Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this."

The problem lies in the Flash ActionScript same-origin policy which is designed to limit a Flash object's access to other content only from the domain it originated from, added Mike Bailey, a senior security researcher at Foreground. Unfortunately, said Bailey, if an attacker can deposit a malicious Flash object on a Web site -- through its user-generated content capabilities, which typically allow people to upload files to the site or service -- they can execute malicious scripts in the context of that domain.

"This is a frighteningly bad thing," Bailey said. "How many Web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable."

The problem is that Adobe and security companies are trying to get the word out, but web application designers and programmers aren't listening. A few of the major sites that have actually locked down their servers to protect their users include Microsoft's Windows Live Hotmail and Google's YouTube, but sites like Google's Gmail and even some Adobe sites, still remain vulnerable. The researchers say the likelihood of an attack on Gmail is still very small, its also a very real possibility.

The only current defense users can employ against such attacks is to stop using Flash, or failing that, restrict its use to sites known to be safe with tools such as the NoScript add-on for Mozilla's Firefox, or ToggleFlash for Microsoft's Internet Explorer.

"The best mitigation is to not use Flash," argued Murray, "but we know that that's impossible for most users, since Flash is so widely used on the Web."

"Almost everyone using the Internet is vulnerable to a Web site that allows content to be updated inappropriately," said Murray. "That's not hyperbole, it's just fact. This has the potential to affect any social media site, any career site, any dating site, many retail sites and many cloud applications. That's why this attack is so serious. End users would never know they got exploited."

The best suggestion would be to get the news out about the vulnerability and hope that Adobe gets a patch to fix the problem before the slight flaw turns into a major headache for everyone.

No comments: