By Dan Goodin in San Francisco
22nd December 2009
A security researcher has identified more than 8 million Adobe Flash
files that make the websites hosting them vulnerable to attacks that
target visitors with malicious code.
The Flash files are contained on a wide variety of sites operated by
online casinos, news organizations, banks, and professional sports
teams. They make the pages where they reside susceptible to XSS, or
cross-site scripting, attacks that have the potential to inject
malicious code and content into a visitor's browser and in some cases
steal credentials used to authenticate user accounts.
The researcher, who goes by the moniker MustLive, said the Flash files
contain poorly written ActionScript used to count the number of times a
banner has been clicked and typically accept the clickTAG or url
parameters. Two Google searches identified a total of more than
8.3 million of them on sites hosted by the New York Giants football
team, Praguepost.com and ParadaisPoker.com. Because Google results are
often abbreviated, the actual number is probably higher.
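The defect MustLive describes is the banner handing an externally supplied clickTAG (or url) value straight to the browser. The following ActionScript 2 sketch is an added illustration, not code from the article or from any of the named sites; the function and instance names (openBannerLinkUnsafe, isAllowedTarget, openBannerLink, bannerButton) are assumed for the example.

```actionscript
// Constructed example (not MustLive's or any site's code). Flash Player exposes
// query-string / FlashVars parameters as variables on _root, so whoever controls
// the link to the banner controls the value of clickTAG.

// VULNERABLE pattern: the parameter goes to the browser unchecked, so any URL
// scheme the browser understands, not just a web address, is accepted.
function openBannerLinkUnsafe():Void {
    getURL(_root.clickTAG, "_blank");
}

// HARDENED: only absolute http/https targets pass; everything else is rejected.
// The comparison is case-insensitive because scheme names are.
function isAllowedTarget(target:String):Boolean {
    if (target == undefined || target == null) {
        return false;
    }
    var t:String = target.toLowerCase();
    return (t.indexOf("http://") == 0 || t.indexOf("https://") == 0);
}

function openBannerLink():Void {
    var target:String = _root.clickTAG;
    if (!isAllowedTarget(target)) {
        return; // refuse the click; do not fall back to anything derived from the input
    }
    getURL(target, "_blank");
}

// Wire the banner's button; a 'url' parameter, where used, gets the same check.
bannerButton.onRelease = function():Void {
    openBannerLink();
};
```

On the hosting side, embedding the banner with allowScriptAccess set to never limits what a SWF can do to the surrounding page even if its own checks are missing, which is one reason a site carrying a buggy banner is not automatically exploitable.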
MustLive said websites that host the buggy content aren't automatically
vulnerable to XSS exploits. Indeed, even though the pages on the
official Citibank website included such content, XSS attacks that tried
to exploit them failed.