Serious web vuln found in 8 million Flash files 

By Dan Goodin in San Francisco
The Register
22nd December 2009 

A security researcher has identified more than 8 million Adobe Flash 
files that make the websites hosting them vulnerable to attacks that 
target visitors with malicious code.

The Flash files are contained on a wide variety of sites operated by 
online casinos, news organizations, banks, and professional sports 
teams. They make the pages where they reside susceptible to XSS, or 
cross-site scripting, attacks that have the potential to inject 
malicious code and content into a visitor's browser and in some cases 
steal credentials used to authenticate user accounts.

The researcher, who goes by the moniker MustLive, said the Flash files 
contain poorly written ActionScript used to count the number of times a 
banner has been clicked and typically contain the clickTAG or url 
parameters. Google searches here and here identified a total of more than 
8.3 million of them on sites hosted by the New York Giants football 
team, and Because Google results are often abbreviated, the actual 
number is probably higher.
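As an added illustration (not code from the article or from MustLive's research), the banner-click handler the article refers to can be shown as an ActionScript 2 frame script, first in the unsafe form and then with the check a defender would add before the value reaches the browser. The getURL call, the bannerButton instance name, the _root.clickTAG variable and the placeholder host ads.example.com are assumptions about what such a banner typically contains, not details taken from the article.

```actionscript
// Frame script, ActionScript 2. Assumed illustration; not the article's code.
// bannerButton is the assumed instance name of the banner's button.

// Unsafe pattern: the clickTAG FlashVar set by the embedding page goes
// straight to the browser, so the hosting page's origin is exposed to
// whatever value reaches that parameter.
bannerButton.onRelease = function():Void {
    getURL(_root.clickTAG, "_blank");
};

// Hardened pattern: accept only absolute http/https URLs whose host is
// the expected click-tracking server (placeholder hostname).
var ALLOWED_HOSTS:Array = ["ads.example.com"]; // placeholder

function isAllowedClickTarget(target:String):Boolean {
    if (target == undefined || target.length == 0) {
        return false;
    }
    var lower:String = target.toLowerCase();
    var schemeLen:Number;
    if (lower.indexOf("https://") == 0) {
        schemeLen = 8;
    } else if (lower.indexOf("http://") == 0) {
        schemeLen = 7;
    } else {
        return false; // any other scheme is refused
    }
    var rest:String = lower.substr(schemeLen);
    var slash:Number = rest.indexOf("/");
    var host:String = (slash == -1) ? rest : rest.substr(0, slash);
    // Refuse userinfo or port in the authority so the host match is exact.
    if (host.indexOf("@") != -1 || host.indexOf(":") != -1) {
        return false;
    }
    for (var i:Number = 0; i < ALLOWED_HOSTS.length; i++) {
        if (host == ALLOWED_HOSTS[i]) {
            return true;
        }
    }
    return false;
}

// This assignment replaces the unsafe handler above.
bannerButton.onRelease = function():Void {
    if (isAllowedClickTarget(_root.clickTAG)) {
        getURL(_root.clickTAG, "_blank");
    }
};
```

The same check applies to a banner that reads a url parameter instead of clickTAG; the point is that nothing supplied by the embedding page is passed to getURL unvalidated.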

MustLive said websites that host the buggy content aren't automatically 
vulnerable to XSS exploits. Indeed, even though the pages on the 
official Citibank website included such content, XSS attacks that tried 
to exploit them failed.


