http://www.theregister.co.uk/2009/12/22/mass_flash_file_vulnerability/ By Dan Goodin in San Francisco The Register 22nd December 2009 A security researcher has identified more than 8 million Adobe Flash files that make the websites hosting them vulnerable to attacks that target visitors with malicious code. The Flash files are contained on a wide variety of sites operated by online casinos, news organizations, banks, and professional sports teams. They make the pages where they reside susceptible to XSS, or cross-site scripting, attacks that have the potential to inject malicious code and content into a visitor's browser and in some cases steal credentials used to authenticate user accounts. The researcher, who goes by the moniker MustLive, said the Flash files contain poorly written ActionScript used to count the number of times a banner has been clicked and typically contain the clickTAG or url parameters. Google searches here and here identified a total more than 8.3 million of them on sites hosted by the New York Giants football team, Praguepost.com and ParadaisPoker.com. Because Google results are often abbreviated, the actual number is probably higher. MustLive said websites that host the buggy content aren't automatically vulnerable to XSS exploits. Indeed, even though the pages on the official Citibank website included such content, XSS attacks that tried to exploit them failed. [...] ________________________________________ Did a friend send you this? From now on, be the first to find out! Subscribe to InfoSec News http://www.infosecnews.orgReceived on Tue Dec 22 2009 - 23:33:04 PST
This archive was generated by hypermail 2.2.0 : Tue Dec 22 2009 - 23:35:57 PST