[ISN] Serious web vuln found in 8 million Flash files

From: InfoSec News <alerts_at_private>
Date: Wed, 23 Dec 2009 01:33:04 -0600 (CST)
http://www.theregister.co.uk/2009/12/22/mass_flash_file_vulnerability/

By Dan Goodin in San Francisco
The Register
22nd December 2009 

A security researcher has identified more than 8 million Adobe Flash 
files that make the websites hosting them vulnerable to attacks that 
target visitors with malicious code.

The Flash files are contained on a wide variety of sites operated by 
online casinos, news organizations, banks, and professional sports 
teams. They make the pages where they reside susceptible to XSS, or 
cross-site scripting, attacks that have the potential to inject 
malicious code and content into a visitor's browser and in some cases 
steal credentials used to authenticate user accounts.

The researcher, who goes by the moniker MustLive, said the Flash files 
contain poorly written ActionScript used to count the number of times a 
banner has been clicked and typically contain the clickTAG or url 
parameters. Google searches here and here identified a total more than 
8.3 million of them on sites hosted by the New York Giants football 
team, Praguepost.com and ParadaisPoker.com. Because Google results are 
often abbreviated, the actual number is probably higher.

MustLive said websites that host the buggy content aren't automatically 
vulnerable to XSS exploits. Indeed, even though the pages on the 
official Citibank website included such content, XSS attacks that tried 
to exploit them failed.

[...]


________________________________________ 
Did a friend send you this? From now on, be the 
first to find out! Subscribe to InfoSec News 
http://www.infosecnews.org
Received on Tue Dec 22 2009 - 23:33:04 PST

This archive was generated by hypermail 2.2.0 : Tue Dec 22 2009 - 23:35:57 PST