xbiz world
xbiz premiere

Flash Bug Prompts Calls for Code Rewriting

LOS ANGELES – According to Google, hundreds of thousands of vulnerable Flash files are currently on the Internet, including files found at a large number of major websites.

The danger stems from a Cross-Site Scripting (XSS) exploit of Shockwave Flash (SWF) files generated by most of the programs that create Flash applets that allows attackers to access data on targeted websites; such as usernames and passwords, or even performing unauthorized online banking transactions.

The problem may be particularly acute for adult website operators, who have increasingly made use of Flash technology in advertisements and video files and often rely on Adobe's popular DreamWeaver software for website development – one of the tools that generate the vulnerable files.

"If a web application is vulnerable to XSS, and an attacker lures a user of the vulnerable web application to click on a link, then the attacker gains complete control of the user's session in the web application," Google's Rich Cannings wrote. "The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the website appears to the user (for example, perform a phishing attack)."

While security experts have warned of additional vulnerabilities, the XSS exploit was made public after companies such as Adobe updated their software to eliminate the bug.

Now, experts are recommending that all existing Flash files be removed from websites until they can be regenerated with the newest versions of these tools to address the issue.

Cannings also recommends that SWF files be served from numbered IP addresses or from separate domains from the site that features the Flash files.

"If there's an issue on a bank, the impact of an XSS is pretty large," Cannings said. "In other words, it's a huge amount of work, but well worth it for trusted sites that want to remain that way."

Expanding on the causes of the vulnerability, Cannings reported that DreamWeaver's "skinName" parameter can be used to load URLs containing the "asfunction" handler; while Adobe Acrobat Connect makes files that do not validate the "baseurl" parameter, which can allow malicious scripts to be injected into targeted websites.

The complete report can be read here.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More News

Trump Attempts to Distance Campaign From Porn-Criminalizing 'Project 2025'

Presumptive Republican presidential nominee Donald Trump issued a post on his social media platform Truth Social on Friday attempting to distance himself from the conservative initiative Project 2025, which prominently includes a call to criminalize the production and distribution of pornography.

YouPay Releases Results of 2024 Spring Creator Survey

Gifting platform YouPay has released the results of its 2024 Spring Creator Survey, highlighting the key activities and needs of creators who use gifting as an engagement approach with their fans.

Aylo Willing to Work With Australia's Online Censor on Device-Based AV Solutions

The office of Australia’s top online censor, unelected eSafety Commissioner Julie Inman Grant, has released a new roadmap for implementing age verification in accordance with the country’s Online Safety Act.

Spain's Technology Minister Unveils Soon-to-be-Mandatory Age Verification App

Spain’s anti-sex-work and anti-porn Socialist Party (PSOE) government, led by Prime Minister Pedro Sánchez, has unveiled a new age verification app that will become mandatory for accessing adult content in the country starting in September.

FSC Drops Opposition to California Age Verification Bill After Amendments

Free Speech Coalition (FSC) has dropped its formal opposition to California’s age verification bill AB 3080, after an amendment secured through months of discussions with the bill’s author was heard by the Senate Judiciary Committee.

SCOTUS Agrees to Hear Texas Age Verification Challenge

The United States Supreme Court granted on Tuesday the petition for a writ of certiorari in the Free Speech Coalition-led challenge to Texas’ age verification law, agreeing to hear the case in the next term.

Dorcel Group Acquires LifeSelector

Dorcel Group has acquired interactive content company LifeSelector.

Etsy Updates Policy to Ban Sale of Most Adult Pleasure Products, Content

Etsy will ban sales of most pleasure products and content that depicts sex acts and genitalia starting July 29.

Jamie Page Is LoyalFans' 'Featured Creator' for July

LoyalFans has named Jamie Page as its Featured Creator for July.

Byborg's Le Shaw Research Institute Teams Up With SWOP Behind Bars

LiveJasmin parent company Byborg Enterprises’ Le Shaw International Sexual Health and Wellness Research Institute has joined forces with U.S.-based sex worker advocacy group SWOP Behind Bars.

Show More