Details of security holes in Flash applets
It is reported that the tools involved include Adobe Dreamweaver, Adobe Acrobat Connect (formerly Macromedia Breeze), InfoSoft FusionCharts and Techsmith Camtasia. The SWF files generated by these tools are said to be on a great many Web sites. At a guess, several hundred thousand Flash applets could have this problem, a not insignificant percentage of them being large and popular, among them government and online banking Web sites.
The problem is not limited to the tools listed, however: according to the report, these are only the products in which the error has already been corrected by their manufacturers with an update. Also said to be affected are service providers, such as Autodemo, that develop Flash applications for clients and are obviously using a vulnerable tool for the purpose.
An error in InfoSoft's FusionCharts even enabled further SWF files to be loaded from other domains over the following link.
The updated version of Adobe Flash Player that appeared in December prevents attackers from exploiting the error via the asfunction protocol handler, at least in the case of Adobe products. The author of the vulnerability report recommends that Webmasters remove the vulnerable Flash applets from their sites and recreate them from scratch with corrected versions of their authoring tools. User-defined variables passed to ActionScript should moreover be checked more thoroughly wherever they are used in URL functions. Developers can also test the security of their Flash applications with the tool SWFIntruder.
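The stricter check on user-supplied URL values recommended above could look like the following. This is an added example, not code from the report or from any vendor; the function name `checkUrlParam`, the page origin and the host names are hypothetical. It covers both cases the article mentions: script-type protocol handlers such as asfunction, and resources loaded from other domains.

```javascript
// Added example: validate a user-supplied value before it is handed to a
// URL-loading function in a Flash applet or its embedding page.
// All names and hosts here are hypothetical placeholders.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function checkUrlParam(raw, pageOrigin, allowedHosts = []) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "empty-or-too-long" };
  }
  // Whitespace, control characters and backslashes can disguise the scheme
  // or host; legitimate values should arrive percent-encoded, so refuse them.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) {
    return { ok: false, reason: "control-char-or-backslash" };
  }
  let url;
  try {
    // Resolve relative values against the page, as a browser would.
    url = new URL(raw, pageOrigin);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  // Allowlist schemes instead of blocklisting asfunction:, javascript:, data: ...
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme:" + url.protocol };
  }
  // Credentials in the authority part are a common host-confusion trick.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo" };
  }
  // Same origin, or an explicitly allowlisted host over HTTPS only.
  const sameOrigin = url.origin === new URL(pageOrigin).origin;
  const listedHost =
    url.protocol === "https:" && allowedHosts.includes(url.hostname);
  if (!sameOrigin && !listedHost) {
    return { ok: false, reason: "foreign-host:" + url.hostname };
  }
  return { ok: true, url: url.href };
}

// Constructed sample inputs, checked against a hypothetical page origin.
const ORIGIN = "https://www.example.com/";
for (const v of ["/charts/data.xml", "asfunction:someFunction,arg",
                 "JaVaScRiPt:void(0)", "//cdn.example.net/a.swf"]) {
  console.log(v, "->", JSON.stringify(checkUrlParam(v, ORIGIN)));
}
```

Only the normalised `url` value returned on success should be passed on; the raw parameter is discarded.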
- XSS Vulnerabilities in Common Shockwave Flash Files, report by Rich Cannings
- Cross-Site Scripting: Data theft on the rebound, background article at heise Security
- Password stealing for dummies, background article at heise Security