Warning - unpatched security loopholes in Flash applets
Security experts from Google are warning of dangerous security loopholes in Flash applets. They say that, as part of a joint investigation with staff of the security firm iSEC, they discovered that more than 500,000 Flash files on public Web sites are wide open to certain cross-site scripting (XSS) attacks. The researchers say that even the latest security update of Adobe's Flash Player gives no protection against the dangers that have been discovered. They have found Flash files of this kind on government and online banking Web sites, among others.
The group is publishing details in its book "Hacking Exposed Web 2.0", which will come out in the USA in January 2008. According to the British IT news service The Register, this alarming news has already been circulating around company security departments for some time. Adobe is said to have been informed about the results of the research back in summer 2007.
The authors say that security patches for the Flash client cannot solve the problems: the harmful code is already generated when the applets are created by many popular Flash tools, including DreamWeaver, Breeze and Camtasia. When an SWF file is executed via a manipulated link carrying certain variables, the loophole makes it possible, for example, for cookies to be read out or login data to be spied on.