|Web Developers, Fix your Insecure Flash|
| 1:52 pm on Mar 30, 2008 (gmt 0)|
|Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears (...) Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. |
The researchers from Google found that, despite the fact that the vulnerabilities were published in December 2007, none of the websites checked had updated their Flash files created with the vulnerable software.
|Adobe plans to release a new version of its Flash Player in early April that will prevent attackers from exploiting the issues and, likely, break much of the Flash content on Web sites that are unprepared for the changeover. The makers of major authoring tools have also closed the security holes in the Flash files created by their tools. |
The details of the research can be found here:
XSS Vulnerabilities in Common Shockwave Flash Files [docs.google.com]
Adobe's advice for republishing your SWF files can be found here:
Update to Dreamweaver and Contribute to address potential cross-site scripting vulnerabilities [adobe.com]
Is your Flash making your site vulnerable?
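Before any of the affected files can be republished they have to be found. The script below is an added example (not code from this thread, from Google, or from Adobe) that walks a web root, parses the 8-byte SWF header (3-byte signature `FWS`/`CWS`/`ZWS`, 1-byte version, little-endian uncompressed length), decompresses zlib-packed bodies, and lists every SWF with its version and compression so that the ones generated by older tools can be picked out and republished. The sample SWF byte strings are constructed inline and are not real files; the `min_version` cutoff used to flag files is an assumption left to the operator, since the SWF version alone does not prove a file was rebuilt with a fixed tool.

```python
"""Inventory the SWF files under a web root so that files produced by older
authoring tools can be located and republished. Added example, not code from
the thread; the sample SWF bytes are constructed here, not real files."""
import os
import struct
import zlib

# SWF signature -> compression of the body that follows the 8-byte header.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes) -> dict:
    """Parse the 8-byte SWF header: 3-byte signature, 1-byte version,
    and a little-endian uint32 giving the *uncompressed* file length."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    signature = bytes(data[:3])
    if signature not in SWF_SIGNATURES:
        raise ValueError("not a SWF file (bad signature %r)" % signature)
    version = data[3]
    length = struct.unpack("<I", data[4:8])[0]
    return {"compression": SWF_SIGNATURES[signature],
            "version": version,
            "uncompressed_length": length}


def swf_body(data: bytes) -> bytes:
    """Return the body after the header, inflating CWS files.
    LZMA-compressed ZWS files are not handled in this example."""
    header = parse_swf_header(data)
    if header["compression"] == "none":
        body = bytes(data[8:])
    elif header["compression"] == "zlib":
        body = zlib.decompress(bytes(data[8:]))
    else:
        raise ValueError("ZWS (LZMA) bodies are not handled by this example")
    expected = header["uncompressed_length"] - 8
    if len(body) != expected:
        raise ValueError("length field says %d body bytes, got %d"
                         % (expected, len(body)))
    return body


def build_sample_swf(version: int, body: bytes, compress: bool) -> bytes:
    """Construct a minimal SWF-shaped byte string for demonstration only."""
    length = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + bytes([version]) + length + zlib.compress(body)
    return b"FWS" + bytes([version]) + length + body


def inventory(files: dict, min_version: int) -> list:
    """files maps a path to its bytes. Every SWF is listed; those whose
    version is below min_version are flagged for republishing review.
    The cutoff is an assumption chosen by the operator, e.g. from the
    authoring tool vendor's notes on which releases closed the hole."""
    report = []
    for path, data in sorted(files.items()):
        try:
            header = parse_swf_header(data)
            swf_body(data)  # also catches truncated or corrupt bodies
            status = "review" if header["version"] < min_version else "ok"
        except (ValueError, zlib.error) as exc:
            header = {"compression": "?", "version": None}
            status = "corrupt: %s" % exc
        report.append({"path": path, "version": header["version"],
                       "compression": header["compression"], "status": status})
    return report


def inventory_directory(root: str, min_version: int) -> list:
    """Read every *.swf under root and run inventory() over it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".swf"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[path] = fh.read()
    return inventory(files, min_version)


if __name__ == "__main__":
    # Constructed samples: an old uncompressed file, a newer zlib-packed
    # file, and a file whose compressed body is garbage.
    samples = {
        "site/old/player.swf": build_sample_swf(6, b"\x00" * 40, compress=False),
        "site/new/player.swf": build_sample_swf(9, b"\x00" * 40, compress=True),
        "site/broken.swf": b"CWS\x09\x30\x00\x00\x00garbage",
    }
    for row in inventory(samples, min_version=8):
        print(row)
```

Run `inventory_directory("/var/www", min_version=8)` against a real document root to get the same report for deployed files; the "review" rows are the ones to compare against the authoring tool that produced them and republish with a fixed release, and the "corrupt" rows are files that will not load in any player and can simply be removed.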
| 5:04 pm on Mar 30, 2008 (gmt 0)|
Google Code offers a download of SWF Intruder, an application for testing the security of Flash files:
I've got a whole pile of insecure Flash generated with older versions of Camtasia - what a PITA. Thanks for bringing up this issue, encyclo!
| 10:18 pm on Mar 30, 2008 (gmt 0)|
Please note that the list of authoring tools does not include Flash. From the Google Docs document:
|Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe® Dreamweaver®, Adobe Contribute®, Adobe Acrobat® Connect™ (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS). |
This problem is not limited to authoring tools. [beep], a popular service provider, used a vulnerable controller SWF in many of their projects.
It seems that if you used Flash to create your .swf files, you're safe.
| 8:32 pm on Mar 31, 2008 (gmt 0)|
Yes, thanks guys. SWF Intruder = very useful.