Estimated 10,000 websites still contain buggy Flash Player files

By Janine de Blois

Google Security Engineer Rich Cannings discovered the widespread vulnerability in websites that are using buggy Shockwave Flash (.swf). An estimated 10,000 sites with hundreds of thousands or web pages still affected after the patch was released by Adobe two months ago. The bug could allow plishing attacks, or worse it could provide nearly undetectable access to nearly any web service including the bank account of a victim.

Canning’s first discovered the flaw on Googles web site, where engineers did not even try to fix the flawed files because, “it’s such a pain” to fix them. Instead Google moved all Flash animation to Web servers that used numerical Internet Protocol addresses rather than the Google.com domain. This makes the cross-scripting attack impossible. For many companies this kind of fix is not an option and they are facing an expensive rewrite of their Flash files. “With Web site management also frequently outsourced, it’s just not practical for many companies to fix the issue the same way as Google,” said Dan Hubbard, vice president of security research with Websense.

Banks and websites  that contain sensitive customer information appear to be cleaning up the problem files, but Cannings believes Adobe is the only one who can really solve the widespread problem. Changes could be made to the Adobe Flash Player software that would make these cross-scripting attacks impossible. “I think Adobe should step up and fix it.”

Adobe spokesman Matt Rozen said this fix is being developed and will be available “soon.” Security experts say Adobe’s challenge now is to fix this bug while still enabling user’s to view older Flash files.