- 10 ways the Chinese Internet is different
- Hacker writes rootkit for Cisco's routers
- Verizon snares $678 million federal network deal
- Cisco loses $2 million order to Nortel
- HP buys EDS for $13.9 billion
Hacker writes Cisco rootkit; Microsoft launches online telescope. Listen now!
Wireless dangers at airports. Listen now!
Virtualization technology allows companies to respond quickly to ever-changing storage capacity requirements. Learn about how HP defines virtualization technology and how it applies to the HP 's newest Enterprise Virtual Array (EVA) storage system in this new white paper.
Get the latest on storage technologies that allow IT professionals to better cope with new IT demands. Learn how storage technologies can help you successfully tackle e-Discover, regulatory compliance, green data center initiatives and the data explosion. Get all the details now.
IT professionals like the idea of consolidating hundreds of servers into only a few, but it takes a lot more to cost effectively consolidate and virtualize servers. Watch this six-chapter webcast, "Reduce Complexity and Cost - Windows Server Consolidation with Virtualization" to learn how to effectively consolidate your Windows environment. One of the themes explored includes the characteristics of an orchestrated data center, which includes: Resource management, dynamic provisioning, job management, policy management, accounting and auditing and real-time availability. Learn more about orchestration and much more today. Register below to learn more and be entered to win an Archos 605 Portable Media Player.
I'm an American, and my government-funded schools taught me that government censorship is bad! It's...- Ben
Two months after Adobe Systems patched a serious flaw in its Flash development software, there are still hundreds of thousands of Web pages serving up buggy Shockwave Flash (.swf) files that could be exploited by hackers, according to a Google researcher.
Google Security Engineer Rich Cannings discovered the widespread vulnerability in his spare time while researching a book on Web security. It turned out that many Flash development tools created files that could be used by hackers in what's known as a cross-site scripting attack. This attack can be used in phishing, but it also gives the bad guys a nearly undetectable route into a victim's bank account or almost any type of Web service.
Cannings estimates that more than 10,000 Web sites are still affected by the issue.
Cannings first noticed the bug on Google's Web site and tracked down the Google employee responsible for the flaw: a sales representative who had been using Dreamweaver to create buggy Flash files.
The bug was in other Flash development tools too, but Adobe and others quickly patched their software after Cannings disclosed his findings. The problem is that Flash files created before the fix can still trigger the issue.
Google dealt with its old buggy files by moving all Flash animation to Web servers that used numerical IP addresses rather than the Google.com domain. This made the cross-site scripting attack impossible on the Google.com Web site. Engineers there didn't even try to repair the buggy Flash files because it's "such a pain" to fix them, Cannings said. He spoke during a talk at the CanSecWest Applied Security conference and in a follow-up interview.
But for many companies, moving Flash animation to a different domain may not be an option. They are faced with rewriting their Flash files -- an expensive job that is often outsourced to contractors by companies' sales or marketing departments.
With Web site management also frequently outsourced, it's just not practical for many companies to fix the issue the same way as Google, according to Dan Hubbard, vice president of security research with Websense, a content-filtering vendor.
But that doesn't mean that everyone is ignoring the issue. Fearing that their customer accounts could be compromised by this type of attack, banks are cleaning up vulnerable Flash files, Cannings said. "I had a few banks tell me, 'Oh my God this is a big problem.' "
Hackers are not exploiting cross-site scripting bugs in a widespread way right now. In fact, Cannings believes that these flaws have been over-hyped in recent months. For Web sites like Google that contain sensitive customer information, they are a very serious problem, but they are not as critical as, say, remote-code execution flaws that would allow unauthorized software to run on a victim's PC, he said.
Still, if the Flash issue is ever going to be addressed in a widespread fashion, it's unlikely that anyone other than Adobe could really solve it, Cannings said. Although it would be a massive technical challenge, changes could be made to Adobe Flash Player software that would make these cross-site scripting attacks impossible, Cannings said.
"I think Adobe should step up and fix it," he said.
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com The Industry Standard IDG List Services |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
