With thousands of sites affected, Adobe to patch Flash bug

Adobe is working on an update to its Flash Player software that will address a widespread vulnerability found on hundreds of thousands of Web sites.

The issue, first reported in December by Google researcher Rich Cannings, allows attackers to use buggy Shockwave Flash (.swf) files in order to attack Web surfers. Using what is known as a cross-site scripting attack, criminals could create fake phishing pages or, much worse, gain access to online banking sessions or Web accounts of victims in some situations.

After Cannings went public with his findings, Adobe and other software vendors fixed their development tools so they would no longer create the vulnerable Flash files, but there are still more than 500,000 of these files posted on different sites on the Internet, according to Cannings.

Because of the amount of work it would take to clean up the mess, Cannings had been encouraging Adobe to make changes to its Player software that would nullify these cross-site scripting attacks.

This fix is being developed and will be available "soon," said Adobe spokesman Matt Rozen in an e-mail message.

Security experts say that Adobe's chief problem now is to work out a way of fixing this bug without making it hard for users to view older Flash files.

In an interview on Friday, Cannings said that some of Adobe's early approaches to this problem had "broken" existing Flash files in the player, but that a satisfactory fix was technically possible. If Adobe could convince browser-makers to make some changes as well, it might simplify things, he added.

Three months after he went public with the problem, Cannings estimates that more than 10,000 Web sites remain vulnerable to this attack.

The IDG News Service is a Network World affiliate.