Programming Errors Exacerbate Flash Flaws

Adobe Flash is one of the most popular applications used by hackers to infect individual machines with all types of malware. eSecurity Planet takes a closer look at why one security researcher is concerned the application will also be used to attack Web sites and Web browsers in the future.

Adobe’s Flash technology has been the target of security researchers for several years, though often it’s the Flash Player that gets the bulk of the attention. Mike Bailey, a senior security analyst with Foreground Security, is now turning the focus to how common programming bugs can enable Flash objects to attack Web sites.

Bailey is discussing his research in a talk titled, “Neat, New, and Ridiculous Flash Hacks” at the Black Hat D.C. security conference ongoing this week. His talk follows a fix already made by Twitter earlier this month to protect against one of the attack vectors he’s talking about.

Bailey told InternetNews.com that his research is focused on how Flash can be leveraged against a Web site, a user, or a Web browser.

“This is different from the other Flash research that has already been done to attack the Flash Player and use it to comprise a user’s computer,” Bailey said. “Very little research has been done on how the Flash Player and application interacts with Web sites and the Web browser.”

Most of the attacks that Bailey describes are similar to Cross-Site Scripting (XSS) in that they will enable an attacker to hijack browsers, Web sites and steal session cookies. He added that in his view, prior research has been looking for buffer overflows in a JavaScript parser but completely ignoring XSS as an attack vector.

eSecurity Planet

Read the full story at eSecurity Planet:


Flash Is at Risk But It’s Not All Adobe’s Fault