Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flash Vulnerability Found, Adobe Says No Fix Forthcoming

Posted by timothy on from the more-from-the-slums-of-the-internet dept.

An anonymous reader writes "Security researchers at Foreground Security have found an issue with Adobe Flash. Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems. Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be."

2 of 355 comments (clear)

  1. Re:Client or server? by TheRaven64 · · Score: 4, Interesting

    From what I understood skimming TFA, it's a cross-site scripting vulnerability, meaning the client's account on the server is vulnerable. I upload EvilFlash.swf to some site that allows downloads. Then I send you a link to this file. Your browser opens the .swf and runs it with the plugin. Unfortunately for you, the plug in runs it in the hosting site's domain, so it can access anything that you can access on the download site. If the site is something like PutYourFaceInTheBook.com then it will be able to access everything in your account and even modify everything there. It could then send links to everyone else on your friends list and if they click on them then the same thing happens.

    The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key (or run them but don't allow them to access any external resources).

    --
    I am TheRaven on Soylent News
  2. Re:What the... by Tacvek · · Score: 4, Interesting

    He said don't allow uploads to trusted domains. If you want users to upload, they should be uploading to a separate domain. For example my-social-networking-site.com should host uploaded files at MSNS-files.com, or something like that. Being able to execute scripts in the context of MSNS-files.com would be worthless, while executing in the context of my-social-networking-site.com is very valuable.

    --
    Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524