The Inquirer-Home

Another bad Flash flaw is revealed

It never gets better
Fri Nov 13 2009, 11:36

ADOBE has been having a few problems with its Flash player lately and now Foreground Security has found something else for it to be worried about.

Senior Researcher Mike Bailey has found a way to attack the way that browsers handle Adobe Flash objects.

This vulnerability exploits the same-origin policy of Adobe Flash so that nearly any site that allows user-generated content can be attacked.

Almost everyone using the Internet is vulnerable to a website that allows content to be updated inappropriately, he said.

Bailey added that Flash only allowed a script to access content from the same domain as the origin HTML page that executes it. As a policy this is all fine and dandy. It means that everything looks the same when you switch from JavaScript to ActionScript. Developers tend to treat Flash as the same as ActionScript and this is what causes the problem.

But the important difference between Flash and ActionScript is that Flash objects are not web pages and do not need to be injected into a web page to execute. Loading the content is enough.

This means that if a hacker can get a Flash object onto your server, they can execute scripts in the context of your domain and use it to attack the server, Bailey said. µ
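An added example, not from the article or from Foreground Security: a server-side upload screen that inspects the leading bytes for a SWF header instead of trusting the file name or declared content type, and routes anything Flash-like away from the site's own domain. The policy names (`reject`, `isolate`, `accept`) and the sample uploads are constructed assumptions.

```python
import struct

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length.
# FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
FLASH_TYPES = {"application/x-shockwave-flash"}


def looks_like_swf(data: bytes) -> bool:
    """True if the leading bytes form a plausible SWF header."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return False
    (declared_len,) = struct.unpack_from("<I", data, 4)
    # The declared length counts the 8-byte header itself.
    return declared_len >= 8


def screen_upload(filename: str, declared_type: str, data: bytes):
    """Return (action, reason) for one user upload.

    Policy names are hypothetical: 'reject', 'isolate' (serve only from a
    separate user-content domain), or 'accept'.
    """
    is_swf = looks_like_swf(data)
    claims_flash = (filename.lower().endswith(".swf")
                    or declared_type.lower() in FLASH_TYPES)
    if is_swf and not claims_flash:
        return ("reject", "SWF header behind a non-Flash name or type")
    if is_swf or claims_flash:
        return ("isolate", "Flash content must not share the site's domain")
    return ("accept", "no SWF header found")


# Constructed sample uploads (not real files).
SAMPLES = [
    ("avatar.jpg", "image/jpeg",
     b"CWS\x09" + struct.pack("<I", 4096) + b"\x78\x9c"),
    ("banner.swf", "application/x-shockwave-flash",
     b"FWS\x0a" + struct.pack("<I", 2048) + b"\x00" * 16),
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("notes.txt", "text/plain", b"FWS"),  # too short to be a SWF header
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, screen_upload(name, ctype, body))
```

The check looks only at the first eight bytes, so it is a screen for uploads that present themselves as something other than Flash, not a full SWF parser.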

 


Comments
@Ban Flash

"We do not need the resource hogging crap on the web." Is that the Royal "We"? Some of us would like the choice of whether we have the resource hogging crap on the bits of the web we visit.

posted by : EMComments, 17 November 2009
Ban Flash

Flash is nothing but a bloated advertisement platform. We do not need the resource hogging crap on the web.

posted by : Regulas, 14 November 2009
Well Thank God

for Firefox and NoScript, which blocks Flash as well!

posted by : Pascal Monett, 13 November 2009
??

"if a hacker can get a Flash object onto your server"

Doesn't that mean your server is hacked already? Or if your server allows users to upload content like this, they shouldn't have an open run anything policy file?

Just wondering if this is actually a Flash security hole or if it is bad site management?

Maybe both?

Part of the issue is that flash for media is great, but I have no choices to say that's all I want to use it for.

posted by : ANdrew, 13 November 2009
It would seem to me...

"This means that if a hacker can get a Flash object onto your server, they can execute scripts in the context of your domain and use it to attack the server, Bailey said"

It would seem to me that if they can get files into your server you've got bigger problems on your hands than just simple script execution...

posted by : ThePooBurner, 13 November 2009