Vulnerable Flash files, which facilitate cross-site scripting attacks, still affect hundreds of thousands of websites today. Adobe's own Web page has been recently found vulnerable, even though this flaw was discovered and reported back in December 2007.
Dimitris Pagkalos, co-founder of the XSSed project, warns that a bug in certain SWF files still puts websites at risk after more than a year from its discovery. The vulnerable Flash files "can be exploited by malicious people to conduct convincing phishing and XSS attacks. In most cases, cookie hijacking is possible. Unsuspecting users can be redirected from trustworthy SSL and non-SSL sites to malware, adware and spyware sites," he writes.
It all started back in December 2007, when security researchers warned of a potentially dangerous misuse of the clickTAG parameter, which is used to pass click-through URLs to SWF files generally employed to display advertisements. Experts explained at the time that, possibly, millions of such vulnerable files that failed to properly validate the URL before executing the getURL(clickTAG) function would have to be re-created.
Researchers remained skeptical that such a massive-scale patching effort would ever occur, and they were right: even Adobe fell short of checking all of the Flash files on its website. A user going by the online handle Hexspirit recently documented two proof-of-concept XSS attacks on Adobe.com that leverage such a vulnerable file.
Additionally, Hexspirit has identified the same problem on the websites of the Greek Marfin Egnatia Bank and the online electronics retailer Plaisio.gr. In all three cases, buggy Flash advertising banners allow attackers to steal session cookies (files used to authenticate users) or redirect visitors to malicious URLs.
A special search query in Google revealed around 150,000 pages hosting SWF files potentially vulnerable to such attacks, but Dimitris Pagkalos maintains that, "In fact, there are hundreds of thousands more," which are not indexed by the search engine.
Adobe says that webmasters should make sure clickTAG begins with http: before executing getURL(clickTAG), by adding an if (clickTAG.substr(0,5) == "http:") condition. That check alone still permits redirects to any http: site, however: "In order to avoid redirects to third-party sites hosting malicious scripts, it is better to ensure that it begins with http(s)://www.yourdomain.com," Pagkalos notes.
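The following is an added example, not code from the article, from Adobe, or from XSSed. It puts the two checks described above side by side: the scheme-only test Adobe's advisory suggests (clickTAG.substr(0,5) == "http:") and the stricter own-domain check Pagkalos recommends, implemented here by parsing the URL and comparing its hostname against an allowlist rather than comparing a string prefix. The allowed hosts and the sample clickTAG values are constructed placeholders, and the functions are written in JavaScript for illustration rather than in the ActionScript a real SWF banner would use.

```javascript
// Added example (not from the article): validating a click-through URL such as
// the clickTAG value an advertising SWF receives, before redirecting to it.

// Weak check, as described in the article: only tests that the string begins
// with "http:". Any third-party http: URL passes, so it blocks script URLs but
// not open redirects. Note it also rejects https: URLs, since "https".substr(0,5)
// is "https", not "http:".
function schemeOnlyCheck(clickTag) {
  return typeof clickTag === "string" && clickTag.substr(0, 5) === "http:";
}

// Stricter check: parse the URL, require http or https, and require the parsed
// hostname to be on an allowlist of the site's own hosts (assumed list).
// Comparing the parsed hostname exactly avoids the ambiguity of matching a
// string prefix against the raw value.
function allowlistCheck(clickTag, allowedHosts) {
  if (typeof clickTag !== "string") return false;
  let parsed;
  try {
    parsed = new URL(clickTag); // throws on relative or malformed values
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  return allowedHosts.includes(parsed.hostname.toLowerCase());
}

// Navigation helper: only calls the supplied navigate() callback (stand-in for
// getURL) when the allowlist check passes. Returns whether navigation happened.
function safeRedirect(clickTag, allowedHosts, navigate) {
  if (!allowlistCheck(clickTag, allowedHosts)) return false;
  navigate(clickTag);
  return true;
}

// Constructed sample inputs (placeholders, not values from the article).
const ALLOWED_HOSTS = ["www.example.com", "example.com"];
const SAMPLES = [
  "http://www.example.com/landing?campaign=1", // own site: both checks pass
  "https://www.example.com/landing",           // own site over TLS: scheme-only check fails
  "http://third-party.example/landing",        // other site: scheme-only passes, allowlist rejects
  "javascript:void(0)",                        // script URL: both reject
  "/relative/path",                            // relative path: both reject
];

// Runs both checks over the samples and returns the results for inspection.
function evaluateSamples() {
  return SAMPLES.map((url) => ({
    url,
    schemeOnly: schemeOnlyCheck(url),
    allowlist: allowlistCheck(url, ALLOWED_HOSTS),
  }));
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```

Run it with Node to see which sample values each check lets through; the third sample is the case the article is about, where the scheme-only test accepts a redirect to an unrelated site that the allowlist check refuses.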