Google: Web sites slow to fix serious Flash flaws

Two months after Adobe Systems patched a serious flaw in its Flash development software, there are still hundreds of thousands of Web pages serving up buggy Shockwave Flash (.swf) files that could be exploited by hackers, according to a Google researcher.

Google security engineer Rich Cannings discovered the widespread vulnerability in his spare time while researching a book on Web security. It turned out that many Flash development tools created files that could be used by hackers in what's known as a cross-site scripting attack. This attack can be used in phishing, but it also gives the bad guys a nearly undetectable route into a victim's bank account or almost any type of Web service.

Cannings estimates that more than 10,000 Web sites are still affected by the issue.

Cannings first noticed the bug on Google's Web site and tracked down the Google employee responsible for the flaw: a sales representative who had been using Dreamweaver to create buggy Flash files.

The bug was in other Flash development tools too, but Adobe and others quickly patched their software after Cannings disclosed his findings. The problem is that Flash files created before the fix can still trigger the issue.

Google dealt with its old buggy files by moving all Flash animation to Web servers that used numerical IP addresses rather than the Google.com domain. This made the cross-site scripting attack impossible on the Google.com Web site. Engineers there didn't even try to repair the buggy Flash files because it's "such a pain" to fix them, Cannings said. He spoke during a talk at the CanSecWest security conference and in a follow-up interview.

But for many companies, moving Flash animation to a different domain may not be an option. They are faced with rewriting their Flash files -- an expensive job that is often outsourced to contractors by companies' sales or marketing departments.

With Web site management also frequently outsourced, it's just not practical for many companies to fix the issue the same way as Google, according to Dan Hubbard, vice president of security research with Websense, a content-filtering vendor.

But that doesn't mean that everyone is ignoring the issue. Fearing that their customer accounts could be compromised by this type of attack, banks are cleaning up vulnerable Flash files, Cannings said. "I had a few banks tell me, 'Oh my God this is a big problem.'"

Hackers are not exploiting cross-site scripting bugs in a widespread way right now. In fact, Cannings believes that these flaws have been overhyped in recent months. For Web sites like Google that contain sensitive customer information, they are a very serious problem, but they are not as critical as, say, remote-code execution flaws that would allow unauthorized software to run on a victim's PC, he said.

Still, if the Flash issue is ever going to be addressed in a widespread fashion, it's unlikely that anyone other than Adobe could really solve it, Cannings said. Although it would be a massive technical challenge, changes could be made to Adobe Flash Player software that would make these cross-site scripting attacks impossible, Cannings said.

"I think Adobe should step up and fix it," he said.