Music, IT & Human Rights since 2005


Adobe Flash risks security of most sites


Flash flaw puts most sites, users at risk, say researchers

ComputerWorld reports that Adobe Flash may be used by programmers to easily upload malicious code to Internet sites.

This happens on sites that allow users to upload Flash objects such as FLV movies or avatars. Once the malicious Flash object is in the trusted domain, it can then infect other objects on the site. The site kernel can be at risk.

“The magnitude of this is huge,” said Mike Murray, the chief information security officer at Orlando, Fla.-based Foreground Security. “Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this.” ComputerWorld

Adobe says it knows about the problem but maintains that it is a user design issue, not a program issue.

One of the suggested solutions is to keep all uploads on another website, protected from the trusted domain. Most sites do not follow this, although some, like YouTube and Hotmail, do separate the upload content from their trusted domains.
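A sketch of the upload separation described above, as an added example that is not from ComputerWorld or this post: it rejects avatar uploads whose bytes are really Flash, checks that uploads are served from a host outside the trusted site, and builds conservative response headers. The origins, the allowed image types and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed origins for illustration; not taken from the article.
TRUSTED_ORIGIN = "https://www.example.com"
UPLOAD_ORIGIN = "https://uploads.example-usercontent.net"

# Leading bytes of SWF files: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
# Assumed avatar policy: declared type -> bytes the file must start with.
AVATAR_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


def is_flash(data: bytes) -> bool:
    """True if the content starts with an SWF signature, whatever its name."""
    return data[:3] in SWF_SIGNATURES


def screen_avatar(declared_type: str, data: bytes) -> tuple[bool, str]:
    """Accept an avatar only if its bytes match the declared image type."""
    if is_flash(data):
        return False, "flash content in avatar upload"
    magic = AVATAR_MAGIC.get(declared_type)
    if magic is None:
        return False, "type not allowed"
    if not data.startswith(magic):
        return False, "content does not match declared type"
    return True, "ok"


def uploads_are_isolated(trusted: str, upload: str) -> bool:
    """True if the upload host differs from, and is not nested with, the trusted host."""
    t, u = urlsplit(trusted).hostname, urlsplit(upload).hostname
    return not (u == t or u.endswith("." + t) or t.endswith("." + u))


def serving_headers(stored_type: str) -> dict[str, str]:
    """Headers for files served from the upload host."""
    return {
        "Content-Type": stored_type,            # type verified at upload time
        "X-Content-Type-Options": "nosniff",    # browser must not guess another type
        "Content-Disposition": "attachment",    # download instead of inline render
    }
```

A leading-bytes check only catches the plain case of a Flash file renamed as an image, so it complements serving uploads from a separate host and does not replace it.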

The only current defense users can employ against such attacks is to stop using Flash, or failing that, restrict its use to sites known to be safe with tools such as the NoScript add-on for Mozilla’s Firefox, or ToggleFlash for Microsoft’s Internet Explorer. ComputerWorld

“The best mitigation is to not use Flash,” argued Murray, “but we know that that’s impossible for most users, since Flash is so widely used on the Web.” ComputerWorld

Another solution is to use 64-bit IE 8. That solution will only work until Adobe ports Flash to 64-bit. Today 64-bit is not practical for everyone. Most users are still running 32-bit XP, Vista and now Windows 7.
