Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe® Dreamweaver®, Adobe Acrobat® Connect™ (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).
This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.
Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.
https://docs.google.com/View?docid=ajfxntc4dmsq_14dt57ssdw
The Fix
All of the measures below should be taken:
Users
Update to the latest version of Flash as soon as possible, available here (Flash does, apparently, have an auto update mechanism but I have NEVER been prompted to update, so don't assume you have the latest version). This will protect users from attacks using the "asfunction" protocol handler.
Website Owners
All vulnerabilities reported above have been fixed, so please:
- Remove vulnerable SWFs from your website
- Follow the manufacturers’ advice on republishing your SWFs:
  - Adobe - See http://www.adobe.com/support/security/bulletins/apsb07-20.html
  - Autodemo - Contact your producer or email (e-mail address removed)
  - Techsmith - Camtasia Studio users can upgrade to Camtasia Studio version 5 to obtain a version which creates SWF files that do not have this vulnerability (visit www.techsmith.com). Users who are concerned about this vulnerability can regenerate their SWF content with Camtasia Studio version 5.
  - InfoSoft - Contact support http://www.fusioncharts.com/Contact.asp
- It is likely that other authoring tools that automatically generate SWFs can be used for XSS attacks. We highly recommend that website owners serve automatically generated SWFs from numbered IP addresses or from "safe" domains (i.e. domains that contain no sensitive cookies or domains that cannot be used for phishing)
- Depending on the impact of XSS on a given website, website owners may want to even consider moving or removing all third-party generated SWFs
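Removing or relocating third-party generated SWFs starts with knowing which ones you host. The following added example (not part of the advisory or this post) walks a web root, parses each SWF's 8-byte header (FWS uncompressed, CWS zlib-compressed), and flags files whose ActionScript contains strings worth a manual review; the marker list is my own assumption and is a triage heuristic, not a verdict on exploitability.

```python
import os
import struct
import zlib

# Heuristic review markers (assumption, not from the advisory): ActionScript that
# passes a FlashVars-supplied value to getURL()/asfunction is the advisory's pattern.
SUSPECT_MARKERS = (b"asfunction", b"getURL", b"javascript:", b"_root.", b"_level0.")


def parse_swf(data: bytes) -> dict:
    """Parse the 8-byte SWF header and return version, declared length and the body."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version, length = struct.unpack("<3sBI", data[:8])
    if sig == b"FWS":                       # uncompressed body
        body = data[8:]
    elif sig == b"CWS":                     # zlib-compressed after the header
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) not handled here")
    else:
        raise ValueError("not a SWF file")
    return {"version": version, "declared_length": length, "body": body}


def suspect_markers(data: bytes) -> list:
    """Return the sorted marker strings present in the SWF body ([] = nothing to flag)."""
    body = parse_swf(data)["body"]
    return sorted(m.decode() for m in SUSPECT_MARKERS if m in body)


def inventory(web_root: str) -> list:
    """Walk a web root and pair every .swf with its markers (or a parse error)."""
    report = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(".swf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    report.append((path, suspect_markers(fh.read())))
                except ValueError as exc:
                    report.append((path, [f"unparseable: {exc}"]))
    return report


def build_sample_swf(body: bytes, compressed: bool = True) -> bytes:
    """Constructed sample: wrap bytes in a valid SWF container (not a playable movie)."""
    sig = b"CWS" if compressed else b"FWS"
    header = struct.pack("<3sBI", sig, 8, 8 + len(body))   # version 8, total length
    return header + (zlib.compress(body) if compressed else body)
```

Run `inventory("/var/www/html")` (path is an example) and review every flagged file against the vendor advice above; unparseable files are reported rather than skipped so nothing silently drops out of the list.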