Author Topic: Serious Flash vulns menace tens of thousands websites  (Read 10037 times)


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Serious Flash vulns menace tens of thousands websites
« on: December 22, 2007, 01:13:11 AM »
Quote
Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors.

The security bugs reside in Flash applets, the ubiquitous building blocks for movies and graphics that animate sites across the web. Also known as SWF files, they are vulnerable to attacks in which malicious strings are injected into the legitimate code through a technique known as cross-site scripting, or XSS. Currently there are no patches for the vulnerabilities, which are found in sites operated by financial institutions, government agencies and other organizations.

Quote
Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

"There are definitely lots of people who are vulnerable," Stamos said. "Tens of thousands is very conservative. Realistically, it's probably in the hundreds (of thousands)."

http://www.theregister.co.uk/2007/12/21/flash_vulnerability_menace/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89431
  • No support PMs thanks
Re: Serious Flash vulns menace tens of thousands websites
« Reply #1 on: December 22, 2007, 01:21:46 AM »
Firefox and NoScript would be a start as NoScript has XSS protection also built in.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.7.6124 (build 24.7.9311.855) UI 1.0.811/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Serious Flash vulns menace tens of thousands websites
« Reply #2 on: December 22, 2007, 08:51:21 AM »
As the sites affected will be trusted sites (banks etc.), will the XSS protection still apply if the user has allowed scripts?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

galooma

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #3 on: December 22, 2007, 09:42:52 AM »
Further on that note, could the bank or anyone for that matter be sued for compensation if they allowed content to run that was malicious?

micky77

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #4 on: December 22, 2007, 11:46:53 AM »
How does someone plant a malicious link on an official bank website?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Serious Flash vulns menace tens of thousands websites
« Reply #5 on: December 22, 2007, 12:55:04 PM »
As I read it, the malicious link will not be on the bank website. (Probably in a spam email?)

The phishing page visited will display the Flash marketing graphics from the bank but with malicious code injected which is able to steal user information from the bank site.

As far as I can see, there's no danger from visiting the page with the vulnerable Flash content itself, but I stand to be corrected.

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

micky77

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #6 on: December 22, 2007, 01:16:56 PM »
Quote from: FreewheelinFrank
As I read it, the malicious link will not be on the bank website. (Probably in a spam email?)

The phishing page visited will display the Flash marketing graphics from the bank but with malicious code injected which is able to steal user information from the bank site.

As far as I can see, there's no danger from visiting the page with the vulnerable Flash content itself, but I stand to be corrected.

Thanks FreewheelinFrank, that makes a lot more sense to me.

Lusher

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #7 on: December 22, 2007, 01:19:00 PM »
Not really on point but is it me or am I updating Flash, Shockwave, Java, Firefox, IE, Opera, Real, QuickTime etc. almost daily for vulnerabilities? This is getting old...

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: Serious Flash vulns menace tens of thousands websites
« Reply #8 on: December 22, 2007, 01:21:17 PM »
Quote from: Lusher
Not really on point but is it me or am I updating Flash, Shockwave, Java, Firefox, IE, Opera, Real, QuickTime etc. almost daily for vulnerabilities? This is getting old...

yeah it gets old, but you have to keep your software up-to-date to be secure
"People who are really serious about software should make their own hardware." - Alan Kay

Lusher

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #9 on: December 22, 2007, 01:32:43 PM »
Quote from: .: Mac :.
Quote from: Lusher
Not really on point but is it me or am I updating Flash, Shockwave, Java, Firefox, IE, Opera, Real, QuickTime etc. almost daily for vulnerabilities? This is getting old...
yeah it gets old, but you have to keep your software up-to-date to be secure

Well thanks for that little bit of wisdom. Personally I was just updating for the fun of it, until you told me the REAL reason why I was doing it.

micky77

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #10 on: December 22, 2007, 02:03:58 PM »
Subtle as a brick, as usual, Lusher.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89431
  • No support PMs thanks
Re: Serious Flash vulns menace tens of thousands websites
« Reply #11 on: December 22, 2007, 02:48:07 PM »
Quote from: FreewheelinFrank
As the sites affected will be trusted sites (banks etc.), will the XSS protection still apply if the user has allowed scripts?

I don't know exactly, the way I see it (and I could be wrong) even if you have allowed scripts for a trusted site the XSS continues to function. But that would really have to be confirmed by NoScript.

Quote from: FreewheelinFrank
As I read it, the malicious link will not be on the bank website. (Probably in a spam email?)

The phishing page visited will display the Flash marketing graphics from the bank but with malicious code injected which is able to steal user information from the bank site.

As far as I can see, there's no danger from visiting the page with the vulnerable Flash content itself, but I stand to be corrected.

This is probably more to the point of security, practising safe hex, don't go clicking links to sites in unsolicited emails. I would like to hope most people are now aware that banks don't send out emails asking for you to update your security details, etc. etc. I get lots of emails purporting to be from my bank when one I don't have an account (in America, etc.) with them and nor do they have my email.

But in any case even if it were a legit email from your bank, it is still unsolicited, you weren't expecting it and should be treated with caution. If I want to connect to my bank on-line, I either type in the URL myself or use a bookmark, never the link in an email. I also check the underlying URL not just the one that is displayed. I also filter my email with MailWasher before it gets to my inbox and this is where virtually all phishing emails die along with my spam.

So Yes there will be a new exploit along any time now so yes we need to keep software up to date but at the same time not to forget common sense and safe hex.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.7.6124 (build 24.7.9311.855) UI 1.0.811/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lusher

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #12 on: December 22, 2007, 05:19:16 PM »
Back on topic. Seems to me that the lesson here is to separate your activities between "normal" browsing and sensitive browsing.

Things you could do before visiting e-commercial sites

1) Clear your browser cache, turn off caching of Flash, clear Java cache etc., *restart* your browser then visit online bank site *only*

2) Use one browser (say Firefox) for normal browsing, use another (say IE) for sensitive stuff only.

3) Use different Windows user profiles for online banking

4) Use known "safe states" when online banking (Returnil, Deep Freeze, etc.)

5) Use VM. E.g. browse normally using VM, and use normal machine for online banking

In roughly increasing order of separation...

micky77

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #13 on: December 22, 2007, 06:44:09 PM »
Quote from: Lusher
Back on topic. Seems to me that the lesson here is to separate your activities between "normal" browsing and sensitive browsing.

Things you could do before visiting e-commercial sites

1) Clear your browser cache, turn off caching of Flash, clear Java cache etc., *restart* your browser then visit online bank site *only*

2) Use one browser (say Firefox) for normal browsing, use another (say IE) for sensitive stuff only.

3) Use different Windows user profiles for online banking

4) Use known "safe states" when online banking (Returnil, Deep Freeze, etc.)

5) Use VM. E.g. browse normally using VM, and use normal machine for online banking

In roughly increasing order of separation...

Or, alternatively, get a life ;D

Lusher

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #14 on: December 22, 2007, 08:44:09 PM »
Quote from: micky77
Quote from: Lusher
Back on topic. Seems to me that the lesson here is to separate your activities between "normal" browsing and sensitive browsing.

Things you could do before visiting e-commercial sites

1) Clear your browser cache, turn off caching of Flash, clear Java cache etc., *restart* your browser then visit online bank site *only*

2) Use one browser (say Firefox) for normal browsing, use another (say IE) for sensitive stuff only.

3) Use different Windows user profiles for online banking

4) Use known "safe states" when online banking (Returnil, Deep Freeze, etc.)

5) Use VM. E.g. browse normally using VM, and use normal machine for online banking

In roughly increasing order of separation...
Or, alternatively, get a life ;D

I'm not the one who started this thread... :D