Two months after Adobe Systems patched a serious flaw in its Flash development software, there are still hundreds of thousands of Web pages serving up buggy Shockwave Flash (.swf) files that could be exploited by hackers, according to a Google researcher.

Google Security Engineer Rich Cannings discovered the widespread vulnerability in his spare time while researching a book on Web security. It turned out that many Flash development tools created files that could be used by hackers in what's known as a cross-site scripting attack. This attack can be used in phishing, but it also gives the bad guys a nearly undetectable route into a victim's bank account or almost any type of Web service.

Cannings estimates that more than 10,000 Web sites are still affected by the issue.

Cannings first noticed the bug on Google's Web site and tracked down the Google employee responsible for the flaw: a sales representative who had been using Dreamweaver to create buggy Flash files.

The bug was in other Flash development tools too, but Adobe and others quickly patched their software after Cannings disclosed his findings. The problem is that Flash files created before the fix can still trigger the issue.

Google dealt with its old buggy files by moving all Flash animation to Web servers that used numerical IP addresses rather than the Google.com domain. This made the cross-site scripting attack impossible on the Google.com Web site. Engineers there didn't even try to repair the buggy Flash files because it's "such a pain" to fix them, Cannings said. He spoke during a talk at the CanSecWest Applied Security conference and in a follow-up interview.

But for many companies, moving Flash animation to a different domain may not be an option. They are faced with rewriting their Flash files -- an expensive job that is often outsourced to contractors by companies' sales or marketing departments.

With Web site management also frequently outsourced, it's just not practical for many companies to fix the issue the same way as Google, according to Dan Hubbard, vice president of security research with Websense, a content-filtering vendor.

But that doesn't mean that everyone is ignoring the issue. Fearing that their customer accounts could be compromised by this type of attack, banks are cleaning up vulnerable Flash files, Cannings said. "I had a few banks tell me, 'Oh my God this is a big problem.' "

The IDG News Service is a Network World affiliate.

Whitepapers

• Advancing the Economics of Networking
• Enterprise Data Center Network Reference Architecture
• Implementing HA at the Enterprise Data Center Edge to Connect to a Large Number of Branch Offices
• File Integrity Monitoring: Secure Your Virtual and Physical IT Environments
• Boost Productivity While Cutting Costs with Next-generation Collaboration
• Deploying Virtualized NetWare on Linux Whitepaper

View more SECURITY whitepapers

Webcasts

• PoE Plus: Impact on the PoE Market
• Creating a high performance workplace with wireless networking
• Harnessing the power of communications to increase workplace performance
• Making data centers the IT strategic focus
• Protecting assets and employees with IP Video Surveillance
• Stay out of the headlines: Detecting and preventing network intrusions

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• IP address management in 2008 - six things to know
• The self-managed network

View more SECURITY special reports