Serious Flash vulns menace tens of thousands of websites

Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors.

The security bugs reside in Flash applets, the ubiquitous building blocks for movies and graphics that animate sites across the web. Also known as SWF files, they are vulnerable to attacks in which malicious strings are injected into the legitimate code through a technique known as cross-site scripting, or XSS. Currently there are no patches for the vulnerabilities, which are found in sites operated by financial institutions, government agencies and other organizations.

Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

“There are definitely lots of people who are vulnerable,” Stamos said. “Tens of thousands is very conservative. Realistically, it’s probably in the hundreds (of thousands).”

http://www.theregister.co.uk/2007/12/21/flash_vulnerability_menace/
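The article describes the attack only in outline: a legitimate SWF on a trusted site is loaded with attacker-supplied variables that carry script. From the defender's side the useful question is whether such requests can be spotted in web-server logs. The script below is an added example written for this thread, not code from the article or from Google's research: it parses constructed Apache-style access-log lines (the IPs, paths and the `clickTag`/`text` parameter names are all made up for the sample) and flags requests for `.swf` files whose decoded query parameters contain script markers such as `javascript:` or `<script`. The marker list is an assumption about what "malicious code variables" would look like, not a statement of what the Google researchers found.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (not real traffic). Line 1 is a normal
# load of a marketing SWF with a benign parameter; lines 2 and 3 carry
# script content in the query string; line 4 is an unrelated page load.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2007:10:01:12 +0000] "GET /promo/banner.swf?clickTag=http://www.example.com/offer HTTP/1.1" 200 41233
203.0.113.9 - - [21/Dec/2007:10:02:44 +0000] "GET /promo/banner.swf?clickTag=javascript:alert(document.cookie) HTTP/1.1" 200 41233
198.51.100.7 - - [21/Dec/2007:10:03:02 +0000] "GET /promo/banner.swf?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 41233
198.51.100.8 - - [21/Dec/2007:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed markers of script injected through a Flash variable. "asfunction:"
# is the Flash-specific URL scheme that calls ActionScript from a link.
SCRIPT_MARKERS = ("javascript:", "vbscript:", "asfunction:", "<script", "onload=")


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return {param: decoded value} for query parameters of a .swf request
    whose value contains a script marker. Non-SWF requests yield {}."""
    parsed = urlparse(target)
    if not parsed.path.lower().endswith(".swf"):
        return {}
    flagged = {}
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already decoded once; decode again to catch
            # double-encoded payloads, then compare case-insensitively.
            probe = unquote(value).lower()
            if any(marker in probe for marker in SCRIPT_MARKERS):
                flagged[name] = value
    return flagged


def scan_log(text):
    """Scan log text and return one finding per request carrying script in a SWF parameter."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({
                "ip": rec["ip"],
                "time": rec["ts"],
                "path": urlparse(rec["target"]).path,
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['path']} {finding['params']}")
```

Run against real logs this would be one input to a review, not a verdict: the markers catch the obvious cases, and the real fix is on the applet side, where values taken from FlashVars must be validated before being passed to anything that navigates or calls script.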

Firefox and NoScript would be a start as NoScript has XSS protection also built in.

As the sites affected will be trusted sites (banks etc.), will the XSS protection still apply if the user has allowed scripts?

Further on that note, could the bank, or anyone for that matter, be sued for compensation if they allowed content to run that was malicious?

How does someone plant a malicious link on an official bank website?

As I read it, the malicious link will not be on the bank website. (Probably in a spam email?)

The phishing page visited will display the Flash marketing graphics from the bank but with malicious code injected which is able to steal user information from the bank site.

As far as I can see, there’s no danger from visiting the page with the vulnerable Flash content itself, but I stand to be corrected.

Thanks FreewheelinFrank, that makes a lot more sense to me.

Not really on point, but is it me or am I updating Flash, Shockwave, Java, Firefox, IE, Opera, Real, QuickTime etc. almost daily for vulnerabilities? This is getting old…

Yeah, it gets old, but you have to keep your software up to date to be secure.

Well, thanks for that little bit of wisdom. Personally I was just updating for the fun of it, until you told me the REAL reason why I was doing it.

Subtle as a brick, as usual, Lusher.

I don’t know exactly, the way I see it (and I could be wrong) even if you have allowed scripts for a trusted site the XSS continues to function. But that would really have to be confirmed by NoScript.

This is probably more to the point of security, practising safe hex: don’t go clicking links to sites in unsolicited emails. I would like to hope most people are now aware that banks don’t send out emails asking you to update your security details, etc. etc. I get lots of emails purporting to be from my bank when I don’t have an account with them (in America, etc.) and nor do they have my email.

But in any case, even if it were a legit email from your bank, it is still unsolicited; you weren’t expecting it and it should be treated with caution. If I want to connect to my bank on-line, I either type in the URL myself or use a bookmark, never the link in an email. I also check the underlying URL, not just the one that is displayed. I also filter my email with MailWasher before it gets to my inbox, and this is where virtually all phishing emails die along with my spam.

So yes, there will be a new exploit along any time now, so yes, we need to keep software up to date, but at the same time not forget common sense and safe hex.

Back on topic. Seems to me that the lesson here is to separate your activities between “normal” browsing and sensitive browsing.

Things you could do before visiting e-commerce sites:

  1. Clear your browser cache, turn off caching of Flash, clear the Java cache etc., restart your browser, then visit the online bank site only

  2. Use one browser (say Firefox) for normal browsing, use another (say IE) for sensitive stuff only.

  3. Use different Windows user profiles for online banking

  4. Use known “safe states” when online banking (Returnil, Deep Freeze, etc. etc.)

  5. Use a VM. E.g. browse normally using the VM, and use the normal machine for online banking

In roughly increasing order of separation…

Or, alternatively, get a life ;D

I’m not the one who started this thread… :smiley:

2) Use one browser (say firefox) for normal browsing, use another (say IE) for sensitive stuff only.

Use the safer browser for the less sensitive browsing? How does that make you more secure?

Hi bob3160,

Yes, all these vulnerabilities, and with that Flash one this is the second serious flaw within some weeks, and it is far from being patched, mean that there is something fundamentally wrong with the protocols we are using. This thing needs a complete overhaul. You and I know the way the Internet was set up was never meant to escape the academic world as it did. When it escaped this “bottle” all these things were meant to happen. Now it is just a matter of being patient and waiting to a point where the situation has run out of hand big time, to a point of no return, and the need is commonly felt to bring Internet2 in. That will mean strict authorization and making sure the abuse of today is not possible any longer. I predict it will come that way; how, or via a two-lane system, I do not know, but it is just around the corner.

polonus

You can of course reverse it. The idea here is to separate the two types of sessions.

But here I’m following the advice of “Joanna Rutkowska”, she of “blue pill” fame.

Here’s what she wrote:

“So, for example, I use IE to do all my sensitive browsing (e.g. online banking, blogger access, etc), while Firefox to do all the casual browsing, which includes morning press reading, google searching, etc. The reason I use Firefox for non-sensitive browsing doesn’t come from the fact that I think it’s more secure (or better written) than IE, but because I like using NoScript and there is no similar plugin for IE…”

http://theinvisiblethings.blogspot.com/

Of course she doesn’t believe Firefox is more secure, but it kind of makes sense: even if you think Firefox is more secure, you are going to spend most of your time doing casual surfing, going into god knows what sites, so perhaps it makes more sense to browse using the more secure browser? IE might be less secure, but if you are using it only to visit known safe sites, it doesn’t matter if it is less secure, since you will not expose it to dangerous sites anyway.

As for the statement that Firefox is more secure, see this.

Okay, no doubt the Firefox fanboys are going to kill me for this, but let me state for the record I’m not quite certain if Firefox is more secure or not. (It feels more secure to me.) I’m just reporting facts. Okay?

And as always, according to you guys I’m just disagreeing for the sake of disagreeing, I have no real arguments, etc. etc.

As for the statement that firefox is more secure, see this.

You’re linking to Jeff Jones’ much ridiculed analysis.

http://blogs.zdnet.com/security/?p=703

Some objections to the analysis are: it’s written by an MS employee, it compares a company which openly discloses all vulnerabilities to one which does not, and it totally ignores issues of in-the-wild exploits remaining unpatched for weeks in IE6.

Even George Ou limited himself to comparing IE7 and Firefox to avoid the ridicule of implying IE6 was more secure:

http://blogs.zdnet.com/Ou/?p=915&page=2

Yes, I noticed that, but that’s an ad hominem argument; you should lead with a stronger argument.

it compares a company which openly discloses all vulnerabilities to one which does not,

Firefox openly discloses all vulnerabilities? Only after they are patched.

and it totally ignores issues of in-the-wild exploits remaining unpatched for weeks in IE6.

This is the biggie. I agree. For the average user, all this counting of vulnerabilities is not very important compared to what is actually targeted and response time (but is it me, or did some AV company release some stats that show the opposite?). IE could have only one vulnerability, and Firefox a dozen, and it wouldn’t matter as much to average users if the former is the one being targeted on a wide scale. And like it or not, Internet Explorer is still the one that is being targeted because of its dominance.

But I think he has a point in that the claim that Firefox is inherently more secure than IE because it isn’t integrated with Windows doesn’t hold up. Firefox might be faster in patching, it might be less targeted, but it doesn’t seem to be any less bug free than IE.

Disclosure: I use Firefox and Opera mostly.