Flash-related vulnerability puts sites at risk


Foreground Security identified a vulnerability in the way that browsers deal with Adobe Flash files, which can be used to compromise sites that allow users to submit content.

The flaw is related to the rules under which Flash ActionScript operates: a Flash object is allowed to access other content only from the domain that originated it, explains Mike Bailey of Foreground, cited by Computerworld.

If someone uploads a malicious Flash object to a website, they can execute malicious scripts in the context of that domain. «It’s relatively simple,» he says. «You just need to create a malicious Flash object and upload it to the web server».

For its part, Adobe has already stated that the vulnerability is not fixable with a patch and that it has tried to raise awareness among programmers and website designers about the subject. «For us, this is a generic problem that affects any site that allows active script, not just from Flash, but from technologies like JavaScript and Silverlight,» says Brad Arkin of Adobe.

The official argues that, even if there was a magic fix for Flash, the problem would still exist for all sites with active content that allow users to upload files.

In view of Foreground’s findings, users are advised to protect themselves against possible attacks by disabling Flash in their computers' browsers or, whenever possible, by using plug-ins such as the NoScript add-on for Firefox or ToggleFlash for Internet Explorer.
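On the site side of the problem described above (sites that accept user uploads), the following is an added example, not code from Foreground Security, Adobe or the original article: an upload screen that refuses Flash content by looking at the file's first bytes rather than its name. The function names and sample uploads are hypothetical, and checking content instead of extension rests on the assumption that an uploaded Flash object may arrive under another file name.

```python
import struct
import zlib

# SWF files start with one of these 3-byte signatures, followed by a version
# byte and a 4-byte little-endian length of the uncompressed file.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def inspect_swf_header(data):
    """Return header details if data starts like a SWF file, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    compression = SWF_SIGNATURES[data[:3]]
    declared = struct.unpack("<I", data[4:8])[0]
    # Compressed bodies are not unpacked here, so untrusted input is never
    # decompressed; the length check only applies to uncompressed files.
    consistent = (declared == len(data)) if compression == "none" else None
    return {"compression": compression, "version": data[3],
            "declared_length": declared, "length_consistent": consistent}


def screen_upload(filename, data):
    """Return (decision, reason); Flash content is refused whatever its name."""
    header = inspect_swf_header(data)
    if header is None:
        return "accept", "no SWF signature"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    note = "" if ext == "swf" else " under a non-.swf name"
    return "reject", "SWF content (version %d)%s" % (header["version"], note)


# Constructed sample uploads (not real files).
BODY = b"\x00" * 16
SAMPLE_FWS = b"FWS" + bytes([9]) + struct.pack("<I", len(BODY) + 8) + BODY
SAMPLE_CWS = (b"CWS" + bytes([10]) + struct.pack("<I", len(BODY) + 8)
              + zlib.compress(BODY))
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("movie.swf", SAMPLE_FWS), ("avatar.jpg", SAMPLE_CWS),
                       ("logo.png", SAMPLE_PNG)]:
        print(name, screen_upload(name, blob))
```

The check is deliberately conservative: any file beginning with a SWF signature is refused, even if the rest of it is not a valid Flash object.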