Adobe Fixes Flash Authoring XSS Vulnerabilities - InformationWeek

1/18/2008
04:15 PM

Adobe Fixes Flash Authoring XSS Vulnerabilities

The security bulletins cover Dreamweaver CS3, Dreamweaver 8, Contribute CS3, Contribute 4, and Connect Enterprise Server.

Adobe has released two security bulletins that address cross-site scripting (XSS) vulnerabilities in its media authoring and content serving software.

The security bulletins cover Adobe's Dreamweaver CS3, Dreamweaver 8, Contribute CS3, Contribute 4 and Connect Enterprise Server for Windows and Mac OS.

"Input validation errors have been identified in code generated by Dreamweaver and Contribute which could lead to potential cross-site scripting attacks," Adobe explains in one of its bulletins. "Only customers who have used the Insert Flash Video command in Dreamweaver or Contribute may be vulnerable."

Rich Cannings, a senior information security engineer at Google, described the risks in a public Google Docs file earlier in January, noting that many Web authoring tools insert vulnerable ActionScript code into Flash (.SWF) files. He said that Google hacking queries could reveal hundreds of thousands of vulnerable .SWF files and that "a considerable percentage of major Internet sites are affected."

These files could be used to facilitate cross-site scripting attacks. "If a Web application is vulnerable to XSS, and an attacker lures a user of the vulnerable Web application to click on a link, then the attacker gains complete control of the user's session in the Web application," Cannings explained in his post. "The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the Web site appears to the user (for example, perform a phishing attack)."

XSS vulnerabilities are not uncommon. The site XSSed.com maintains a list of reported XSS holes in Web sites. On Friday, January 18, at the time this article was filed, 10 new vulnerabilities had been reported that day. The site shows that XSS vulnerabilities have been reported on many high-profile domains, including yahoo.com, google.com, youtube.com, and msn.com, to name a few. Some of these flaws have been fixed; others apparently remain.

Some security experts consider XSS holes to be less significant than application or network vulnerabilities. But, as security researcher Russ McRee observes, e-commerce sites with XSS issues risk being out of compliance with Payment Card Industry data rules and losing the ability to accept credit cards online.
