Flash XSS And Remediation Steps

In the wake of the disclosure of Flash vulnerabilities found in thousands of websites, I felt I should probably post something about it. I have read the section of the upcoming book by Rich Cannings and Himanshu Dwivedi, and won’t disclose it, as promised to the person who sent it to me, until I hear otherwise (if ever - since it’s a book and you can just buy it). Today I got an email and a call from Adobe with details that they wanted to present to people who may be concerned about it:

Adobe is developing a solution in an update to Flash Player that will prevent these attacks on existing vulnerable SWFs.

The Flash Player bulletin released on 12/18 (http://www.adobe.com/support/security/bulletins/apsb07-20.html) includes a solution to a portion of these vulnerabilities, and the next update in early 2008 will mitigate the remaining issues.

In the meantime, developers can mitigate cross-site scripting attacks in their SWFs by coding them following guidelines for secure Flash development as described in the whitepaper at http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html, and by using data validation libraries available at http://code.google.com/p/flash-validators/.

Adobe is also applying these guidelines to SWF templates that are commonly deployed, which will be available as updates in early January, and we are working with other software vendors to update their templates.

Together, these strategies provide a complete solution to the potential vulnerabilities.

So if you have Flash on your site, it is highly recommended that you take these precautionary steps to protect yourself. It’s nice to see Adobe taking this seriously and working so quickly. I certainly wasn’t expecting a phone call - way to go guys!

[Source: ha.ckers]
