Uh oh. I hate reading this stuff Monday mornings…. but this security issue looks like a doozy.
Flash flaw puts most sites, users at risk, say researchers
‘Frighteningly bad thing,’ said Foreground Security, of flaw allowing hackers to hijack sites, attack usersNovember 12, 2009 (Computerworld) Hackers can exploit a flaw in Adobe’s Flash to compromise nearly every Web site that allows users to upload content, including Google’s Gmail, then launch silent attacks on visitors to those sites, security researchers said today.
Adobe did not dispute the researchers’ claims, but said that Web designers and administrators have a responsibility to craft their applications and sites to prevent such attacks.
“The magnitude of this is huge,” said Mike Murray, the chief information security officer at Orlando, Fla.-based Foreground Security. “Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this.”
The problem lies in the Flash ActionScript same-origin policy, which is designed to limit a Flash object’s access to other content only from the domain it originated from, added Mike Bailey, a senior security researcher at Foreground. Unfortunately, said Bailey, if an attacker can deposit a malicious Flash object on a Web site — through its user-generated content capabilities, which typically allow people to upload files to the site or service — they can execute malicious scripts in the context of that domain.
“This is a frighteningly bad thing,” Bailey said. “How many Web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable.”
Ugh. It does not look like anyone has a fix for this in the near future. These hacks are just getting crazy!!!
It is advised to either avoid browsing sites that have Flash (actually a very difficult thing today), or installing NoScript for Firefox browsers, or ToggleFlash for Internet Explorer. Nothing was said about using Opera, an alternative browser that I like and that has been immune from a lot of the security problems… so I’ll have to do some digging to find out.
In the meantime, use NoScript or ToggleFlash. NoScript (which is what I have used intermittently in the past) is a little complex sometimes, because you have to put everything on a white list… and some things I don’t know what are allowable or not (not all things on websites are adequately labeled). So this puts a real crimp in my own browsing style… hopefully, a fix will roll out soon.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
Here I can post my findings for sharing (and I do hope some of these you find helpful in some way) and they also serve as “bookmarks” for me in case I need something at some time in the future. I ALWAYS get a good, functional “search” feature when I use a blog theme, because I am always comeing back and searching my own blog for things I mentioned months ago. 
