Web developers, fix thy Flash

"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, allowing an attacker the ability to access the victims' funds.

Cannings originally disclosed the issues in December, but has seen very little activity on the part of Web-site developers to fix the flaws. The security researcher tested major Web sites that he uses regularly and found that every single one still hosted old Flash files. He notified each company, and made sure they had fixed the issues, before presenting his findings, he said.

"Things really haven't changed much since December," Cannings said. "There is still a lot of bugs out there."

Article Link: http://www.securityfocus.com/news/11511