Digital Traffic Factory A full-service internet marketing company specializing in optimizing clients sales funnels

Adobe has plugged a hole in its ubiquitous Flash media player that attackers were exploiting to control services such as webmail accessed by end users.

The universal XSS, or cross-site scripting, vulnerability is present in all versions of Flash, but was only being actively exploited in versions that worked with Microsoft’s Internet Explorer browser. In a security bulletin, Adobe credited Google for discovery of the bug and warned it “could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website.” Representatives with Adobe and Google didn’t elaborate on the in-the-wild attacks or the underlying bug, except for an Adobe spokeswoman saying Google first reported it on February 10.

Security researchers, meanwhile, said the squashed bug was exotic.

“They’re kind of rare and they’re extremely powerful, so now you’re talking about an 0-day cross-site scripting flaw being used in the wild, which can really only be useful for account takeovers,” said Jeremiah Grossman, a Web security expert and the CTO of WhiteHat Security. “For an attacker to find one and use it in the wild, that’s the first I’ve ever heard of.”

Most XSS vulnerabilities are the result of coding errors on a specific website. A universal XSS, by contrast, stems from bugs present in browsers or plugins and can be exploited as they access multiple sites. Besides its zero-day status as a vulnerability—meaning it was fixed only after it was under attack—the Flash bug is noteworthy because it affects software that is installed on a majority of the world’s computers. What’s more, universal XSS vulnerabilities typically give an attacker the ability to run custom-written JavaScript in a victim’s browser that can steal authentication cookies used to log into private accounts and take similar actions, such as send spam or messages to all addresses contained in an address book.

Over the past few years, Adobe has worked hard to improve the security of its Acrobat, Reader, and Flash applications, which are available for Windows, Mac OS X, and Linux operating systems and installed on millions of machines. In 2010, the software maker released a Windows version of Reader that included a security sandbox that isolated the document viewer from sensitive OS functions, such as the changing of registry settings and the writing or modification of crucial files. That same year, Adobe Flash for Google Chrome added similar protection. Last week, Adobe released a beta version of Flash for Firefox when running on Windows Vista and Windows 7 and has said similar protection will be coming to the IE version of Flash soon.

As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

“Adobe and Google, when they create their sandboxes, they’re designing them to stop memory corruption vulnerabilities,” Chris Rohlf of Leaf Security Research told Ars. “To their credit, the sandboxes do a good job of stopping memory corruption vulnerabilities, but they’re simply not designed to stop these sorts of things.”

An updated version of Flash, which includes fixes for several other vulnerabilities Adobe rated as critical, is available here.

We Work For You

Each and every service we provide is custom tailored to each client’s individual needs.
Internet Marketing is not a one-size-fits-all business. Not every solution will work for every client. We will find the solution that will work for YOU

marketing illustration
web development illustration

web development

We focus on Functionality, Design and Maintenance

It’s important that a website works the way it should. We make sure it functions seamlessly in every browser, on every device, from a home computer to a tablet to a iPhone or other mobile device. We scour through all of that code so you don’t have to. What our clients get is a website that looks amazing, is protected from hackers, and it works as intended to deliver results.

Your website should be as unique as your business. During the initial phases of design, our team will work closely with you so we understand your goals and objectives and build a website that achieves them. We’ve consulted across all industries, and we stay up-to-date on the latest trends. The result: websites that are completely custom, modern, attractive and effective.

cloud hosting

Unlike traditional hosting, Our solutions are not deployed on a single server. Instead, a network of connected virtual and physical cloud servers hosts our client' applications and websites, ensuring greater flexibility, scalability and accessibility.

cloud hosting illustration


what our clients are saying

Get started

We are here to help you. So reach out today!

100% Satisfaction Guaranteed

We know what we're doing when it comes to the web. But like most things on the web, a bit of scepticism is healthy. So that is why we put our money where our mouth is. We don't just talk the talk, we walk the walk.
We're so confident in our abilities, that once we outline a plan, if we don't hit the metrics, you owe us nothing for our efforts.

What will be the next step?

  • we'll discuss your business goal together.
  • we'll map out a plan together.
  • We'll prepare the proposal for you.

Tell us about your project