Adobe has plugged a hole in its ubiquitous Flash media player that attackers were exploiting to control services such as webmail accessed by end users.

The universal XSS, or cross-site scripting, vulnerability is present in all versions of Flash, but was only being actively exploited in versions that worked with Microsoft’s Internet Explorer browser. In a security bulletin, Adobe credited Google for discovery of the bug and warned it “could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website.” Representatives with Adobe and Google didn’t elaborate on the in-the-wild attacks or the underlying bug, except for an Adobe spokeswoman saying Google first reported it on February 10.

Security researchers, meanwhile, said the squashed bug was exotic.

“They’re kind of rare and they’re extremely powerful, so now you’re talking about an 0-day cross-site scripting flaw being used in the wild, which can really only be useful for account takeovers,” said Jeremiah Grossman, a Web security expert and the CTO of WhiteHat Security. “For an attacker to find one and use it in the wild, that’s the first I’ve ever heard of.”

Most XSS vulnerabilities are the result of coding errors on a specific website. A universal XSS, by contrast, stems from bugs present in browsers or plugins and can be exploited as they access multiple sites. Besides its zero-day status as a vulnerability—meaning it was fixed only after it was under attack—the Flash bug is noteworthy because it affects software that is installed on a majority of the world’s computers. What’s more, universal XSS vulnerabilities typically give an attacker the ability to run custom-written JavaScript in a victim’s browser that can steal authentication cookies used to log into private accounts and take similar actions, such as sending spam or messages to all addresses contained in an address book.

Over the past few years, Adobe has worked hard to improve the security of its Acrobat, Reader, and Flash applications, which are available for Windows, Mac OS X, and Linux operating systems and installed on millions of machines. In 2010, the software maker released a Windows version of Reader that included a security sandbox that isolated the document viewer from sensitive OS functions, such as the changing of registry settings and the writing or modification of crucial files. That same year, Adobe Flash for Google Chrome added similar protection. Last week, Adobe released a beta version of Flash for Firefox that adds such protection when running on Windows Vista and Windows 7, and it has said similar protection will be coming to the IE version of Flash soon.

As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

“Adobe and Google, when they create their sandboxes, they’re designing them to stop memory corruption vulnerabilities,” Chris Rohlf of Leaf Security Research told Ars. “To their credit, the sandboxes do a good job of stopping memory corruption vulnerabilities, but they’re simply not designed to stop these sorts of things.”

An updated version of Flash, which includes fixes for several other vulnerabilities Adobe rated as critical, is available from Adobe.
