A flaw in the software Flash, Adobe, can be exploited by attackers to compromise any site that gives permission to update content - if, for example, Google Gmail - and then silently attack visitors of these sites, said today (13 / 11) researchers from a U.S. security company.

Adobe does not refute the claims of the researchers, but said it is the responsibility of the designers and administrators to build web applications and sites capable of preventing such attacks.

"The size of the problem is huge," said Mike Murray, executive security Foreground Security, Florida. "Any site that allows updating content for the visitor is vulnerable, and most of them are not ready to handle it."

Permission risky
The problem is in the rules of operation of the Flash ActionScript, which is programmed to allow access to a Flash object to other content only from the area where it originated, said Mike Bailey, a senior security researcher at Foreground.

Unfortunately, Bailey explains, if an attacker can infiltrate a malicious Flash object on a Web site - through their ability to generate content, which typically allows people to update files on a site or service - they can run malicious scripts in the context of this domain .

Bailey explained how a hacker could exploit the flaw in Flash. "It is relatively simple," he said. "All he needs to do is create a malicious Flash object, and load it on the web server."

"If a forum allows people to upload an image as an avatar, someone could upload a malicious Flash file that looks like an avatar," said Bailey. "Anyone who saw this avatar would be vulnerable to attack."

Hopeless
In response to the Foreground, Adobe said the flaw is "incorrigible", and tries to educate administrators to obscure the site themselves, the hole. But the strategy has not been having much success.

Brad Arkin, Adobe's director for privacy and product safety, agreed that the problem can not be solved with a patch for Flash.

"For us, this is a generic problem that affects any site that allows active scripting, not just Flash, but technologies like Silverlight and JavaScript. Even if Flash had a magical protection, the problem would still exist for all active content sites that allow users to upload files. "

Alternatively, Adobe has focused on good design practice, explaining to designers and site administrators the risks of allowing users to update content. "Sites should not allow updates in trusted domains," Arkin argues.

Even GMail
One of the sites at risk of malicious attacks is GMail, Google. The service is one that allows users to update and download attachments - although Bailey admits that exploit Google's webmail is "extremely difficult".

Although Foreground has not detected any attack with this technique, Murray said there was evidence that hackers are turning to such tactics. "We started to notice a more intense use of Flash in the last days," he said.

Meanwhile, the only real defense that users can employ against such attacks is to stop using Flash - or, if that is impossible to restrict its use to sites known to be safe with tools like NoScript addon ToogleFlash Firefox or Internet Explorer.

Source: http://idgnow.uol.com.br/seguranca/2009/11/13/falha-no-flash-expoe-sites-a-ataque-hacker/