Adobe Flash fundamental bug will not be fixed
Security experts at Foreground Security have discovered a problem with Adobe Flash that affects almost every site that lets users upload their own content, even if the site itself does not formally serve Flash. The point is that nothing prevents an object/embed tag from being placed on any page unrelated to the site, and Flash has access to cookies for the domain it is loaded from (not the domain where the object tag is located).
The problem is the ActionScript same-origin policy, which allows active content to run within the domain it is served from. If UGC can be uploaded to a trusted site, a malicious script will be executed for every visitor to that site who has Flash installed.
Adobe said that fixing the bug is very difficult and shifted all responsibility for protection against malicious code to site administrators. The recommendation is to allocate a separate domain for UGC storage. But this is not always possible: even Adobe's own site is affected by this vulnerability.
The attack can also be carried out through Gmail (see video).
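The separate-domain recommendation above can be checked on stored uploads. The following is an added example, not code from Adobe or Foreground Security: it flags files whose leading bytes are a SWF signature and files served from a host that still falls inside the session cookie's scope. The host names, sample files and function names are constructed for illustration, and the leading-bytes check is an assumption added here as a second layer, not something the article prescribes.

```python
"""Added example: audit stored uploads for the Flash same-origin issue."""

# First three bytes of a SWF file: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def looks_like_swf(data: bytes) -> bool:
    """True if the payload starts with a SWF signature, whatever the file is named."""
    return data[:3] in SWF_SIGNATURES


def cookie_reaches_host(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain-match: would a cookie scoped to cookie_domain be sent to host?"""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def audit_upload(filename, data, serve_host, session_cookie_domain):
    """Return a list of findings for one stored upload."""
    findings = []
    if looks_like_swf(data):
        findings.append(f"{filename}: content starts with a SWF signature")
    if cookie_reaches_host(session_cookie_domain, serve_host):
        findings.append(
            f"{filename}: served from {serve_host}, inside cookie scope "
            f"{session_cookie_domain}; move UGC to a separate domain"
        )
    return findings


# Constructed sample uploads: (filename, first bytes of the file).
SAMPLES = [
    ("avatar.jpg", b"CWS\x0a" + b"\x00" * 16),          # SWF bytes behind an image name
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),  # genuine PNG header
]

if __name__ == "__main__":
    # Constructed hosts: one on the application's domain, one on a separate domain.
    for name, blob in SAMPLES:
        for host in ("www.example.com", "ugc-example.net"):
            for finding in audit_upload(name, blob, host, ".example.com"):
                print(finding)
```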