"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, allowing an attacker the ability to access the victims' funds.

Cannings originally disclosed the issues in December, but has seen very little activity on the part of Web-site developers to fix the flaws. The security researcher tested major Web site that he uses regularly and found that every single one still hosted old Flash files. He notified each company, and made sure they had fixed the issues, before presenting his findings, he said.

"Things really haven't changed much since December," Cannings said. "There is still a lot of bugs out there."

Article Link: http://www.securityfocus.com/news/11511