The issue of web security and cross-site scripting was back in the media recently, after a blog post by Costin Raiu, the director of the global research & analysis team at Kaspersky Lab, highlighted a potential issue with Adobe Flash Player version 220.127.116.11 and older.
Posted on Kaspersky Lab’s official blog, the article suggests that ChromeOS, Linux, Macintosh and Windows-based systems using the vulnerable version of Adobe Flash Player could be exploited by hackers.
According to Raiu, the fault can cause the software to crash, at which point hackers can take control of the system. For website owners and users, the latest security issue for the popular media player is bound to be a concern, but for Adobe it doesn’t appear to be a pressing matter.
Adobe Vulnerability Part of a Larger Security Issue
Although it acknowledged the vulnerability, Adobe said the fault has only been exploited in a limited capacity and a fix won’t be issued until the next round of regular security updates. For Raiu, the weakness in the system could become an issue if recent attacks on the software company are anything to go by.
Thanks to a new feature in Kaspersky Lab’s detection software, an Adobe Flash zero-day exploit was uncovered earlier this year and then again in June. For Raiu, this appears to be part of a larger series of attacks from an advanced persistent threat (APT) group Kaspersky has dubbed ScarCruft.
For users, the idea that their systems could be compromised by cross-site scripting attacks has pushed many to seek protection against them. As outlined by Incapsula, “cross site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application.”
Lessons to be Learned from Adobe
Whether they are stored or reflected, XSS attacks have the potential to cause irreparable damage to a business, as they leave users’ personal data at risk. With XSS attacks common and companies such as Adobe not immune from hackers, XSS prevention is crucial for every website owner.
Indeed, any small or medium business that uses the Adobe Flash Player on its site and doesn’t use XSS prevention tools such as a web application firewall (WAF) could be putting its users at risk.
Naturally, it’s not only XSS attacks that businesses need to protect themselves against. According to Akamai, 8% of attacks in Q1 of 2016 were XSS, while SQL injections accounted for 42% of attacks. Web security is no longer an optional extra for companies. Employing multiple layers of protection and ensuring there are no coding vulnerabilities underneath a site’s hood is crucial.
Website Security is Not an Optional Extra
Adobe’s latest security advisory might not have caused a major incident, but it does highlight the dangers that are out there. If a company of that magnitude can fall foul of hackers, then anyone can. So, while users will have to wait for the next round of updates for the latest vulnerability to be fixed, the situation should serve as a lesson to any business out there that you can’t sleep on security.