Faulty Flash app brings XSS to Content Management Systems

More websites may be exposed to attack following a Ukrainian security researcher's discovery of a cross-site scripting vulnerability in a widespread Flash application. This week, the researcher announced two more content management systems which use insecure versions of the affected Flash file.

Earlier this year, the same researcher also reported a similar vulnerability in the Flash files used by tag cloud plugins for WordPress, Joomulus, JVClouds3D, Joomla and Blogumus.

Eugene Dokukin, posting as MustLive, noted this week that the same problem also affects the Cumulus tag cloud widget for BlogEngine.NET and Kasseler CMS.

The vulnerability allows arbitrary HTML tags to be injected into the tag list that the tagcloud.swf Flash application renders. Because the widget treats that list as markup, an attacker can smuggle malicious JavaScript into it, although the script only runs if a victim clicks on the injected content.


If an attacker is able to convince someone to click on the Flash application, the injected JavaScript would be able to run in the context of the site hosting the Flash application. This could be particularly harmful for content management systems, potentially allowing an attacker to launch cross-site request forgery attacks, or even propagate XSS worms through comments or blog posts.

A simple Google search returns many websites which use vulnerable versions of the Flash tag cloud application. Netcraft provides a range of security testing services to identify and eliminate vulnerabilities such as cross-site scripting.

False Start for Cyber Security Challenge?

A cross-site scripting vulnerability has been uncovered on the Cyber Security Challenge UK website, before the site has even been made ready for candidates to register.

Ironically, the programme has been established by a management consortium of key figures in cyber security, and is designed to identify and nurture the UK's future cyber security workforce.

The simple coding error was demonstrated a short while ago by James Wheare. It is not clear whether this security vulnerability is part of the challenge, but we suspect not.

Mr Wheare told Netcraft that he was prompted to look for the hole after reading a friend's tweet, and noticed insufficient encoding in the page's <title> and <h2> tags.
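Both reports above come down to the same defect: output encoding that does not match the context the data lands in. The following Python is an added example, not code from either site, from MustLive's advisory or from any of the tag cloud plugins. It shows the raw-interpolation pattern reported against the Challenge page's <title> and <h2> beside its escaped form, and a tag cloud flashvar built first without and then with escaping at every layer. The flashvar name `tagcloud`, the `<tags><a ...>name</a></tags>` XML shape, the hostile tag name and the example.com URLs are all assumptions; the page does not describe the SWF's parameter format.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote
from xml.sax.saxutils import escape as xml_escape

# Constructed attacker-controlled input: a tag name (or reflected parameter)
# carrying a link whose click runs script. Nothing fires unless it reaches
# the page as live markup.
HOSTILE = '<a href="javascript:alert(document.cookie)">win</a>'


def render_heading_unsafe(text):
    """The <title>/<h2> pattern reported against the Challenge site: raw interpolation."""
    return "<title>%s</title>\n<h2>%s</h2>" % (text, text)


def render_heading(text):
    """HTML text context: &, <, > and quotes become entities before interpolation."""
    safe = html.escape(text, quote=True)
    return "<title>%s</title>\n<h2>%s</h2>" % (safe, safe)


def tagcloud_xml(tags, escape):
    """Assumed widget format: <tags><a href=.. style=..>name</a>..</tags>.
    The escape function is applied to every attacker-influenced string;
    the font size is derived from a count, so it is cast, not escaped."""
    items = []
    for name, url, size in tags:
        items.append('<a href="%s" style="font-size: %dpt;">%s</a>'
                     % (escape(url), int(size), escape(name)))
    return "<tags>" + "".join(items) + "</tags>"


def build_flashvar_unsafe(tags):
    """Vulnerable builder: percent-encodes for transport but never XML-escapes,
    so a tag name containing markup becomes markup inside the widget."""
    return quote(tagcloud_xml(tags, lambda s: s), safe="")


def build_flashvar(tags):
    """Fixed builder: XML-escape each value (quotes too, since values sit in
    attributes), then percent-encode the whole fragment for the flashvar."""
    return quote(tagcloud_xml(tags, lambda s: xml_escape(s, {'"': "&quot;"})), safe="")


def embed_flashvar(flashvar):
    """Outermost layer: the flashvar lands in an HTML attribute, so attribute-escape it."""
    return '<param name="FlashVars" value="%s" />' % html.escape("tagcloud=" + flashvar, quote=True)


def widget_view(flashvar):
    """What the SWF would see: decode and parse, returning every (text, href)
    anchor, nested ones included. An injected anchor shows up as an extra entry."""
    root = ET.fromstring(unquote(flashvar))
    return [(a.text, a.get("href")) for a in root.iter("a")]


# Constructed tag list; example.com URLs are placeholders.
TAGS = [("python", "http://example.com/tag/python", 12),
        (HOSTILE, "http://example.com/tag/hostile", 9)]
```

Run `widget_view` over both builders to see the difference: the unsafe flashvar yields three anchors, one of them with a `javascript:` href, while the escaped one yields exactly the two tags supplied, with the hostile string reduced to inert text. The same split applies to `render_heading_unsafe` and `render_heading`.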

Users of the Netcraft Toolbar are protected against cross-site scripting (XSS) attacks like these, which could otherwise be used to launch cross-site request forgery (CSRF) attacks, modify the content of pages on the Cyber Security Challenge website, or steal session identifiers from victims.


Netcraft also provides a comprehensive range of internet security services which identify vulnerabilities such as cross-site scripting in web applications. Netcraft has informed Cyber Security Challenge UK about the vulnerability.

Windows users vulnerable to flaw in Java Web Start

An unresolved security flaw in Java Web Start could be putting millions of Windows users at risk. The bug, discovered by Tavis Ormandy, allows arbitrary command-line options to be passed to the javaws launcher, and through it to the Java virtual machine, from a web page. This lets an attacker have the victim's JVM load and run a malicious JAR file.

Tavis informed Sun (now owned by Oracle) about the problem, but states that they did not consider the vulnerability important enough to break their quarterly patch cycle. Given how easily the flaw was discovered, Tavis disagreed and published an advisory recommending that users temporarily disable the affected control until it is fixed.

All versions since Java SE 6 Update 10 for Windows are believed to be vulnerable. Working exploits for this vulnerability are now in the public domain, so it is important to apply one of the workarounds suggested by Tavis:

  • Internet Explorer users can be protected by temporarily setting the kill bit on the Java Deployment Toolkit ActiveX control, CLSID CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA.
  • Mozilla Firefox and other NPAPI-based browser users can be protected by using file system ACLs to deny access to the Deployment Toolkit plugin, npdeploytk.dll. These ACLs can also be managed via GPO.

Full details can be found in Ormandy's post to the Full Disclosure mailing list.

Netcraft's Web Server Survey shows that Java Web Start is very seldom used by websites, so there is perhaps little to be lost by disabling JNLP support completely. Only 0.002% of the active sites in the April 2010 survey used JNLP technology on their homepages, whereas 0.26% of homepages contained traditional Java Applets.

Although Java usage is growing amongst mobile devices, and continues to remain strong as a server-side technology, it appears to have lost the battle for interactive client-side desktop browser technology. The combined share of JNLP and Applets pales into insignificance when compared with Adobe Flash, which is now found on more than 15% of all homepages.

New browser reports over half of SSL sites may be unsafe

A new web browser, Comodo Dragon, in effect reports more than half of the world's valid SSL certificates as unsafe.

Comodo Dragon is based on the open source Chromium project, but includes additional security and privacy features. In particular, when a user browses to a site that uses a domain-validated SSL certificate, Comodo Dragon will warn the user that the site may not have undergone trusted third-party validation.

Comodo Dragon displaying a warning when visiting a domain-validated SSL site

Users are presented with buttons to "Proceed anyway", or go "Back to safety". The warning message explains why such a site is deemed to be unsafe:

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

Mainstream adoption of this behaviour would have a huge impact on e-commerce — more than half of the SSL certificates in use on the web are domain-validated, and this market continues to show strong growth due to the generally lower costs and ease of issuance when compared with organisation and extended validation certificates.

However, none of the popular browsers provides an explicit warning when browsing to a domain-validated site. With such widespread use of domain-validated certificates, it would undoubtedly lead to uproar if any of these browsers were to display warnings when users browse to domain-validated sites.
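To see what a browser actually has to look at to make Comodo Dragon's distinction, here is an added Python example; it is not Comodo's code or anything from the page. It works on the dictionary shape that Python's `ssl.getpeercert()` returns for a verified certificate and classifies a certificate as domain-validated when its Subject carries no organisation name, which is the observable difference between DV and organisation-validated issuance. The sample certificates, their dates and the example.com names are constructed.

```python
import ssl
import time


def subject_attr(cert, attr):
    """Pull one attribute out of the nested RDN tuples that ssl.getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def is_currently_valid(cert, now=None):
    """Date check only; chain building and revocation are the TLS library's job."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now < not_after


def validation_level(cert):
    """Heuristic DV detector.

    A domain-validated certificate asserts nothing about who runs the site, so
    its Subject carries no verified organizationName. EV cannot be separated
    from OV here: that needs the certificatePolicies OID, which getpeercert()
    does not expose, so OV and EV are lumped together.
    """
    org = subject_attr(cert, "organizationName")
    return "DV" if not org or not org.strip() else "OV/EV"


def dv_share(certs, now=None):
    """(dv_count, valid_count) over a batch of decoded certificates, the kind of
    tally a survey like Netcraft's would produce."""
    valid = [c for c in certs if is_currently_valid(c, now)]
    dv = sum(1 for c in valid if validation_level(c) == "DV")
    return dv, len(valid)


# Constructed sample in getpeercert() shape; names, issuers and dates are made up.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "www.example.com"),),),
     "issuer": ((("organizationName", "Some DV Issuer"),),),
     "notBefore": "Jan 10 00:00:00 2010 GMT", "notAfter": "Jan 10 23:59:59 2011 GMT"},
    {"subject": ((("countryName", "GB"),), (("organizationName", "Example Corp"),),
                 (("commonName", "secure.example.com"),)),
     "issuer": ((("organizationName", "Some OV Issuer"),),),
     "notBefore": "Feb 01 00:00:00 2010 GMT", "notAfter": "Feb 01 23:59:59 2012 GMT"},
    {"subject": ((("commonName", "old.example.com"),),),   # expired, so not counted
     "issuer": ((("organizationName", "Some DV Issuer"),),),
     "notBefore": "Mar 01 00:00:00 2008 GMT", "notAfter": "Mar 01 23:59:59 2009 GMT"},
]
SURVEY_TIME = ssl.cert_time_to_seconds("Mar 15 12:00:00 2010 GMT")
```

Against a live host, pass the result of `ssl.SSLSocket.getpeercert()` (with verification enabled, otherwise the dictionary is empty) to `validation_level`; on the constructed batch, `dv_share(SAMPLE_CERTS, SURVEY_TIME)` counts one DV certificate among two valid ones.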

Although Comodo states that many websites connected to cyber-crimes use domain-validated certificates, Netcraft's phishing site feed shows that only 0.3% of reported phishing sites use HTTPS, including those running on compromised servers with SSL certificates already in place.

Netcraft found 683,563 valid domain-validated certificates in its March 2010 survey. Go Daddy has issued more than half of these, which it currently sells at $29.99 per year for new purchases.

Comodo itself is also a sizable player in the domain-validated SSL market, accounting for 7.6% of all domain-validated certificates. Ironically, domain-validated certificates signed by Comodo are also reported as being potentially unsafe, including those sold via hosting companies such as DreamHost.

DreamHost's CTO, Dallas Kashuba, told Netcraft: "I think the information being presented about the nature of the SSL certificate is useful, but the approach Comodo has taken to present the information is heavy-handed and seems a bit too close to "crying wolf". I worry that users of the browser will see that warning so frequently that they will become desensitized to all warnings."

Last year, DreamHost launched an amusing tirade against certificate authorities, criticising the "entirely automated" process of issuing domain-validated certificates. To prove a point, DreamHost then began offering domain-validated certificates to existing customers for only $15, stating: "...we're not making anything on them because we feel the whole business is a scam!"

DreamHost's Kashuba also told Netcraft: "I think Extended Validation SSL certificates are a good way to reduce the impact of phishing and other similar nefarious activities, but is not a necessary expense for most secure websites."

There is no doubt that upsetting the current level of trust in domain-validated certificates would cause problems: Many FDIC members continue to use domain-validated certificates for their banking sites, including Bank of the Sierra, Bank of Hawaii, TierOne Bank and Great Western Bank.

For additional information or details on how to order the Netcraft SSL Survey, please contact us at sales@netcraft.com.

24 of the 100 top HTTPS sites now safe from TLS renegotiation attacks

24 of the 100 most popular HTTPS websites appear to be safe from the recently documented TLS renegotiation flaws. The other 76 remain vulnerable to renegotiation attacks, which let a man-in-the-middle attacker splice data of their own choosing in front of a victim's encrypted session, so that the server treats it as part of the victim's request. To demonstrate the seriousness of the issue, Anil Kurmus published an attack scenario showing how the flaw could be used to steal passwords from vulnerable sites such as Twitter.

Among the top 100 HTTPS websites, there are several banks and commerce companies that remain vulnerable. A few of these sites give the appearance of being intermittently vulnerable, as client requests are load balanced among a mixture of vulnerable and non-vulnerable machines.

Ben Laurie of Google was working on the renegotiation flaw around six weeks before it was made public, so it is perhaps unsurprising that 7 of the 24 safe sites are owned by Google. A further 7 sites are running Microsoft IIS 6.0, which is currently believed not to be vulnerable.

Since discovering the renegotiation problem, PhoneFactor has maintained a Status of Patches list showing which vendors have responded. A few acted quickly by disabling renegotiation support in their products, and some have already implemented Eric Rescorla's proposed fix, the renegotiation_info TLS extension (since published as RFC 5746), which binds each renegotiation to the connection it takes place on so that a spliced-in handshake no longer verifies.
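The fix is visible on the wire: a patched server includes the renegotiation_info extension (type 0xff01) in its ServerHello, with an empty renegotiated_connection on the initial handshake. The following Python is an added example, not Netcraft's survey code or PhoneFactor's, that parses a ServerHello record and reports whether the server advertised the extension. The `build_server_hello` helper constructs minimal test records; no real handshake is captured here.

```python
import struct

TLS_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
EXT_RENEGOTIATION_INFO = 0xFF01   # renegotiation_info, RFC 5746


def build_server_hello(extensions):
    """Construct a minimal TLS 1.0 ServerHello record.

    Test fixture only (constructed, not a capture): zero random, empty session
    id, TLS_RSA_WITH_AES_128_CBC_SHA, null compression. extensions=None omits
    the extensions block entirely, as older servers do; otherwise it is a list
    of (type, data) pairs.
    """
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions is not None:
        blob = b"".join(struct.pack("!HH", etype, len(data)) + data
                        for etype, data in extensions)
        body += struct.pack("!H", len(blob)) + blob
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def server_hello_extensions(record):
    """Return {extension_type: data} from a ServerHello record, or raise ValueError."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or rec_len < 4 or handshake[0] != HS_SERVER_HELLO:
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello body")
    pos = 2 + 32                       # protocol version + server random
    sid_len = body[pos]
    pos += 1 + sid_len                 # session id
    pos += 2 + 1                       # cipher suite + compression method
    if pos > len(body):
        raise ValueError("truncated ServerHello body")
    exts = {}
    if pos == len(body):
        return exts                    # no extensions block at all
    if pos + 2 > len(body):
        raise ValueError("truncated extensions length")
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns block")
        exts[etype] = body[pos:pos + elen]
        pos += elen
    if pos != end:
        raise ValueError("trailing bytes in extensions block")
    return exts


def supports_secure_renegotiation(record):
    """True if the server advertised renegotiation_info on an initial handshake.

    On the first handshake the extension body is a single zero byte (an empty
    renegotiated_connection); absence or anything else is treated as unsafe.
    """
    data = server_hello_extensions(record).get(EXT_RENEGOTIATION_INFO)
    return data == b"\x00"
```

To test a real site, send a ClientHello that offers the extension (or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite) and feed the first record the server returns to `supports_secure_renegotiation`. Because of the load-balancing effect noted above, repeat the check over several connections before concluding that a site is clean.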

Netcraft's November SSL Survey found 1,217,395 distinct valid third-party SSL certificates in use on the web.

HMRC phishing site hosted on gov.uk domain

An ongoing phishing attack against UK taxpayers is being given additional credibility by using a gov.uk domain. Sefton Council is hosting the phishing content on its Novell GroupWise 7.0 server at web11.sefton.gov.uk.

The phish follows one of the typical ploys commonly seen in HMRC and IRS phishing attacks: The victim is led to believe that they can receive a tax refund by submitting their full credit card details, but these details are instead sent directly to the fraudster behind the attack.


The fraudulent form submits the victim's details to a PHP script hosted at www.zamoh.biz.
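A form on a gov.uk page that posts card details to a host outside gov.uk is the kind of thing a crawler or proxy can flag mechanically. The following Python is an added example, not Netcraft's phishing feed code: it collects every form on a page, resolves the action against the page URL and reports forms that send sensitive-looking fields to a different host. The sample page is constructed; only the two hostnames come from the report, while the path, field names and markup are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings of field names that should never leave the site that asked for them.
# Crude on purpose: tune for your own forms, and expect some false positives.
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "passw", "sortcode", "account")


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def offsite_sensitive_forms(page_url, page_html):
    """Flag forms that send sensitive-looking fields to a host other than the page's."""
    collector = FormCollector()
    collector.feed(page_html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])   # resolves relative and empty actions
        target_host = (urlsplit(target).hostname or "").lower()
        sensitive = sorted({f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS)})
        if target_host != page_host and sensitive:
            findings.append({"action": target, "fields": sensitive})
    return findings


# Constructed page standing in for the Sefton phish. The hosts are from the
# report; the path, field names and markup are invented for this example.
PAGE_URL = "http://web11.sefton.gov.uk/refund/index.html"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/search">
  <input name="q"><input type="submit" value="Search">
</form>
<form method="post" action="http://www.zamoh.biz/process.php">
  <input name="fullname"><input name="cardnumber"><input name="expirydate">
  <input name="cvv"><input type="submit" value="Claim refund">
</form>
</body></html>
"""
```

`offsite_sensitive_forms(PAGE_URL, SAMPLE_HTML)` returns the refund form alone: the search form posts to the same host and carries nothing sensitive. A site-relative action such as `login.php` resolves to the page's own host and is never flagged, however sensitive its fields.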


The UK's Central Office of Information is responsible for deciding who can register gov.uk domains. Eligibility is strictly limited, which helps to preserve the integrity of the gov.uk namespace; however, this obviously has an undesirable effect when this integrity is leveraged by fraudulent content on compromised servers. Netcraft has informed Sefton Council about this phishing attack.

Netcraft provides an Automated Vulnerability Scanning service which regularly tests your internet infrastructure, supplies the information you need to maintain your security and eliminate vulnerabilities, and audits that it has found no serious vulnerabilities using a dynamically generated seal.