Foreground Security Discovers Adobe Flash Vulnerability

Internet Users Worldwide at Risk as Holiday Shopping Season Begins

Orlando, FL, November 12, 2009 -- Foreground Security™, a leader in information security services, solutions and training, today announced its discovery of a critical vulnerability in Adobe Flash. The issue allows an attacker to take over nearly any computer visiting a website that allows file uploads.

“Due to the ubiquity of Adobe Flash, which Adobe estimates has over 99% market penetration globally, the implications of the exploit are far-reaching,” said Mike Murray, Foreground’s chief information security officer. “When you consider that the number of online shoppers increases exponentially with the approaching holidays, this vulnerability is definitely a cause for serious concern.”

According to Foreground Security Senior Security Researcher Mike Bailey, who discovered the vulnerability: “Whether you use Flash or not, you may still be vulnerable because this issue affects users directly and not the servers themselves. Websites that are at risk of being vulnerable include social media sites, major career portals, and Fortune 1000 and government agency websites. Basically, if you have a website, you could be vulnerable.”

Following its discovery, the vulnerability was reported to both Adobe and Google, whose Google Applications, including Gmail, are vulnerable to exploit. No fix is currently available.

Bailey also noted: “This is insidious because Flash content can be crafted to look like many different file types, such as Microsoft Word or Excel documents, image files or zip files. This variability allows malicious content to appear in many different and normally non-threatening guises. Nobody expects pictures to attack them.”

“IT security teams at web properties should evaluate the locations where file uploads are allowed as well as locations where those uploads are stored to ensure they are not vulnerable to this condition,” said Dave Amsler, Foreground Security’s president. “We are urging organizations to reach out to trusted security partners to assist with this fix if they are unable to solve it on their own. Organizations that take the time to resolve this issue will make the online shopping season safer for everyone.”
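The review Amsler describes starts with checking what uploaded files actually contain rather than what their names claim. The following is an added example, not Foreground Security's code: it recognises Flash (SWF) payloads by their file signature so that an upload named like an image or document can be flagged. The sample uploads are constructed inline.

```python
# Added example (not Foreground Security's code): content-based check for Flash
# (SWF) payloads in uploaded files, regardless of the extension they claim.
# Sample uploads below are constructed inline.

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian file length.
# "FWS" = uncompressed, "CWS" = zlib-compressed, "ZWS" = LZMA-compressed (later Flash).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def swf_header(data):
    """Return (signature, version, declared_length) for an SWF payload, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    length = int.from_bytes(data[4:8], "little")
    return data[:3].decode("ascii"), version, length


def is_disguised_swf(filename, data):
    """True when the bytes are SWF but the filename claims something else (e.g. .jpg)."""
    if swf_header(data) is None:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "swf"


def scan_uploads(uploads):
    """Names of uploads whose content is SWF despite a non-.swf name."""
    return [name for name, data in uploads.items() if is_disguised_swf(name, data)]


# Constructed samples: a minimal SWF header padded to its declared length,
# and the first bytes of a JPEG (SOI/APP0 markers) for contrast.
FAKE_SWF = b"FWS" + bytes([10]) + (20).to_bytes(4, "little") + b"\x00" * 12
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

SAMPLE_UPLOADS = {
    "photo.jpg": FAKE_SWF,       # Flash content wearing an image extension
    "vacation.jpg": SAMPLE_JPEG,
    "banner.swf": FAKE_SWF,      # honestly labelled Flash, not a disguise
}

if __name__ == "__main__":
    print(scan_uploads(SAMPLE_UPLOADS))  # ['photo.jpg']
```

Serving user uploads from a separate domain from the main site, so that any embedded content runs outside the site's origin, is the complementary storage-side control implied by Amsler's second point.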

Added Amsler: “Foreground recommends that all holiday shoppers immediately take mitigation steps to reduce their reliance on Flash by disabling it in their browsers or by using products like NoScript or ToggleFlash to reduce their exposure whenever possible.”

More detail on the vulnerability and information about how consumers can protect themselves is available on the Foreground Security blog at: http://www.foregroundsecurity.com/MyBlog/

About Foreground Security

Foreground Security is a leader in information security consulting, training and services with offices in Virginia, Florida, California, and Illinois. Foreground Security believes in integrating leading-edge security services, training, and commercial best practices in order to assist government and private sector organizations in optimizing their security posture. The mission of Foreground Security is to aid clients with overall information security through a customer-centric approach. You will never see a one-size-fits-all proposal or solution when you choose Foreground Security as your information security partner.


For More Information Please Contact:

 

Public Relations:

Kristi Lane

Shev Rush Public Relations (SRPR)

W:785.393.2261

Foreground Security Senior Researcher Uncovers Major Web Application Vulnerability

Browser Cookie Handling Widens Web Attack Space

ORLANDO, Florida, November 6, 2009 – Foreground Security™, the leader in information security services, solutions and training, recently announced that one of its Senior Security Researchers, Mike Bailey, has discovered, and written a whitepaper on, a vulnerability that most corporations didn’t think could happen: that one of their website sub-domains can be used to attack their main production domain.

“Most webmasters operate under a false assumption that, because of the hierarchical and segmented structure of DNS, an exploit on a subdomain (for instance, mail.google.com) cannot impact the principal domain (google.com),” Bailey said. He added: “The way browsers handle cookies makes this possible, because cookies are designed so that sub-domains can set and customize them for the main domain.”

Mike Murray, CISO and Managing Partner, added: "It's not just 'check the vulnerabilities on the important stuff.' It's 'check the vulnerabilities on every public-facing server.' This vulnerability significantly lowers the ante for the attacker. In the old days, we believed that if the main site was secure, everything was fine. Now the attacker can go through the side doors."

A permanent fix for this vulnerability requires fundamental changes in the way cookies are handled by every major browser provider. This change is unlikely to be effected quickly, but organizations shouldn't wait to react. Every organization should consult web application security experts to review their security posture in light of this new information.
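The cookie behaviour Bailey describes follows directly from the domain-matching rule browsers apply. The following is an added example, not Foreground Security's code or the whitepaper's: it audits constructed Set-Cookie headers from a subdomain (mail.example.com is an assumed name) and reports which cookies the main site (www.example.com) would also receive. The public-suffix check browsers add on top of this rule is left out.

```python
# Added example (not Foreground Security's code): audit of Set-Cookie headers
# showing how a cookie set by a subdomain can be scoped to the parent domain
# and so reach the main site. Hostnames and headers are constructed.

def domain_matches(host, domain):
    """RFC 6265 section 5.1.3: host equals domain, or host ends with '.' + domain."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header):
    """Return (name, domain_attribute_or_None) from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()  # browsers ignore a leading dot
    return name.strip(), domain


def effective_domain(setter_host, header):
    """Domain the cookie applies to, or None if a browser would reject the Domain attribute."""
    _name, domain = parse_set_cookie(header)
    if domain is None:
        return setter_host          # host-only cookie: stays on the subdomain
    if not domain_matches(setter_host, domain):
        return None                 # Domain is not a parent of the setter: ignored
    return domain                   # parent-scoped: sent to every host under it


def cookies_reaching(setter_host, headers, main_host):
    """Names of cookies that setter_host can set so that main_host will send them."""
    reaching = []
    for header in headers:
        domain = effective_domain(setter_host, header)
        if domain is not None and domain_matches(main_host, domain):
            reaching.append(parse_set_cookie(header)[0])
    return reaching


# Constructed Set-Cookie headers as if returned by mail.example.com.
SAMPLE_HEADERS = [
    "pref=dark; Path=/",                       # host-only, stays on mail.example.com
    "SID=forged; Domain=example.com; Path=/",  # parent-scoped, reaches www.example.com too
    "x=1; Domain=other.example; Path=/",       # not a parent of the setter: rejected
]

if __name__ == "__main__":
    print(cookies_reaching("mail.example.com", SAMPLE_HEADERS, "www.example.com"))  # ['SID']
```

The practical reading for a defender is the one the release gives: a cookie the main site trusts, such as a session identifier, can be overwritten by any host under the same parent domain, so every such host is part of the main site's attack surface.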

The Foreground Security Research Team is active in the information security research community, aggressively pursuing both new vulnerability research and mitigation of all types of threats. Leveraging its expert understanding of today’s web applications, threats and how exploitation works, the team is a consistent contributor to the industry.

About Foreground Security

Foreground Security™ is a leading consulting, training and services firm with offices in Virginia, Florida, California, and Illinois. Foreground Security believes in integrating leading-edge security services, training, and commercial best practices in order to assist government and private sector organizations in optimizing their security posture. The mission of Foreground Security is to aid clients with overall information security through a customer-centric approach. You will never see a one-size-fits-all proposal or solution when you choose Foreground Security as your information security partner. Visit the Foreground website at www.ForegroundSecurity.com for more information.