November 12, 2009 11:12 AM PST

Expert says Adobe Flash policy is risky

by Elinor Mills

Updated 1:49 p.m. PST to clarify that Gmail issue was fixed and any attack would be theoretically possible but extremely difficult to accomplish.

A lax security policy in Adobe Flash puts visitors to user-generated content sites at risk, says a researcher who has found a technique exploiting the way browsers handle Flash files.

The problem stems from the origin policy of Adobe Flash, Mike Bailey, a senior security researcher at Foreground Security, said in an interview on Wednesday. "Adobe should change the way Flash Player handles the security policy so it doesn't allow arbitrary content to access the application without permission."

"By default, Flash Player trusts anything, but it should only trust what is allowed," he said, providing more technical discussion in a blog post.

For example, someone could upload what appears to be a picture to a social-networking site but which is actually a Flash file designed to execute malicious code in the browser when the file is opened. Anyone who views that picture could be compromised, said Mike Murray, chief information security officer at Foreground Security.

Bailey said that as far as he knows the technique has not been used in the wild as an attack, but that a "huge number of sites are vulnerable." (Gmail previously had an issue that could allow for this type of attack, but that has been fixed. Flash payload could "theoretically" still be executed, but it would be incredibly difficult to do, Bailey wrote in his post.)

Adobe has known about the issue for a while but says it can't fix it without risking breaking a lot of existing Flash content and applications around the Web, he said.

Administrators can make configuration changes to each Web site to mitigate the risk, Bailey said.

Meanwhile, users should disable Flash completely or use NoScript, a browser plug-in that blocks Flash and Java from untrusted sites, he said.

Asked to comment, an Adobe representative provided this statement:

"Generally speaking, by nature, Flash (SWF) content is powerful, active content and should be handled with the same care as other active content technologies, such as JavaScript, to ensure a site's design does not become vulnerable to abuse scenarios. Adobe has always advised that allowing arbitrary uploads or attachments of Flash (SWF) content to trusted domains should not be performed due to potential abuse scenarios, such as the ones outlined by Mike Bailey. Adobe has published several best practice advisories and blog posts for developers and site owners on how to safely host Flash content. For example, our Flash Player security white paper describes our model in great detail."

This screenshot shows an e-mail attachment executed in the context of a Squirrelmail client session, which leads to compromise of the Web-based e-mail account.

(Credit: Foreground Security)
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by dascha1 November 12, 2009 11:37 AM PST
Ok, knew it would happen today. Can't you guys figure what's important for today's news please. Then I'll run for office, provided I can afford a motorcycle escort and/or "detail" when I bike on the roads, in the pool, and running in general. No, I don't compete in a wheelchair, at least not yet!
by opiapr November 12, 2009 12:58 PM PST
If you don't like the news source get a new one their are millions of site out their. No one is forcing you to come to news.com
by dascha1 November 13, 2009 4:08 AM PST
Tell Apple to put "millions of site out their" (you need to work on your recognizing what you write, btw) when they distribute their browser bookmarks for every audience "out there".
by LinuxRules November 16, 2009 2:59 AM PST
That is why there is a specially made button on your keyboard called 'Delete'.
by SactoGuy018 November 12, 2009 11:38 AM PST
The only way we can get rid of this is to go to HTML 5.0, but that is also problematic since HTML 5.0 standards are not completely finalized and Internet Explorer 8.0 doesn't support HTML 5.0 (though I do expect Microsoft to update its browser for HTML 5.0 support within a year or so). Note that Firefox 3.5.5 isn't much better, though it will be interesting to see if the upcoming Firefox 3.6 due the end of this 2009 will support HTML 5.0 enough to run Google Wave natively.
by cvaldes1831 November 12, 2009 11:52 AM PST
From a security standpoint, I really wish there was a Flash replacement or special mode where everything would be rendered as a plain old image with no animation, hyperlinks, or other functionality.

Frankly, I'm sort of glad that I don't have to deal with Flash on my iPod touch.
by dascha1 November 12, 2009 12:19 PM PST
Don't forget, you can live without the sound on it too. ;)
by cvaldes1831 November 12, 2009 1:02 PM PST
Absolutely.

When I land on a site with annoying, blaring music, if I can't find the "sound off" button in three seconds, I kill the browser tab and make a mental note not to visit that site again.
by cp256 November 12, 2009 12:47 PM PST
It is such a shame that all the video sites use flash. Flash is such a POS for the browser. It gives you pretty much zero control over anything aside from just not using it. I didn't like it when it was Macromedia and I like it even less under Adobe. In addition to being a hideously bloated inefficient CPU time sucker and an ad spam magnet, it's insecure.

NoScript and NoFlash are two of my favorite Firefox plugins. I'd really like to see a truly seamless mechanism to play flash encapsulated videos through VLC in Firefox.
by cvaldes1831 November 12, 2009 1:05 PM PST
AdBlock Plus, NoScript, and NoFlash block a bunch of foibles, but I'm done with the "web browser on a computer" paradigm. Much of my Internet (not necessarily web) access is done on my iPod touch and web designers need to consider mobile devices as an important platform.
by SactoGuy018 November 12, 2009 2:54 PM PST
If you're referring to streaming video sites like Hulu and Fancast (for English-language series programming) and Crunchyroll (for Japanese anime), you're out of luck if you don't have Flash 10.x installed. This situation won't resolve itself until these sites conform to HTML 5.0 standards and start streaming video using the Ogg Theora compression format (the current preferred video format for HTML 5.0). Given that HTML 5.0 is not fully finalized, it could be several years before we can finally ditch Flash. :-(
by ExWinUser November 12, 2009 1:45 PM PST
How ironic, when I visited his blog site he is using Flash.
by jakeZ2 November 12, 2009 11:29 PM PST
Until someone comes up with a video format with the quality, flexibility and file size that even comes close to flash video, don't expect a change. h264 looks great, but the files are still much larger than the flv format.
Theora looks decent http://people.xiph.org/~oggk/elephants_dream/elephantsdream.html, but it's going to need more than a bad wiki page behind it to get it into the mainstream. i.e. stand alone converters.
by SnidleyWhiplash November 13, 2009 12:19 AM PST
So let me get this straight... because a content creator *could* stupidly construct their content, and because a server administrator *could* incompetently administer their server, that's somehow Flash's fault for being susceptible to a chain of bad decisions. And so this Einstein says the best solution is for the world to uninstall Flash. Riiiight... I suppose because Apache can be incompetently administered, we should uninstall every web browser too. And because people might drown we should stop drinking water. How about we just stop listening to so-called security experts who are more interested in grandstanding and hyperbole than substance?
by aMUSICsite November 13, 2009 4:57 AM PST
But I thought most of the upload sites don't allow flash to be uploaded, quite a few don't even allow embedding flash in their content.

The best solution seems to be for the big upload sites to block all flash, could you imagine how quickly Adobe would fix this if MySpace removed all embedded flash content from all its pages!
by zelrio November 15, 2009 4:23 PM PST
Those who use Firefox should definitely download the add-on called FlashBlock. It's awesome.
by Farthing Haypenny November 17, 2009 12:26 AM PST
I love my Flashblock too. It makes the internet better.