Updated 1:49 p.m. PST to clarify that Gmail issue was fixed and any attack would be theoretically possible but extremely difficult to accomplish.
A lax security policy in Adobe Flash puts visitors to user-generated content sites at risk, says a researcher who has found a technique exploiting the way browsers handle Flash files.
The problem stems from the origin policy of Adobe Flash, Mike Bailey, a senior security researcher at Foreground Security, said in an interview on Wednesday. "Adobe should change the way Flash Player handles the security policy so it doesn't allow arbitrary content to access the application without permission."
"By default, Flash Player trusts anything, but it should only trust what is allowed," he said, providing more technical discussion in a blog post.
For example, someone could upload what appears to be a picture to a social-networking site but which is actually a Flash file designed to execute malicious code in the browser when the file is opened. Anyone who views that picture could be compromised, said Mike Murray, chief information security officer at Foreground Security.
Bailey said that as far as he knows the technique has not been used in the wild as an attack, but that a "huge number of sites are vulnerable." (Gmail previously had an issue that could allow for this type of attack, but that has been fixed. A Flash payload could "theoretically" still be executed, but it would be incredibly difficult to do, Bailey wrote in his post.)
Adobe has known about the issue for a while but says it can't fix it without risking breaking a lot of existing Flash content and applications around the Web, he said.
Administrators can make configuration changes to each Web site to mitigate the risk, Bailey said.
Meanwhile, users should disable Flash completely or use NoScript, a browser plug-in that blocks Flash and Java from untrusted sites, he said.
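The site-side mitigation comes down to never letting an SWF land on a trusted origin under the guise of an image, and never trusting the client's filename or Content-Type when deciding what a file is, since Flash Player decides by the bytes. The following is an added example of such an upload guard; it is not code from Foreground Security, Adobe, or the researcher's blog post. The sample uploads are constructed, and UPLOAD_HOST is a placeholder for a separate host with no session cookies or application code from which user content would be served.

```python
"""
Upload guard for a site that accepts user images: reject anything whose
leading bytes are an SWF, and decide the served Content-Type from the bytes
rather than from the client-supplied name or type.  Added example; not code
from Foreground Security or Adobe.  The sample uploads are constructed, and
UPLOAD_HOST is a placeholder for the separate host user content is served from.
"""

# SWF files begin with one of these three-byte signatures followed by a version byte.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib-compressed", b"ZWS": "lzma-compressed"}

# Leading bytes of the image formats this site is willing to host.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

UPLOAD_HOST = "usercontent.example.test"  # placeholder: no session cookies or app code live here


def swf_kind(data):
    """Return the SWF compression kind if data carries an SWF header, else None."""
    return SWF_SIGNATURES.get(data[:3])


def sniffed_image_type(data):
    """Return the image MIME type the leading bytes actually indicate, else None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if data.startswith(sigs):
            return mime
    return None


def validate_upload(filename, declared_type, data):
    """Return (accepted, mime_or_reason).  Only the bytes are trusted, never the name or type."""
    kind = swf_kind(data)
    if kind:
        return False, "rejected: %s SWF uploaded as %r" % (kind, filename)
    sniffed = sniffed_image_type(data)
    if sniffed is None:
        return False, "rejected: not a recognised image format"
    if sniffed != declared_type:
        return False, "rejected: declared %s but bytes are %s" % (declared_type, sniffed)
    return True, sniffed


def serving_headers(mime):
    """Headers used when an accepted file is served back from UPLOAD_HOST."""
    return {
        "Content-Type": mime,                 # the type sniffed at upload time, not the client's
        "X-Content-Type-Options": "nosniff",  # browsers must not re-guess the type
    }


if __name__ == "__main__":
    samples = [  # constructed uploads: (filename, declared type, leading bytes)
        ("kitten.gif", "image/gif", b"GIF89a" + b"\x00" * 10),
        ("kitten.gif", "image/gif", b"FWS\x08\x20\x00\x00\x00"),  # SWF renamed to .gif
        ("kitten.gif", "image/gif", b"CWS\x09" + b"\x00" * 10),   # compressed SWF
        ("kitten.png", "image/png", b"GIF89a" + b"\x00" * 10),    # declared type does not match bytes
    ]
    for name, declared, head in samples:
        ok, detail = validate_upload(name, declared, head)
        print(name, declared, ok, detail, serving_headers(detail) if ok else "")
```

The check rejects by signature rather than by extension because the player does not care what the file is called; serving accepted files from a host that holds no session cookies limits what even a missed SWF could reach.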
Asked to comment, an Adobe representative provided this statement:
"Generally speaking, by nature, Flash (SWF) content is powerful, active content and should be handled with the same care as other active content technologies, such as JavaScript, to ensure a site's design does not become vulnerable to abuse scenarios. Adobe has always advised that allowing arbitrary uploads or attachments of Flash (SWF) content to trusted domains should not be performed due to potential abuse scenarios, such as the ones outlined by Mike Bailey. Adobe has published several best practice advisories and blog posts for developers and site owners on how to safely host Flash content. For example, our Flash Player security white paper describes our model in great detail."
This screenshot shows an e-mail attachment executed in the context of a Squirrelmail client session, which leads to compromise of the Web-based e-mail account.
(Credit: Foreground Security)
HP is set to announce on Monday a free tool that developers can use to check for holes in the Flash applications they write, which can lead to data leaks and other security problems on Web sites.
HP SWFScan decompiles Flash applications and searches the code for vulnerabilities and violations of Adobe's best security practices guidelines, said Billy Hoffman, manager of HP's Web Security Research Group. The tool works with all versions of Flash.
With the Flash Player installed on more than 98 percent of Internet-connected computers globally, Flash applications are a popular target for attackers. HP analyzed nearly 4,000 Web apps developed with the Flash platform and found that 35 percent violate Adobe's security best practices.
For example, encryption keys and other sensitive data have been found inside client-side Flash code, Hoffman said.
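To make concrete the kind of finding such a scanner raises once an SWF has been decompiled, here is an added toy static check over ActionScript source. It is not SWFScan's code or rule set; its two rules (a secret-looking variable assigned a string literal, and a wildcard `Security.allowDomain("*")` grant that lets an SWF from any domain script this one) are the author of this example's own illustration, and the sample source is constructed.

```python
"""
Toy static check over decompiled ActionScript, in the spirit of what a scanner
such as SWFScan does after decompiling an SWF.  Added example with two rules of
its own (hard-coded credentials, wildcard cross-domain scripting grant); it is
not SWFScan's rule set or code.  SAMPLE_AS3 is constructed for the demonstration.
"""
import re

# Rule 1: an identifier that looks like a credential assigned a string literal.
# Allows an optional ActionScript type annotation, e.g.  apiKey:String = "..."
SECRET_ASSIGN = re.compile(
    r'\b(?P<name>\w*(?:key|secret|password|passwd|token)\w*)\s*(?::\s*\w+)?\s*=\s*"(?P<value>[^"]{6,})"',
    re.IGNORECASE,
)

# Rule 2: Security.allowDomain("*") or allowInsecureDomain("*") lets any site's SWF script this one.
WILDCARD_DOMAIN = re.compile(r'Security\.allow(?:Insecure)?Domain\(\s*"\*"\s*\)')


def scan_actionscript(source):
    """Return a list of (line_number, rule, detail) findings for the given source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append((lineno, "hardcoded-secret", '%s = "%s"' % (m.group("name"), m.group("value"))))
        if WILDCARD_DOMAIN.search(line):
            findings.append((lineno, "wildcard-allowdomain", line.strip()))
    return findings


# Constructed sample: what decompiled output of a careless SWF might look like.
SAMPLE_AS3 = '''package {
    import flash.system.Security;
    public class Main {
        private var apiKey:String = "k9Jd83hS7xq2";       // shipped to every visitor
        private var endpoint:String = "https://api.example.test/v1";
        public function Main() {
            Security.allowDomain("*");                    // any origin may script this SWF
            Security.allowDomain("partner.example.test"); // scoped grant, not flagged
        }
    }
}'''


if __name__ == "__main__":
    for lineno, rule, detail in scan_actionscript(SAMPLE_AS3):
        print("line %d: %s: %s" % (lineno, rule, detail))
```

A real scanner works on the decompiled bytecode rather than on pretty source, and a key stored this way is recoverable by anyone who can fetch the SWF, which is every visitor; that is the data-leak class the paragraph above refers to.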
Flash, traditionally used for creating animation and games, has been increasingly used for Web 2.0 apps destined for enterprise use, for which tighter security measures are required, he said.
Hoffman explains how a Flash app vulnerability can be exploited in this video.
This isn't the first tool aimed at Flash developers. IBM last month announced its Rational AppScan, which automatically scans Flash and Ajax-based applications for security defects. The standard version of that product costs $17,550 for a one-year license.
Last year, HP was called upon by Microsoft to develop a free tool, Scrawlr, that developers can use to test for SQL injection vulnerabilities in apps on Microsoft's ASP platform, according to Hoffman.
While developers are striving to write more secure Flash apps, Adobe occasionally is forced to deal with security holes in the Flash Player itself. For instance, Adobe recently issued a patch for a hole in the player that could allow an attacker to remotely take control of a computer.
Adobe released a patch for a Flash player hole this week that could allow an attacker to remotely take control of a computer.
The vulnerability is rated critical for Adobe Flash Player 10.0.12.36 and earlier versions, the company said in an advisory.
To exploit the vulnerability, a targeted user must load a malicious Shockwave Flash file, which can be done by social engineering the user or injecting malicious content into a compromised, trusted Web site, according to an advisory from security firm iDefense.
Internet Explorer and Firefox plug-ins can be used to temporarily block and unblock Flash content, iDefense said.
While Adobe was releasing news about the Flash vulnerability, more information was surfacing about the hole in Adobe Reader 9 and Acrobat 9 that was announced last week. A patch is due by March 11.
Security company Sourcefire, which released a patch of its own, told IDG News Service that it has found evidence of attacks exploiting the vulnerability for more than six weeks.
There were two critical vulnerabilities in Adobe Reader last year that resulted in remote code execution exploits, according to an entry on the IBM Internet Security Systems blog.
"Currently, we have only witnessed this [new] exploit in highly targeted attacks and have not detected this exploit utilized heavily in the wild yet," the blog entry said. "But it is unknown how long it will be before we see this spread quickly through malicious websites. Milw0rm just released proof-of-concept exploit code. So, we don't expect it to take long before this exploit moves beyond targeted attacks to malicious exploit toolkit integration and widespread exploitation."