Google researcher calls for Flash flush
A Google researcher is advising that security professionals rewrite code associated with Adobe Flash content two weeks after warning that buggy files can be exploited by attackers to gain complete control over transactions on websites belonging to banks, government agencies and other trusted organizations. The security bug …
It's all lipstick on a pig anyway. It warms me heart that there are vulns associated with it. Google should skip any page that includes the sticky stuff.
Red windcheater, long black scarf, bye!
Something not written by Microsoft has a really nasty security hole in it.
What is the world coming to?
It's a good thing for Adobe that MS don't do "look 'n feel" lawsuits like the nibbled fruit lads :-)
I do not criticize the format itself, some good things have been done with it. What I do criticize is the tendency that much too many sites have to manage everything in a single Flash applet.
Useless, annoying, bandwidth-killing and destroyer of HTML links.
Whenever I stumble across a site that is Flash only, I quickly go away and hopefully never return.
Thanks be for Firefox and good old Flashblock. I never see that stuff.
Make sure your local hostname doesn't have a 1 in it or the thing won't work - use 127.0.0.1 instead if running locally or create something in your local hosts file.
The hostname for my server had two 1's in it and all I got was JS errors!!
I just don't get it. Who inserts code where? What exactly will I have to do to expose myself to danger?
Is the trick that flash content on web site A can access flash content on web site B if both sites are open in the same browser? (as an entry point to the entire B website)
Or: How do you get to the point where you can inject script code into the flash hosted by the targetted website? Can you do it from JavaScript?
I'm not asking for a recipe, these are mostly yes/no questions. The article is verbose where it really doesn't need to... Yet leaves out the important bit: Telling me exactly what I have to avoid.
--
Rune
I think you avoid flash fullstop. :)
It seems to work this way:
Site bankinc.compromised has a flash applet on the site which is vulnerable.
You visit the bank and start a logged in session, which is controlled by a cookie only bankinc.compromised can access.
You get bored and go off to evil.comdom which whilst displaying a number of interesting pictures is also trying to load flash objects in the background from various sites with an ill crafted skinName paramater in them. This will allow
code to be injected and hence control the flash applet running on your browser which comes from bankinc.compromise.
They get lucky and the code they inject requests all the cookies on the bank site you are still logged in to the bank. And the bank cookies are now available via the compromised flash. The code also communicates those cookies back to evil.condom thru your browser.
Once evil.condom operator has your cookie, they could hijack your bank session.
It is a cross site attack and they could do more beyond just taking the cookies, but the cookies are the obvious one, and you would hope they checked the IP did not change mid session. Theoretically if the flash was on the make payments page they could automate a payment with it.
Who inserts code where? bad guy calls flash from bank using a skinName param which allow arbitrary to code to run in the bank's flash.
What exactly will I have to do to expose myself to danger? Allow flash to run and use a trusted site that has flash anywhere on the domain.
Is the trick ... ? No - bad site calls the bank flash - like you embed a site in a site, or snaffle an image.
Where is the injection, is javascript to blame? No, javascript is not to blame the flash html object is if you must blame something - but really it is flash.
>> Yet leaves out the important bit: Telling me exactly what I have to avoid.
Werl... Too much sun, alcohol, cigarettes, fried food, drinking tap water in developing countries mostly. And obviously, anything that looks like a land war in Asia !
Coat already on.
I searched my Mac & XP for *any* files related to Flash and Shockwave, deleted them, ages ago! What I avoid is having time/bandwidth wasting blipverts , which incidentally can do cross site scripting. I have the usual sacrificial PC/Mac filled with every multi-media add-on to keep the kids happy at youthTube or whatever todays social networking site is called. The work Mac/PC will remain locked down. (no sign of 2o7.net cookies!)
Aren't the Flash files themselves the bugs?
There are sites like CNET.com that are so full of Flash based ads that the page is impossible to read. They have full motion videos with sound that load automatically, and if you want to scroll anywhere you have to manually turn them off first.
These guys wouldn't dream of having imbedded MIDI files playing tunes and animated GIF files everywhere, like some Geocities template page about cute kittens from deepest cyburbia.
They do it with Flash and that's somehow more sophisticated.
I use Firefox and Flashblock and don't visit CNET very often.
Sign up, sign up for The Register's weekly IT security newsletter - click here
