Adobe Flash fix FAIL exposes world's most popular sites

Hackers Luca Carettoni and Mauro Gentile found a badly-applied four-year-old Adobe patch allows attackers to steal information and commandeer accounts for three of the world's top ten websites and 'many' others. The LinkedIn and Minded Security researchers say the indirect Same-Origin-Policy Request Forgery and Cross-Site …

  1. Notas Badoff
    Meh

    Not probing your site, merely perusing...

    So if I suck down a component file from your web site, and analyse it offline for vulnerabilities, this skirts around the legal difficulties of being an Invading! Evil! Hackerist! ? After all, I did nothing but accept the files your site sent me, right?

    And if people start selling site profiles and example exploits to others, that isn't illegal, as they themselves are not penetrating a web site, right? They're just saying hey look over there that parked car is unlocked.

    Umm, okay, now how about the academic and investigatory exemptions? A survey in the public interest isn't illegal, right?

    Politics, legal codes, and morality... Sheesh! I think I'll keep my head down and keep coding!

  2. A Non e-mouse Silver badge
    WTF?

    Hang on...

    So a flaw in the Flash player needs the .SWF files re-compiling. Why does this sound wrong to me? To me, it sounds like a flaw still exists in the Flash player...

    1. Growler

      It's in the SDK

      I thought so too, at first. Then I got to this bit:

      "As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin."

      So the flaw was in the SDK and there are some sites that did not rebuild their Flash files after the SDK patch was released.

      I think the article needs to do more to make this clear.

      1. Dan 55 Silver badge

        Re: It's in the SDK

        It still exists in Flash Player which executes the flawed code. That's the problem. It's like having a browser full of HTML, CSS, and JavaScript flaws and the advice from the browser manufacturer is to use an IDE which doesn't let you save bad markup. Hackers aren't going to play nice and only compile with the latest SDK if they can produce a SWF with an earlier SDK which exploits clients' Flash Players.

    2. BristolBachelor Gold badge

      Re: Hang on...

      "So a flaw in the Flash player needs the .SWF files re-compiling."

      Is this the case though? Or is it that the SDK compiled buggy code that could be compromised?

      e.g. if your C compiler builds code that allows out of bounds memory leaks even when you ask it to do bounds checking, would you agree that it's an error in the compiler, or would you say that the processor that actually runs the code is at fault?

      1. Wibble

        Re: Hang on...

        Isn't Flash / SWF interpreted? In which case it's the interpreter that needs patching?

    3. PeterM42
      Mushroom

      Re: Hang on...

      " it sounds like a flaw still exists in the Flash player..."

      Er, YES, just the one or two........... MILLION

      Rename as crash.exe

  3. Electron Shepherd

    Not just the seedy side of the web...

    "Attackers would need to convince users to visit malicious websites in order to steal data or perform actions on their behalf"

    Is that true? What about all those sites that host Flash adverts? Surely an attacker could submit a plausible-looking Flash advert to an agency, and have it run on reputable sites?

    1. Anonymous Coward
      Anonymous Coward

      Re: Not just the seedy side of the web...

      The Flash advert doesn't normally run on the site you are looking at; it runs on the site of the agency. It is only through the miracle of the World Wide Web that it appears to you to be running on the site you are looking at.

      1. Tom 38
        Headmaster

        Re: Not just the seedy side of the web...

        "The Flash advert doesn't normally run on the site you are looking at; it runs on the site of the agency. It is only through the miracle of the World Wide Web that it appears to you to be running on the site you are looking at."

        Wrong.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not just the seedy side of the web...

          "Wrong."

          Am I really? Which sites are you thinking that host the flash adverts themselves?

          1. Tom 38
            Headmaster

            Re: Not just the seedy side of the web...

            "The Flash advert doesn't normally run on the site you are looking at; it runs on the site of the agency. It is only through the miracle of the World Wide Web that it appears to you to be running on the site you are looking at."

            "Which sites are you thinking that host the flash adverts themselves?"

            "host" is the same as "run", right?

            Nice hole, keep digging.

            1. Anonymous Coward
              Anonymous Coward

              Re: Not just the seedy side of the web...

              Oh boy, the original post was about stealing user data and flash adverts being hosted on those sites you were browsing, and your one word "wrong" was based on semantics, not that the actual statement was wrong.

              The flash file runs on your local browser, not any site, but the main point of the reply was that the flaw would affect the agency site (and data they held), not data on the site you actually chose to visit.

              You don't have to be an idiot about it; just point out it should be 'host' not 'run', then fair enough, point taken. Quoting the whole statement and claiming 'wrong' is a little different.

    2. Webfreelancer

      Re: Not just the seedy side of the web...

      This is a really old bug, if you read the security bulletin from Adobe issued at the time.

      'SWF files that were created without using Flex (such as files created in Adobe Flash Professional) are not vulnerable. '

      'Most applications built with Flex 4.x that were compiled in the default way (specifically, using RSL linkage) aren't vulnerable. However, there are rare cases in which they are vulnerable.'

      'Applications built using any release of Flex before 3.0 are not vulnerable.'

      Most Flex developers who knew their stuff would compile to use RSLs, since it gives very small apps calling a cached set of linked libraries. The slides shown exploit a feature of the player using flash vars in the page to do a redirect; this is no different from using Javascript and CORS to do a cross origin call. For every Flash exploit I can think of 3 ways to do a similar thing in javascript. The answer: browse with scripts turned off? Oh wait, my new shiny HTML 5 app won't work with Javascript turned off, bummer!

      No flash developer who understands security uses Flash vars if he can avoid it. A correctly formatted cross scripting policy file should also solve cross scripting stuff (that has been around in Flash since Flash Player 7 as a security device): the player will not load content from another domain unless it is specifically given permission via the Cross Domain Policy XML file on the server.
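The cross domain policy file mentioned above is the server-side allow-list that tells Flash Player which origins may read its responses. The following audit script is an added example, not code from the article, the commenters or the researchers; it parses two constructed crossdomain.xml documents (a wildcard policy beside a restrictive one) and reports the settings that widen cross-origin trust.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration; not taken from any real site.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-http-request-headers-from domain="www.example.com" headers="X-Requested-With"/>
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text: str) -> list[str]:
    """Return findings for a Flash crossdomain.xml document.

    Each finding names the element and why it widens the set of origins
    the player will let read this host's responses. Empty list = nothing flagged.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"root element is <{root.tag}>, not <cross-domain-policy>"]

    # 'all' (and the by-* modes) let non-master policies elsewhere on the
    # host extend trust; 'master-only' keeps /crossdomain.xml authoritative.
    for sc in root.findall("site-control"):
        mode = sc.get("permitted-cross-domain-policies", "")
        if mode in ("all", "by-content-type", "by-ftp-filename"):
            findings.append(f"site-control permits non-master policies ({mode})")

    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" trusts every origin')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from {domain} trusts all subdomains")
        # secure="false" lets a SWF served over plain HTTP read HTTPS responses.
        if entry.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from {domain} has secure="false"')

    for entry in root.findall("allow-http-request-headers-from"):
        if entry.get("domain") == "*" or entry.get("headers") == "*":
            findings.append("allow-http-request-headers-from uses a wildcard")

    return findings
```

Running the audit over the permissive sample yields three findings; the restrictive sample yields none.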

  4. Necronomnomnomicon

    Last week I finally uninstalled Flash across our office

    I get the feeling today won't be the last time I feel validated in doing that.

    As for how it went? Nobody really noticed. YMMV, of course.

    1. Craig 2

      Re: Last week I finally uninstalled Flash across our office

      All it needs to marginalize flash is a significant portion of people to do this. Any offending sites would soon be updated to make them HTML5 compatible. If you can't yet commit to fully uninstalling, set the plugin permission to ask; you'll be surprised how little you need it.

      1. manky

        Re: Last week I finally uninstalled Flash across our office

        This ^

        I ignore requests for the websites I use to run flash and they all work perfectly well. Most of the flash stuff embedded in sites is used to collate data and track you anyway.

    2. TheTick

      Re: Last week I finally uninstalled Flash across our office

      Recently did the same at home, now I'm feeling justified today.

      Surprisingly few websites are broken as a result so quite happy with the decision.

    3. Sandy Scott

      Re: Last week I finally uninstalled Flash across our office

      Out of interest, does that also include disabling the built-in flash plugin in Chrome?

      1. Necronomnomnomicon

        Re: Last week I finally uninstalled Flash across our office

        Call-center-type place here, so most of the users are on a lightly locked down version of IE rather than Chrome. The few users that do use Chrome have had the click-to-play setting engaged.

  5. This post has been deleted by its author

    1. RHOmea

      Re: Flash should just die already.

      Amen brother.

      1. Anonymous Coward
        Holmes

        Re: Flash should just die already.

        It's 2015 already. Why the hell are major websites still using flash?

        If Google would rip pepper from Chrome's innards, flash would basically disappear from the webernet in no time. Do us all a favor Google - stop enabling this monstrosity.

  6. BillDarblay
    Pirate

    Any web designer who chooses flash for a new site

    should be marched out and shot in front of their family.

  7. Mage Silver badge
    Big Brother

    Tricked to visiting site...

    xxxxx is wanting to connect with you <insert social site, i.e. linkedin>

    1. BristolBachelor Gold badge

      Re: Tricked to visiting site...

      It's even easier than that. You just hack a site like CNN, Reddit, theregister, etc. where you know your identified targets will be going, and place the code on there. We've seen sites that are very profession-specific hacked to be nice watering holes for this type of thing.

  8. Maty

    flash ...

    Remember the outrage when Steve Jobs said that iOS would not use Flash? If only more companies had followed his lead ....

    1. Anonymous Coward
      Facepalm

      Re: flash ...

      Yeah, cause that had nothing to do with Apple trying to steal users away from Youtube and other media services - right?

      Good thing iTubes has never had any security flaws...

  9. bep

    Hackers?

    I know Italian defenders can be quite hard but referring to them as 'hackers' seems a bit harsh.

  10. Webfreelancer

    Any real Flex developer would have strangled this bug at birth

    Any Flex developer who knew his stuff would never use the methods outlined in the slides.

    This was a known issue amongst Rich Internet Application developers at the time. All HTML and Flash code should be treated as insecure code.

    The solution: a Java jar to scan your network. Seriously, in the bank I worked at the sysop would be fired on the spot.

    Would you really want as a sysop to run a jar inside your network?

    Correctly designed applications built in Flex would never have been vulnerable to this.

    What's with flash haters? For years it was a form of p*&*s envy: the flash dudes could do cool stuff, whilst HTML programming made you want to gouge your eyes out with a spoon.

    In its time Flash was an incredible tool for pushing the envelope in a way javascript could not.

    That is starting to change, but the browser as a platform (Web 3.0, if you like) is still quite a fragmented patchwork of technologies. This creates challenges for building large HTML applications; what do you do if one of your large corporates is still using IE 6?

    When Flash dies, as it will, the browser as a platform will become a major point of hacking attacks; this creates a maintenance headache for companies creating Web apps. Every time the evergreen browser updates, will you need to retest your app?

    Now we have new sets of tools in javascript. What is interesting is that it is still the mindset and knowledge of the developer that sets excellent work apart from crap. I currently see some real crap built in Javascript, committing far worse sins than Flash ever did, but I am not screaming for canvas and javascript to be banned.

    Criminals will build malicious sites and will find ways to attack your javascript; in fact it is far easier to do than it ever was in Flash. Why? All your code is downloaded to the client and can be read or reversed. If you think minification or uglify gives you security you are delusional. Accept that client side code and the web is intrinsically insecure, and that is your starting point for security.

  11. Webfreelancer

    Is the cure worse than the bug

    Has it occurred to anyone that this might be an exploit?

    The authors of this so called 'bug' expect sys admins to download and run a Jar.

    If you go to the Git repo, you can't see what's in the source; it's in a zip.

    Neat way to get an exploit onto a load of servers if you ask me !!

    "Just because I am paranoid, does not mean that they aren't out to get me!!"
