Holes In Adobe's Flash Player A Threat To System Security


Posted

Holes in Adobe's Flash Player a threat to system security

Adobe has published an update for Flash Player that eliminates many browser-independent security holes. Adobe classifies several of these as critical, because an attacker can infect a PC by placing specially crafted SWF files on Web sites. For this to work, it's sufficient for a page containing Flash content to be opened. The Flash Player is already included as a standard ActiveX Control in Internet Explorer under Windows. In these days of YouTube and other multimedia offerings, users of alternative browsers may also have installed a suitable plug-in from Adobe and so be just as vulnerable.

The versions affected are Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier under Windows, Mac OS X and Linux. Adobe advises all users to download and install the new Flash Version 9.0.115.0 as quickly as possible from the Adobe Flash Player Download Center.

Users who have activated automatic updates should already have been offered a new version. A patched Version 7 can be downloaded by those users who, for their own reasons, want or need to go on using Version 7. Not until later will Solaris users be offered update 9.0.47.0 with the faults removed. Until then, Adobe advises installing the beta version from Adobe Labs.

The security holes result from various bugs including heap overflows that occur during the parsing of SWF files. Through them, code can be smuggled in and executed with the rights of the user. According to Tipping Point, this can happen while manipulated JPG images embedded in SWF files are being processed. There are moreover vulnerabilities that allow the domain policy of the Player to be circumvented and cross-site scripting attacks carried out.

Like Web browsers, for security reasons the Flash Player has a restriction on what documents or files may be accessed. For example, the Player may only send data to pages from which it has loaded an SWF file. This is particularly important, because Flash supports ActionScript 3, a simple scripting language similar to JavaScript - and the fact that JavaScript can become a security problem is testified to by very many cross-site scripting vulnerabilities in Web sites and browsers.

HTTP headers can also be manipulated: something that can be exploited in HTTP request-splitting attacks. And ActionScript can be used to find out what ports on a PC are open. According to a security advisory, this can be misused for port scanning by remote computers.

So far there have been no reports of Web sites actively exploiting the holes in Flash. Fortunately YouTube, for example, only permits files to be uploaded in the WMV, AVI, MOV and MPG formats and encodes these into the Flash format itself, so there should be no maliciously crafted movies there. MySpace, too, creates a new Flash movie from an uploaded one. Things may be different on other pages, however. Users should consider installing a Flash blocker in addition, for example FlashBlock for Firefox. This prevents a Flash film being loaded and played until it has been approved by the user.

Update

The port scanning vulnerability in Flash Player has been known since last August. At this year's CCCamp, the hacker "fukami" who found the hole demonstrated how ActionScript detects the open ports on a system. The web page Design flaw in AS3 socket handling allows port probing gives a demo and a more detailed description of the problem. On this page, you can also test whether Adobe's update and the suggested workaround actually function.
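A small inventory check for the version ranges the advisory names (9.0.48.0, 8.0.35.0 and 7.0.70.0 and earlier; 9.0.115.0 as the fixed release). This is an added example, not code from Adobe or from the article; the host list is constructed, and the treatment of branches the advisory does not mention (older than 7.x, newer than 9.x) is an assumption noted in the code.

```python
"""Classify Flash Player version strings against the ranges in Adobe's advisory."""

# Highest vulnerable build per major branch, as stated in the advisory
# for Windows, Mac OS X and Linux (the article notes Solaris is numbered
# differently, so this check is not conclusive there).
LAST_VULNERABLE = {9: (9, 0, 48, 0), 8: (8, 0, 35, 0), 7: (7, 0, 70, 0)}
FIXED = (9, 0, 115, 0)  # release Adobe asks users to install


def parse_version(text: str) -> tuple:
    """Turn '9.0.47.0' into (9, 0, 47, 0); missing trailing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad Flash version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(text: str) -> bool:
    """True if the version falls inside one of the advisory's vulnerable ranges."""
    version = parse_version(text)
    major = version[0]
    if major in LAST_VULNERABLE:
        return version <= LAST_VULNERABLE[major]
    # Assumption (not in the advisory): anything older than the 7.x branch is
    # treated as vulnerable; a release newer than 9.x postdates the fix.
    return major < 7


def triage(inventory: list) -> dict:
    """Split 'host, version' lines into 'affected' and 'ok' buckets."""
    result = {"affected": [], "ok": []}
    for line in inventory:
        host, version = [field.strip() for field in line.split(",", 1)]
        result["affected" if is_affected(version) else "ok"].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    "ws-01, 9.0.48.0",
    "ws-02, 9.0.115.0",
    "ws-03, 8.0.35.0",
    "ws-04, 7.0.69.0",
    "ws-05, 9.0.47.0",
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```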

Posted

The story continues:

Warning - unpatched security loopholes in Flash applets

Security experts from Google are warning of dangerous security loopholes in Flash applets. They say that, as part of a joint investigation with staff of the security firm iSEC, they discovered that more than 500,000 Flash files on public Web sites are wide open to certain cross-site scripting (XSS) attacks. The researchers say that even the latest security update of Adobe's Flash Player gives no protection against the dangers that have been discovered. Among others, they have found Flash files of this kind on government and online banking Web sites.

The group is publishing details in its book "Hacking Exposed Web 2.0", which will come out in the USA in January 2008. According to the British IT news service The Register, this alarming news has already been circulating around company security departments for some time. Adobe is said to have been informed about the results of the research back in summer 2007.

The authors say that security patches for the Flash client cannot provide a solution to the problems: the harmful code is already generated at the time of creation by many popular Flash tools, including DreamWeaver, Breeze and Camtasia. The loophole makes it possible for cookies to be read out, or login data to be spied on, for example, while SWF files are being executed via a manipulated link with certain variables.
