Adobe Flash Exploit Could Log Keystrokes

Kenyon Lessi writes "Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers. The problem affect Adobe Flash Player version 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms."

Great...

[6Yankee]

...and TFA has a Flash ad...

Re:Great...

[Cutriss]

You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash. Of course, they just want to get paid and don't really care about you, so I can't say I'm all that surprised.

Or...maybe the world isn't as evil of a place as you think, and the people writing the article aren't the same people that develop the website? Maybe they don't even know how to use Flash and just write copy?

Re:Great...

[MojoRilla]

You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash.

Why? I'm sure the editorial group uses a CMS to publish these pages, and the standard template has DoubleClick ads in them. DoubleClick may or may serve out Flash ads, based on what is bought and should be served at any particular moment. This allows the advertiser to have a lot of flexibility, as they can buy only 1,000 impressions or 1,000,000 impressions, and have those ads served out over a wide range of pages. It also makes it easy for editorial people to get paid for their work, instead of having to worry about ads on every single page they publish

There are some cases where ads will be pulled or targeted for a specific reason, such as no ads at all on plane crash stories, or no MSN ads on AOL pages. But it would be far too costly to make an exception like that for a flash ad on a page about flash insecurities.

Always So Negative

[eldavojohn]

I know a lot of people are going to find something to complain about with these new bugs--no, wait--features of our beloved and adored Adobe Flash plugin but I think we should turn these lemons into lemonade and recognize all the fun things people can do with a tool like a keystroke logger:

• Get an extremely accurate analysis of your words per minute in typing.
• Search through the log and double check that you correctly entered all of your banking account numbers, credit card and personal information on all of your internet forms.
• Do searches on the log to see if you ever accidentally typed "teh" and how many times that happened.
• Compare your Letter Frequency to the standard featured in Edgar Alan Poe's The Gold Bug

As you can see, there are many fun & great things that one can do with the potential of these new key logging features.

</sarcasm>

Re:Always So Negative

[CaptainPatent]

Wow... and you typed that post at 55 words per minute!

Re:Always So Negative

[monk.e.boy]

they should Open Source the player. That would solve most of their problems.

The only bit that is worth anything is the Flash IDE designer thingy.

If it was opensource it'd be a great stop gap between HTML + JS (now) and HTML + SVG + JS (future). It'd also help fight Silverlight, which is gunna take over the world if we aren't careful :-(

Any other ideas for spreading multi-media web without using Java (ugh) Flash (ugh) or Silverlight (hm...)?

monk.e.boy

Re:Always So Negative

[UbuntuDupe]

This sounds kind of like the "exploit" in Second Life, where you can script objects to listen for commands from users, which necessarily allows you to script listening bugs -- just have it listen for whatever people say near it, and IM the results back to you. I actually wrote a few of these and ended up finding out not-too-cool things people were saying about me.

Anyone know if they've fixed this somehow?

Time to update!

Time to update Adobe Updater so it can download the new updates!

http://www.agavegroup.com/images/articles/adobeUpd ater.gif

Re:Can't trust 'em

[also-rr]

If you don't trust adobe you could always install the open source Flash plugin swfdec. It's come on a lot recently and now plays most things. Hopefully the heavy pace of development will continue - I'm seeing about 5 commits per day adding new stuff on the mailing list.

Does it effect Flash Lite/Wii users?

[Organic+User]

Flash Lite is used on mobile devices. I assume this effects the Flash player on the Wii?

Re:Does it effect Flash Lite/Wii users?

[EveryNickIsTaken]

This therefore begs the question.. Can a keystroke logger also log waggles?

Re:Does it effect Flash Lite/Wii users?

[AKAImBatman]

Does it effect Flash Lite/Wii users?

Since no one else will just answer the darn question, I will.

The answer is that it may technically affect the Wii. However, it is a practically useless exploit on such a device. For one thing, the system does not multitask. So if the only keypresses that could be trapped are the ones already available through Javascript or Flash. Secondly, there are no keypresses. Flash does not receive anything as a keypress, while Javascript is capable of receiving the Wii Remote buttons as if they were "keys".

Information placed in text fields cannot be logged, as it is handled by a "stop-the-world" on screen keyboard. (Oddly, the Flash player does not run while the keyboard is on the screen, but scheduled Javascript events continue to execute in the background. Go figure.) Since neither Flash nor Javascript can interact with this keyboard, the user is pretty safe from having their passwords or credit card information stolen. The only real exploit is the old-fashion social engineering exploit. i.e. Try to get someone to enter their information into a compromised Flash Movie or webpage. Which does not require a security exploit to accomplish. :)

Re:If exploited on a ...

[Constantine+XVI]

I believe the buttons on the Wiimote map to a few keys (for use in Flash games) and the pointer just picks up as a mouse. That's about it.

NoScript blocks Flash

[Matt+Perry]

Once again NoScript helps out here since it can block Flash. I don't run Flash on any pages that don't absolutely require it, and I find few that do. Flashblock is another option for Firefox users that only want to block Flash and nothing else. Browse safely everyone.

Monopoly

[plams]

The Flash monopoly is probably worse than the Internet Explorer monopoly (which is slowly dissolving). While the file format is semi-open to the public you have to agree on a license that prevents you from writing your own Flash player from the documentation - it only allows you to write exporters. When you get past that you'll find a file format that is hideously obfuscated. Variable bit length integers means that your data isn't even byte-aligned. The documentation does very little to help you figure out why a seemingly valid Flash file just doesn't render correctly in the player.

It pisses me off because Flash really has a lot of exciting stuff to offer, yet they can run the development at their own pace, writing shitty players with security holes (not to mention that they're still software rendering graphics in year of 2007). Even though my primary computer has Linux installed I find myself hoping that the new Windows Silverlight will give Flash a lot of healthy competition. It doesn't seem like any opensource projects are close to rivaling Flash yet.

Re:Monopoly

[TheRaven64]

Look at IE between killing off NetScape and FireFox becoming popular. Now compare that to IE when it had competition from NetScape and later FireFox. I don't want SilverLight to win, but I'd much rather Flash had some competition, because competition helps encourage innovation.

Re:Monopoly

[tkdtaylor]

Did you miss the story posted here about Mono Coders Hack Linux Silverlight in 21 Days???

Flash Player 9 is NOT affected by keystoke logging

From the article: "In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected."

Beautiful, but I guess this is slashdot and no one bothers to read the articles they submit. And yes, 9.0.45.0 still has a serious remote exploit flaw, but mixing these issues together is not the way to go.

Quality

[Reality+Master+101]

You know, to be fair to Flash, I have to say that it's an incredibly well-written application overall. It's very small to download and it works very well. Heck, they actually made video consistently work on the Internet! I think you can make an argument that they are solely responsible for making video sites like YouTube viable. All video STILL sucks except for Flash.

Of course, the quality of Flash is a different question from how it's abused. :) [personally, I don't mind Flash all that much.]

Re:Quality

So well written that they couldn't port it to 64bit platforms without rewriting the underlying script host from the ground up.

That's some "Real Quality Software" right there and it's great that flash is so instrumental in furthering the promise of an open, accessible web. How I wish every web page was a chunk of executable bytecode.

Re:Quality

[Reality+Master+101]

So well written that they couldn't port it to 64bit platforms without rewriting the underlying script host from the ground up.

Portability (which has multiple dimensions) is not a measure of quality, it is a design goal that may or may not be part of the goals of a project.

Re:Quality

[TheRaven64]

There are a few projects that really show up Java. One is Flash. Another is Squeak, which manages to run Smalltalk fast enough that you can run video CODECs written in Smalltalk on it even on slightly old hardware. I think the Squeak team really dropped the ball on the whole web thing; a Squeak plugin could have been an incredible platform for rich client-side development (Squeak is still one of the best development environments around), but they concentrated on desktop replacement instead.

Re:Quality

[Mister+Whirly]

You sir, are not a programmer. End of story.

Re:If exploited on a ...

[AKAImBatman]

I believe the buttons on the Wiimote map to a few keys (for use in Flash games)

Actually, the keypresses only make it as far as Javascript. In order to "hear" the presses in Flash, you need to use the WiiCade API, which traps all the keypresses and forwards them to Flash. There's also the earlier Quasimondo API, but it fails to trap the keypresses, making it useless under most circumstances.

Back in the old days...

[TheTranceFan]

You know, back in the old days we only had linear keystrokes, and they worked fine for us. Now it's all about the log keystrokes with the kids these days.

World's going to hell.

Did anyone read the article?

[popo]

This isn't a bug in the latest flash plugin... only older ones.

I for one love the fact that Flash still represents one of the few uniform platforms on the interweb
with extremely limited cross-browser issues.

Full Article

Adobe Flash exploit could log keystrokes
By Dawn Kawamoto, CNET News.com
16/07/2007
URL: http://www.zdnetasia.com/news/security/0,39044215, 62028443,00.htm

Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.

Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.

Users loading a malicious vector graphics file format (SWF) in their Flash Player may find attackers exploiting security flaws due to an input validation error in 9.0.45.0 and earlier versions, according to a security advisory from Secunia. Attackers, as a result, can gain remote access to a user's system.

In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected.

Versions 8.0.34.0 and earlier contain a bug due to insufficient validation of the HTTP referrer. As a result, an attacker could execute a cross-site forgery attack. Flash Player 9, however, is not affected.

Adobe recommends that 9.0.45.0 users upgrade to 9.0.47.0 for Windows, Mac and Solaris, or 9.0.48.0 for Linux.

Adobe Flash Player 9 is the recommended solution for the other two versions that contain security flaws.
--
For Your Flash-Based Safety

Re:Confusing Product Names

[AKAImBatman]

Shockwave was Macromedia's original online animation plugin. It is extremely feature-rich and quite fast at what it does. It's also quite large. So when a company called FutureWave created a much smaller vector-graphics competitor, Macromedia bought them out and renamed it "Shockwave Flash" to give the impression that Flash was a subset of their Shockwave technologies. (You'll notice that the Flash movie extension is "SWF". "ShockWave Flash")

In reality, it was all just marketing BS. Flash had enough features to make animation authors (and later game developers) happy, so it quickly replaced the more heavyweight Shockwave. After the acquisition of Macromedia by Adobe, they stopped trying to maintain the charade and simply called it "Adobe Flash". There are still a few vestigial pieces of the software that refer to "Shockwave Flash", but they're slowly disappearing as time goes on.

Positive thinking

[TheDarkener]

Not that this security hole has much at all to do with it, but I strongly believe in positive thinking.

Maybe if we all chant, they will hear us.

Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.

Is the ActiveX affected?

[smooth+wombat]

We don't allow people to install Flash on their systems here at work but we do provide the ActiveX component to run Flash. Is it affected as well? The article doesn't say.

Personally, I don't run Flash. Time and again it has been shown to be a security risk and these new developments only strengthen that perception.

Re:Is the ActiveX affected?

[FranTaylor]

Exactly.

"We don't let people bring shotguns to work, but pistols are okay".

Re:Can't trust 'em

[X0563511]

Thanks for linking to the project webpage which redirects to a wiki. Next time link to the sf.net project page and let us choose to go to the homepage ourselves rather than fight with sf.net.

AMD64

[Sunshinerat]

Does Anybody know if the 64 bit Linux version is also affected?

Oh wait...

MvE

Re:Can't trust 'em

[Touvan]

This is very interesting. Like the Java clones before it, this project (swfdec), and gnash show how popular closed source projects have their own way of encouraging something similar to the dreaded "forking" that corporations fear so much. What's interesting about Java is that opening the source seems to have reversed that trend, and we now see some attempts to unify the many Java code bases.

I wonder if Adobe will figure that out, and open up Flash Player some more.

Sorry, a *what" ?

[DrYak]

and TFA has a Flash ad...

Sorry a Flash-what ?

Oh, it must be one of those things we are missing, as users of :

Adblock plugin (stops ads, be it Flash, Javascript or plain pictures)
Adblock+ plugin (fork with different features but similar purpose)
Adblock Filterset.G updater plugin (updates the whitelist/blacklist of the above - no more need to configure manually, just install and forget)

or NoScript> plugin (selectively inhibits Javascript, Java and Flash following whitelist/blacklist),
FlashBlock plugin (prevent Flash embeds to auto-start. User must click on place holders to start them),

or Gnash GPL Flash player (GNU page) (an Open source player which, not only has an option to prevent flash from autostarting, but also isn't probably even affected by the exploit of TFA),
SWFDec GPL Flash decoding library (another opensource plugin for browsers which probably isn't affected by the exploid either),
or not installing a Flash player at all and using SaveTube to watch flashvideos.

I think most geeks haven't seen an ad for years and have anyway many mean at their disposition to avoid being exploited by flash bugs.

Misleading headline

[mad.frog]

More accurate would be "Adobe Issues Fixes For Flash Exploit That Could Log Keystrokes"...

Headline implies that exploits were just found and still exist. Not so.

Re:"Shockwave" is still in the URL and Product Nam

[Val314]

And I'm not having any luck finding anywhere at tells me what version of the plugin (ActiveX Control?) I'm currently running, so now I have to walk to each and every machine in the domain and install the latest manually.

see here: http://www.macromedia.com/software/flash/about/