Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flash Vulnerabilities Affect Thousands of Sites

Posted by kdawson on from the waves-of-shock dept.

An anonymous reader sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."

9 of 214 comments (clear)

  1. Re:Preference by palegray.net · · Score: 5, Insightful

    Flash done right can be extremely useful, as a tool for adding a dynamic interface to a site. Unfortunately, Flash is (in my opinion) usually done horribly wrong, and implemented in a manner that doesn't give site visitors any alternate means of using the site. I've seen good implementations where Flash was used only for a particular application, and the rest of the site was done in standard-compliant HTML/CSS. I've also seen really scary work on countless occasions where the entire site was one big Flash presentation. Ugly stuff.

    --
    512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
  2. Permanent workaround by noidentity · · Score: 5, Insightful

    Funny, I've been using a permament workaround since way before these were discovered: don't install Flash. As a bonus, you get notified with a blank screen when vising a website with no useful content, so you don't waste any time trying to figure out how the hell to navigate it.

  3. Re:I'm no fan of proprietary solutions, but... by Anonymous Coward · · Score: 4, Insightful

    If it were open the source code could be audited and perhaps this vulnerability (or others) would have already been identified and corrected. With proprietary solutions you just don't get that option.

  4. Re:Preference by Anonymous Coward · · Score: 5, Insightful

    Depends on what you are trying to achieve, but I would never go with Flash. The only benefit of Flash is that it will keep the majority of users from "stealing" your content by downloading it and saving it to a file. And you also get to code up your own crappy player in it too. If you want it playable on the largest number of devices(what people normally claim is the benefit of Flash), then go with MPEG-1 which will work more places than Flash.

  5. Re:Proprietary, huh? by Jack9 · · Score: 4, Insightful
    Even open source implementations are vulnerable to XSS.

    Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

    In summary, "Phishing can work against Flash apps." Specifically, the article says someone at Google documented something about XSS working against Flash apps...being really light on the details. This could apply to Google's stock market Flex charting, for example. Adobe hasn't done anything about it and didnt respond to EMAIL inquiries about it.
    My question is who asked The Register, to troll against Adobe? AND how did it get posted on /. /Lemme know if I missed something.
    --

    Often wrong but never in doubt.
    I am Jack9.
    Everyone knows me.
  6. Re:Preference by Anomolous+Cowturd · · Score: 5, Insightful

    Not a fan of flash either, but the one application it is actually good for is the youtube-style video embedding. I prefer flash to the satan-spawned abominations quicktime & windows media player, as the platform support is better, among other things.

    --
    Software patents delenda est.
  7. Re:Proprietary, huh? by Deanalator · · Score: 4, Insightful

    The problem isn't that adobe has a poor implementation of the flash protocol. If that was the case, they could just patch the issues (like in the past). These issues stem from the protocol itself, and that it is very liberal on how it defines access control. This is not something that can be fixed by open source. Even if gnash did have a top notch security team (which I doubt, since it sounds to me like they are still having trouble getting swf to parse safely), they would need to redefine much of the protocol, add proper mandatory access controls. Doing this in a way that would not break existing flash applets would be a huge pain in the ass. Not to mention having to go back and change everything again once adobe releases a new version.

  8. Re:Preference by JackMeyhoff · · Score: 5, Insightful

    Most flash is done WRONG unfortunately, and most sites either open in a new limited controllable window and / or have a screen area the size of a postage stamp. Flash sucks for many reasons, and this is 2 of them.

    --
    http://www.rense.com/general79/wdx1.htm
  9. Flash != Evil by ckorhonen · · Score: 5, Insightful

    I really would like to hear details of the 'vulnerability' just so I can begin checking our code and performing an assessment of wether or not this is a credible and realistic threat to the security of our customers.

    In the past, many vulnerabilities have been reported on the Flash player, but most of them follow a similar kind of theme - the rogue SWF file must be created with third party authoring tools, and or modified in a hex editor, in order to put the malicious code in there to begin with. In addition, due to the security sandbox and crossdomain restrictions, it needs to be downloaded from your site anyway. So, its perfectly possible for a SWF to wreak havoc on a user's machine, the only caveat is that someone within a company, with access to the web servers and source code, would need to have created it in the first place - something I'm sure is indicative of a larger problem!

    Oddly, most non Flash/web developers tend not to see it that way - I have a beautiful MP3 of a conversation I had with one of our 'Security' people who just consistently ranted on about undisclosed vulnerabilities as a reason not to use Flash in a project.

    In my years of working with the web and the Flash platform, I have not yet seen a single workable exploit that could present a credible threat to the majority of Flash user's on the web, not without the user or the site already being compromised in some manner.

    The only somewhat grey area is where Flash is used for online advertising, but you will find that most of the main publishers out there are aware of this and perform some level of code review on ads before they go live - I work for a bank and we don't run any 3rd party adverts without seeing the sourcecode and decompiling any SWF assets provided.

    Really guys, the Flash platform isn't the cloud of evil you are making it out to be. Granted, it has been used for some really annoying things in the past, but used right, it can really help to deliver a friendly, usable and engaging user experience. In addition, in Adobe's hands we have seen it become more open than ever before - Flex, AMF, Tamarin, all released as open source in the past year. I'd be surprised if this trend does not continue.