Flash Vulnerability Found, Adobe Says No Fix Forthcoming

An anonymous reader writes "Security researchers at Foreground Security have found an issue with Adobe Flash. Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems. Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be."

OH NO!!!

[Narcocide]

Someone has found an issue with Flash?! Say it isn't so...

Re:OH NO!!!

[Monkeedude1212]

I lost count. Can someone help me out again? This time I'll count using Binary on my fingers.

Re:OH NO!!!

[somersault]

This time I'll count using Binary on my fingers.

I've never actually considered doing this. Clever. Almost completely useless as I don't have much use for physical counting references, but clever nonetheless!

Re:OH NO!!!

[bertoelcon]

This time I'll count using Binary on my fingers.

That isn't going to go high enough either.

Re:OH NO!!!

[Icegryphon]

It is version 10.0.Æ.21.
Don't try to count using for fingers.
you need a Scientific Calculator

Re:OH NO!!!

[0100010001010011]

LSB or MSB?
Signed or Unsigned?

Re:OH NO!!!

[Ragzouken]

It doesn't matter, and unsigned, obviously.

Re:OH NO!!!

[Firehed]

That's what toes are for!

Re:OH NO!!!

[Nerdfest]

I have a sign bit.

Re:OH NO!!!

[The+Archon+V2.0]

I lost count. Can someone help me out again? This time I'll count using Binary on my fingers.

I tried that, but when I got to 132 vulnerabilities, I felt that was an appropriate enough representation of my opinion and stopped counting.

Re:OH NO!!!

[selven]

Then use three states - open, half-open and closed, getting 59049 possibilities! You can even add the directions the palms are facing (toward you, sideways, away from you), getting up to 531441. Add three positions for how far away your hands are and get the holy grail, 4782969!

Well, this is Flash...

Re:OH NO!!!

[BikeHelmet]

Hmm... looks like you'll need 11 bits to count them all, so please do it in another room.

Re:OH NO!!!

[Runaway1956]

I can see that this would be useful for a person with only one finger......

Re:OH NO!!!

[QuoteMstr]

I already know what one-finger interface I'd like to use with Adobe Flash.

Re:OH NO!!!

[gzipped_tar]

I'd use it as a check bit ;)

Re:OH NO!!!

[buchner.johannes]

Use trinary. You can count up to 59049 with 10 fingers (up to 243 with 5).

Re:OH NO!!!

[wvmarle]

Yes I was thinking about the same. Flash vulnerability after Windows critical flaw after Firefox hole... some with patches coming, others remaining unpatched (e.g. DNS problems).

It seems to be getting more and more these days. But I can't imagine that software is getting worse - even Microsoft is thinking about security these days.

And the flaws are becoming more and more obscure. OK I didn't RTFA but this has to do with users being vulnerable when servers accept file uploads, even if server doesn't do anything with Flash. So the user has to be able to UPload something and as a result RECEIVE something? From the site they upload to I suppose. Weird to say the least but then maybe I should RTFA to find out more.

To me the more and more of these issues I see the less it starts to worry me. It's starting to get normal, you start to get used to it, that's not good of course. On the other hand I have the feeling it simply has to do with more awareness, more and more researchers digging around trying out the strangest scenarios to find vulnerabilities. Which in a way is not bad at all.

Re:OH NO!!!

[Adm.Wiggin]

Someone mod this guy funny.

For those who don't get it, count to four in binary on one hand. Now repeat for the second hand.

For extra credit, combine the two into a single 10-digit binary number, like the parent did.

Re:OH NO!!!

[Lobster+Quadrille]

On the other hand, the more arcane the attack, the less likely it is to get fixed, and so the more websites remain vulnerable. The end result is that an attacker well-versed in a variety of obscure attacks can find a way into just about everything.

This one, though, does affect an awful lot of sites- it's rare to find a site that doesn't allow users to upload some kind of file. The impression I get is that image uploads may be more or less simple to validate, but most other filetypes aren't.

Re:OH NO!!!

More importantly, what about ECC?

I had a spasm in my left pinky and now I cant remember if its supposed to be bent or not.

Re:OH NO!!!

[nhytefall]

Occam's Razor clearly states that these extremely arcane attack vectors are being discovered and made public by security "professionals" do their level best to ensure their current employment and relativity.

The real security professionals are entirely too busy doing everyone else's job to be worried about ridiculously arcane attack vectors.

Re:OH NO!!!

[Lobster+Quadrille]

And meanwhile, the attackers are using the ridiculously arcane attack vectors to compromise systems. Seems like it'd be useful to have some people that understand them on the good guys' side.

Re:OH NO!!!

[badboy_tw2002]

Useful, but make sure no one is right in front of you when you get to four or they might punch you.

Re:OH NO!!!

[icannotthinkofaname]

Can it be represented by the five bits 00100?

Re:OH NO!!!

[mrboyd]

I usually get punched when I reach 4 so I don't recommend doing it.

Re:OH NO!!!

[schickb]

I counted to 4 in binary on my fingers and just stayed with that.

Re:OH NO!!!

[Thinboy00]

It is version 10.0.Æ.21.

Don't try to count using for fingers.

you need a Scientific Calculator

Why Æ?

Re:OH NO!!!

[Thinboy00]

We don't need your help, thanks!

Re:OH NO!!!

American or Maritime?

Re:OH NO!!!

The left is clear, but what does the right one (the three fingers) mean?

Re:OH NO!!!

[Snarf+You]

...and a count of 132 could get you killed. 18 and 306 are fun though.

Re:OH NO!!!

[supernova_hq]

Yeah, your toe is VERY smelly!

Re:OH NO!!!

[lastgoodnickname]

you for the z dimension....KHAN!!!!!!!!!!

Re:OH NO!!!

[XnavxeMiyyep]

You guys don't have three fingers you can use?

Re:OH NO!!!

here a hundred more:

http://www.bintest.com/m/malloc.html

Re:OH NO!!!

It's easy once you get the hang of it, but you do want to be careful about 4 and 6.

Re:OH NO!!!

[bronney]

I give you the binary 4.

Re:OH NO!!!

[IndustrialComplex]

It think a count of 11 would be fun.

Re:OH NO!!!

[n3tcat]

This time I'll count using Binary on my fingers.

I never considered that before. Thanks!

Re:OH NO!!!

This is a PROBLEM not an "issue!"

Re:OH NO!!!

[LinuxIsGarbage]

This time I'll count using Binary on my fingers.

I've never actually considered doing this. Clever. Almost completely useless as I don't have much use for physical counting references, but clever nonetheless!

What I find easier to keep track of is count to ten with each hand: Once you get to 5, put your thumb down for 6, index finger down for 7, continue such that your pinky finger alone represents 9.

Use your other hand for the 10's place. Now you can count from 0 to 99 on your fingers... without using binary.

Re:OH NO!!!

[xystren]

There are 10 kinds of people in this world. Those that understand binary, and those that don't.

Re:OH NO!!!

[Aqualung812]

Why Æ?

*BELCH* Why not?

Re:OH NO!!!

[mcgrew]

Why would I need to go to another room to count to three?

Re:OH NO!!!

There are 10 kinds of people in this world. Those that understand binary, and those that don't.

But what about the other eight?!

Re:OH NO!!!

[DocHoncho]

Wow, did you just make that up? Brillant!

Re:OH NO!!!

OH NO!!!

I think you mean, AH AHHHHHHH!!!!!!!!!!

Re:OH NO!!!

[xystren]

Add another tick to the latter group...

Re:OH NO!!!

[TheRaven64]

If you are counting, rather than doing arithmetic, then you are better off using a Gray code.

Re:OH NO!!!

Interesting that I have 10 bits to count on. I wonder why there was no standards for hardware / software, etc for using 10 bits instead of 8 bits. Was it a need to use 8 bits or a choice?

Re:OH NO!!!

The left is clear, but what does the right one (the three fingers) mean?

Three? 132 = 128 + 4 = 0010000100

Re:OH NO!!!

[Sam+Douglas]

Partially need, partially choice. 8 bits represents a useful amount of information --- it's enough to represent basic text with control characters. It's a power of two, and an 8 bit binary number can be represented by two complete hexadecimal digits (i.e. 0x00 -- 0xFF), and is a factor of other common integer sizes --- 32 bits is 4*8 bits.

Re:OH NO!!!

[xystren]

I saw it *years* ago... Perhaps 1982 or so. It was on a old computer geek mug that I had. I can't take credit for it, and couldn't even credit who came up with it. Regardless, it is a brilliant statement.

Re:OH NO!!!

Ups! I apparently tend to reduce 8 from everything..

Client or server?

[Dan+East]

"Any site that allows files to be uploaded could be vulnerable"

"Every user with Flash installed is vulnerable"

So who is vulnerable? The server or the client?

Re:Client or server?

[mujadaddy]

Server.

If I can get a Flash object onto your server, I can execute scripts in the context of your domain.

Only appears to be an issue with servers that accept uploads exactly as TFS says, curiously enough.

Re:Client or server?

[jpmorgan]

I know it's a lot to ask, but you could just RTFA. I guess I'll be the enabler today...

Apparently it's a server-side vulnerability, but this puts users at risk since hijacking trusted websites makes it much easier to socially engineer malware onto people's computers. I.e., if gmail were to be compromised, and you login to gmail and there's a link to download some special gmail-improving program, a lot of people will download and install it, even though it was placed there by a hacker and not Google themselves.

Re:Client or server?

[Z34107]

Relevant part of the article:

The basic policy for Actionscript is very close to the Javascript same-origin policy: A Flash object can only access content from the domain it originated from. ... The important difference, of course, is that flash objects are not web pages. A flash object does not need to be injected into a web page to execute- simply loading the content is enough. Let's consider the implications of this policy for a moment: If I can get a Flash object onto your server, I can execute scripts in the context of your domain.

So, user uploads a file - say, a picture for a forum avatar. Your image validation misses that malicious_flash.jpg is really a SWF file, and now you're executing flash all over the place "in the context of your domain." Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.

Re:Client or server?

[TheRaven64]

From what I understood skimming TFA, it's a cross-site scripting vulnerability, meaning the client's account on the server is vulnerable. I upload EvilFlash.swf to some site that allows downloads. Then I send you a link to this file. Your browser opens the .swf and runs it with the plugin. Unfortunately for you, the plug in runs it in the hosting site's domain, so it can access anything that you can access on the download site. If the site is something like PutYourFaceInTheBook.com then it will be able to access everything in your account and even modify everything there. It could then send links to everyone else on your friends list and if they click on them then the same thing happens.

The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key (or run them but don't allow them to access any external resources).

Re:Client or server?

[jpmorgan]

The irony of this comment is how bad my example is. Had I RTFA better, I wouldn't have used that example.

Re:Client or server?

[markov_chain]

what is the example in TFA? some please post :P

Re:Client or server?

[smash]

I read that to mean "i can execute scripts in the security context of your domain on the client's browser". E.G. - you have foosite.com as a site trusted to run active content - some guy can upload a malicious flash object and it will run as if authored/published by the website owner in you browser as a trusted site object. My server for example, has no flash installed, so how is a flash object going to run there?

Allowing users to upload flash is fucking retarded anyway. Its like allowing users to upload any javascript or activeX object they like, and then having your user's browsers execute it.

This isn't a flash problem - its an active content problem - flash just happens to be the most common, easy to abuse active content provider out there that people actually trust to run (but shouldn't).

Re:Client or server?

[smash]

Wrong. See: http://news.slashdot.org/comments.pl?sid=1441958&cid=30081730

Re:Client or server?

[PIBM]

If you had RTFA, you`d have noticed that they are giving ways of having flash uploaded on the server while it`s actually checking for other file types, so it`s not as simple as blocking flash file uploads.

Re:Client or server?

[theTerribleRobbo]

So, user uploads a file - say, a picture for a forum avatar. Your image validation misses that malicious_flash.jpg is really a SWF file, and now you're executing flash all over the place "in the context of your domain." Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.

Also, from the article:

To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute.

This is what I don't get: I understand that if a JPG is also a SWF (as per GIFAR and other manglements), it'll fool the browser into loading the content as flash.

Simply chucking a SWF on a server, renaming it to foobar.jpg, and visiting it at http://example/foobar.jpg doesn't load it as flash. Unless I'm really missing something here, I don't see how you can get the JPG to run as flash without also mucking around with content-type headers.

Can someone enlighten me, please? :-)

Re:Client or server?

Flash files can also be loaded by embedding them in an HTML page with attributes that say "content-type='application-x-shockwave-flash'" or something like that, regardless of extension or the content-type header given by the server. The server may think it's a zip file, but your browser can still be convinced to run it as flash.

So, I drop a malicious .docx on vulnerable site, create my own web page that embeds the object, and get you to visit that page. presto, you're pwned.

Re:Client or server?

[Adrian+Lopez]

It would probably be more accurate to say that websites (not servers) are vulnerable to such an attack. After all, unless I've misread TFA, no code is actually being executed server side. Instead, what's happening is that any SWF's posted to a publicly-accessible location are being served under the server's domain and therefore any scripts in the SWF will execute with rights to access that domain. There's nothing the SWF can do through scripting that a visitor can't do directly, so depending on how you look at it you could say the server itself isn't vulnerable to this, but the website and the clients are.

Re:Client or server?

[Ash+Vince]

I have just read the article. The problem seems to be with sites who allow flash object to be uploaded, then served to other people using the site. Of course, this is just stupid anyway. If I allow you to upload a flash object to my site, I should sanitise it before I allow my server to give it to anyone. The example they give is an animated avatar, but that is poor example as they should be restricted to animated gifs anyway.

This is just more FUD. ActionScript is a very powerful language, and so server admins should only allow flash files they trust to be served up form websites they maintain. To my mind that is just common sense. The only alternative would be for Adobe to cripple Flash beyond belief so it was only useful for a small percentage of what it is currently used for.

Re:Client or server?

[theTerribleRobbo]

Oh.
Holy shit.

(Thank you. :-) )

Re:Client or server?

[ThePengwin]

+1 to that.

This is a huge amount of FUD. i believe newgrounds struck this problem back in early days of flash 6? They host all their flash on a foreign server to the actual newgrounds server to combat this. i dunno how successful their methods are, but every time i went to newgrounds, i didnt see it hacked.

Its an old bug, but its a dam commonsence issue. Youre uploading someone elses data, you should be carefull.

Re:Client or server?

[Lobster+Quadrille]

If I allow you to upload a flash object to my site, I should sanitise it before I allow my server to give it to anyone.

And if you allow me to upload a zip file to your site, will you strip out the swf file that's prepended to it? This is key: It's still a perfectly-formatted zip file.

You may start checking for prepended swf files now, but you sure as hell weren't yesterday.

How exactly is this FUD?

Re:Client or server?

[smash]

Then your content checking in your web-app is broken.

Re:Client or server?

[mysidia]

Since almost all web-apps check content by the Content-Type and file extension; it's either not broken or is in very good company (you're essentially saying everything is broken, including Gmail's ability to attach image files such as .jpegs of declared type Image/Jpeg which are actually SWFs)...

By far it is flash that is broken. The flash plugin shouldn't execute on image/jpeg content types.

They are simply ignoring web standards and executing code if the magic number matches. This is clearly a bug in flash.

Re:Client or server?

[mysidia]

There is no vulnerability if the clients don't have flash installed.

It's a client-side vulnerability.

Given flash's popularity, webmasters should understand the risk and block uploads of .SWFs and application/x-flash

However, expecting webmasters to scan .jpeg uploads of declared type image/jpeg or declared application/octet-stream uploads to determine if flash might execute them, when they are intended to be simple downloads or image displays is way over the line...

Especially if an attacker can construct an image file that is a valid image, but flash will pick up and execute......

Re:Client or server?

[mysidia]

It can't eat the hosting webserver, but it's running on the clients' computers if they have flash installed.... it means the app could do things like submit forms, e.g. pretend to be that person, cause that person to also upload a flash file as their avatar, modified so it "appears" to be the original image of them... then post in a thread as them.

IOW, potentially wormable.

Re:Client or server?

[Vancorps]

I don't get it, how is this a flash vulnerability and not sure poor server administration? Uploads on my site don't go into an executable location. Guess it's web 2.0 run amok! In my mind any site that runs user uploaded content is going to be host to any number of problems which is why most sites restrict file types. Sounds to me like this isn't news though. At the very least you should put referral restrictions on folders with user uploaded content to ensure that they can only access it from your domain. Sure it's not perfect but it's a lot better, provided its based on ip address and not domain name that is.

Re:Client or server?

[X.25]

And if you allow me to upload a zip file to your site, will you strip out the swf file that's prepended to it? This is key: It's still a perfectly-formatted zip file.

You may start checking for prepended swf files now, but you sure as hell weren't yesterday.

How exactly is this FUD?

Okay. You've just uploaded the ZIP file with SWF prepended.

Then what? How are you going to make my browser invoke it as a flash object?

Re:Client or server?

[totally+bogus+dude]

They'd use an <object> or <embed> embed tag on a page you visit, referencing the SWF/ZIP object. Since it has the content-type specified in the HTML, it doesn't matter what content-type the server responds with: it'll still be executed by the Flash plugin.

So they need to be able to write HTML into a site you visit, which probably requires some kind of XSS attack. Unless the attacker happens to operate a site you visit willingly or can be tricked into visiting willingly.

Re:Client or server?

Here's my understanding

1) Post a zip/swf file (say) on a message board which supports attachments
2) Create a webpage which load that file as a flash object
3) Post a link to your web page saying "free pron"
4) Since the flash object is running from the message board server, it can steal cookies or whatever

Re:Client or server?

Wow, that actually seems like a doable attack.

Be right back; I'm going to go give 4chan some grief.

Re:Client or server?

[jeffstar]

i for one welcome our new bug infested flash and hope some horrible flash object is uploaded rampantly all over the web. If horrible flash object is bad enough all users will have to uninstall flash. /dreams on

Re:Client or server?

[moderatorrater]

It requires a vulnerability in both the server and the client. The server's vulnerability is that it allows SWF's to be uploaded and it's hard to validate whether it's a SWF or something else (the article uses the example of a file that's both a SWF and a valid ZIP file).

The client side vulnerability is that it will execute any SWF as a flash object even if the extension or the headers are wrong. Once this is done, then the SWF object is running as if it's from the hacked website, which is basically an XSS attack on steroids.

Overall, it's a pretty interesting hack, but harder to pull off than your average XSS vulnerability. It requires problems in the server, browser and flash client.

Re:Client or server?

[Thinboy00]

If it's really that simple then why is Adobe saying...? They're idiots! That's trivial to fix! This is why we need to move away from proprietary active-content and towards HTML5 -- because proprietary companies aren't capable/willing to do a half-assed job at keeping their tech working/secure/up-to-date.

End of rant.

Re:Client or server?

[Thinboy00]

If I send a flash app to your browser and mark it with a completely worng MIME type, should the flash plugin care? Apparently, not only does it care, but it actually executes the damn thing!

Re:Client or server?

[Thinboy00]

RTFGP!

Re:Client or server?

[M.+Baranczak]

If your site serves user-uploaded files and allows users to insert arbitrary HTML into the pages, you've already got big problems.

Re:Client or server?

[mysidia]

Actually.. the thing is they're willing to do a half-assed job at keeping it working, as long as it's profitable. In this case, fixing security requires "breaking" it for customers with legitimate content, we can see they don't want to do that. They only want to do things that will sell get them more sales and make sure Flash stays dominant over threats such as Silverlight.

Then they do a quarter-assed job at keeping it up-to-date

And a 1/8th-assed job at security.

Re:Client or server?

[totally+bogus+dude]

I don't think there's any particular reason the HTML would need to be injected on the same site as the flash was uploaded; but I don't know how Flash's security model works so I could be wrong.

My assumption is that if you're on stupidsite.com and it tells your browser to load a flash object located at uploadafile.com, then that flash object will be running with the domain context of "uploadafile.com". So if you're a user of that site, it may be able to utilise your logon information if you have an active session, etc.

Re:Client or server?

[NatasRevol]

I don't think running a file that is labeled in the HTML code as as a flash object is really a client side vulnerability, and more the way it's supposed to work.

And why it's a bit harder to fix. Not that I'm giving Adobe a pass by any means.

Re:Client or server?

To be fair, the problems in the server are apallingly common (not to mention extremely difficult to fix, at least without re-architecting the application (which may not be a bad idea in any case)), and the ones in the browser/flash plugin are the ones that adobe refuses to fix.

I expect we're going to find out that a lot of sites are vulnerable to this very soon. Mine is- that's why I'm posting anonymously.

Re:Client or server?

[M.+Baranczak]

OK, you're right. The embed tag and the SWF file do not have to be on the same site. But splitting them up this way lowers the potential impact of the exploit, since it requires a user to go to both sites.

Re:Client or server?

[Lobster+Quadrille]

That really isn't a stretch- most XSS and CSRF exploits work the same way. It just requires that the user be logged into victim.com and click a link to evil.com.

Re:Client or server?

[XSpud]

This isn't the way these tags are supposed to work - see my earlier post.

Re:Client or server?

[Tanaric]

How, precisely, is Flash going to send links to everyone on your friends list? Or access anything on your account? It doesn't magically get a pipe to the database or to the underlying server code just because it's served up from the same base URL. At worst, it can do some HTML scraping and load in your images and then POST them off to an "attackers" server... but it'd be a lot easier to do that with... you know... any other programming language deployed in any other possible way, or manually via a browser.

Re:Client or server?

[RAMMS+EIN]

In other words, what we have here is just a rehash of cross-site scripting? Just like you can upload snippets of JavaScript to a site and have them execute in visitors' browsers, you can upload Flash to a site and have it execute in visitors' browsers?

Re:Client or server?

[spongman]

not necessary. the html code could be anywhere, for example 3rd-party ad code uploaded to an ad network using a stolen credit card. talk about casting a wide net.

Re:Client or server?

[coolgeek]

Actually, isn't this more of a browser issue? Why should the browser hand control to a plugin registered for application/flash when it is processing an image/jpeg?

So, do you have any tips about scanning uploaded content? Is there a flash signature at a certain offset in the file or something? Since it seems that the fix is up to app developers, I need to get busy detecting and rejecting SWF file uploads.

Re:Client or server?

If you intend to only allow users to upload images, make a thumbnail (for example, using imagick's convert) during the upload process. If there is a problem with generation of the thumbnail, reject the upload (and delete the temporary file).

This will handily catch people uploading executable and SWF files with fake jpg extension.

Chance is you'll need the thumbnail anyway.

Re:Client or server?

[TheRaven64]

It can issue HTTP requests to the server, including POST requests containing form submissions. If this functionality is exposed to you via a web interface then it's also exposed to the Flash program. If there's a page which lets you send messages to your contacts, it can visit that page and send links to itself using that.

Re:Client or server?

[theTerribleRobbo]

Wait. One of us must be missing something.
For the purposes of the below, I'm excluding the JIFAR-alike vulnerability where a SWF looks like a valid JPEG; this is just regarding the renamed-SWF mentioned in the article:

To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute.

Say we have two sites, one that the user is logged into (facenovel.com), and the attacker's site (mal.com).
An attacker uploads a malicious SWF (containing a javascript call that steals the cookie or what have you), except uploads it as nasty.jpg to facenovel.com to get around simple file-extension filtering.

• Accessing the file directly (facenovel.com/uploads/nasty.jpg) doesn't run it as a flash movie, it just gets interpreted as a stuffed JPEG.
• As per the above, I instead have an HTML page hosted on mal.com that embeds facenovel.com/uploads/nasty.jpg and forces a content-type of "application-x-shockwave-flash".
  The javascript does not run; it does not have permission to access anything.

I can't think of a case where a simple rename presents a vulnerability (without the previously-mentioned JIFAR-like hackery).
Help please. :S
 

Re:Client or server?

Actually, isn't this more of a browser issue? Why should the browser hand control to a plugin registered for application/flash when it is processing an image/jpeg?

Presumably because the browser sees the embed tag, loads Flash the plugin, which then downloads the SWF file. The browser doesn't see the content type, and the plugin doesn't care.

Re:Client or server?

Damn those uncaring plugins, damn them all to hell!

Re:Client or server?

The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key (or run them but don't allow them to access any external resources).

Or, oh, I don't know... just have flash not allow uploading/serving flash content, the same way you don't allow uploading exes?

Re:Client or server?

[Civil_Disobedient]

+1 Absolutely correct.

This only affects sites stupid enough to re-serve a particular user's content to everyone.

If, for example, you are a Flex developer and allow users to upload images (or even... GASP! SWF files!) to the server, but only allow that particular user to see the file, you're completely safe. In fact, you're just ensuring the malicious parties are the only ones who might ever be affected by their malicious software. It's almost poetic.

Re:Client or server?

[TheRaven64]

As has already been explained by a large number of posts, this is difficult. You can block everything with a .exe extension and then anyone downloading the file will need to explicitly rename it before running it. You can simply not serve uploaded files as text/html and people will not be able to host HTML with auto-executed JavaScript from your site. Flash, however, goes out of its way to execute things that don't look like Flash files. Of course, a simpler solution might be for the flash plugin to require a .swf extension on all Flash files, then webmasters could just block .swf uploads...

Re:Client or server?

[mysidia]

The content type gets declared in the embed tag, which is specified by the HTML standard.

The browser just passes the proper content type to the proper plugin

Re:Client or server?

[WPIDalamar]

I was under the impression it was the browser that decided what player to use, and not the player deciding?

Re:Client or server?

[Ash+Vince]

not necessary. the html code could be anywhere, for example 3rd-party ad code uploaded to an ad network using a stolen credit card. talk about casting a wide net.

But I would have to be browsing the site with the HTML in the page. But if you can convince me to browse to a dodgy website, you can do plenty of damage just using Javascript, you do not need a flash object.

This is like me saying there is a vulnerability in HTML as it is insecure if a site allows me to include arbitrary HTML including script tags in their pages.

Re:Client or server?

[zoidran]

Sorry, but I do not read grand parents while they are fucking. That's just plain rude.

Re:Client or server?

[amicusNYCL]

No it's not, the formats allow for this. A zip file can have a SWF prepended to it and still be a valid zip file. New Office documents are zip files, so an attacker could create an office document and then prepend a SWF file to it. That makes a valid zip-family file with an executable SWF payload, and the content type says that it's a Word document or whatever.

What kind of content checking do you recommend to mitigate this? Since you're asserting that everyone else's content checking is broken, then I assume that yours works, can you share it? Your extensive admin experience should give you insight that most people don't have.

Re:Client or server?

[TheRaven64]

You're still missing the point. If I put some dodgy JavaScript in an ad, then it runs in the security domain of the ad, which is typically an iframe and isolated from the rest of the page. If I put a reference to a dodgy SWF in an ad and load the SWF from your site then it runs in the security domain of your site.

Re:Client or server?

[TheRaven64]

It's a security hole because it runs in the security domain of the site that the SWF comes from, not the security domain of the HTML code. That means that you can host the HTML anywhere, you just need to get the site you want to exploit to host the SWF. With a lot of social networking sites, for example, that's quite easy.

Re:Client or server?

[MikeBabcock]

The browser should be acting based on the plugin's advertised MIME types.

For example, my mplayer plugin handles myriad types, and Flash supposedly only handles application/futuresplash and application/x-shockwave-flash

Re:Client or server?

totally right, i mean the only time that Flash would ever be used is over the web. you'd never want to use flash on the desktop (where mime types don't exist).

Re:Client or server?

[didroe84]

If uploadafile.com has a crossdomain.xml file then it can be blocked. The only way around that would be to get the user to execute javascript to inject an object tag into the page, which like the GP said, is a pretty big problem with or without Flash.

Re:Client or server?

[DavidTC]

If people can upload avatars, they can usually post comments, and if they can post comments, they can usually post links.

Sure, it won't get everyone, but it will get enough.

Re:Client or server?

[DavidTC]

I'm not entirely sure how anyone's supposed to fix it in the server. I am unaware of any magical tool we can run to make absolutely sure that what we were handed isn't possible to run as a flash file. (Except actually attempting to run it.)

A few people have suggested resizing images, but, as you point out, the example is actually a zip file.

And let's not even get into webmail.

The solution is really for Adobe to either require a .swf extension, or to require the correct mime type on the file. (Which, for all intents and purposes, would be the same thing, as web servers usually figure mime type by extension.)

In fact, I'd like to see more mime type checking in general for things loaded in web pages. Like javascript files, and css, and images. We're well past the old crappy web servers where those types could sometimes be wrong.

Re:Client or server?

[mysidia]

What happens when the SWF is in a valid image container and also contains an image in it?

Then the thumbnail can be generated just fine, but flash can happily be able to execute the SWF also in the container...

Some of the image and video container file formats are generic enough that both flash content and media can be embedded in the same container file.

The only way a website can hope to validate is to be able to parse every single container format that current versions of the Flash plugin are able to look inside and pull flash from..

iPhone

I'm very angry that I can't use this vulnerability on my iPhone.

Re:iPhone

[Icegryphon]

I'm very angry that I can't use this vulnerability on my iPhone.

There is not an app for that?

Re:iPhone

Droid Does!!

Re:iPhone

[kehren77]

Hard to believe Apple doesn't want to let this shit on their device.

Re:iPhone

no, there isn't an app for that. :P

Re:iPhone

It's been rejected from the download store.

Re:iPhone

[RandomFactor]

It was rejected by the iTunes store.

Re:iPhone

[beaviz]

droid it is, then!

Re:iPhone

[Zebedeu]

You mean Steve Jobs' phone.

FOSS flash plugins?

[Tubal-Cain]

How good it Gnash these days?

Re:FOSS flash plugins?

Nothing to do with anything. This is a problem with the specification. Either Gnash can run flash or it can't (this is more a server-side issue than client-side).

Re:FOSS flash plugins?

[buchner.johannes]

It is key to Linux technologies that malware is being stopped by incompatibility. This is where Gnash comes in: Having not implemented the full extent of Adobe Flash, phishing swfs will crash and your desktop safe.
jk :) ... or am I?

Re:FOSS flash plugins?

Shitty, like it always has been.

Re:FOSS flash plugins?

[buchner.johannes]

Interesting. Gnash is broke. It is a high-priority project of the FSF, but the FSF doesn't support any software projects financially.

Here is the donate button :) http://www.openmedianow.org/?q=node/32

Re:FOSS flash plugins?

Still sucks. :/

Foreign code

[cbreak]

It's always risky to execute code downloaded from the Web, be it JavaScript, Flash content, Java Code or ActiveX. NoScript can help mitigate that risk by offering WhiteListing in Firefox. It might not be too convenient, but security seems to be worth it to me.

Broken security model

[Inf0phreak]

Adobe's answer is just the greatest kind of cop out. "Websites just need to make sure to check all uploaded material". But that's obviously never going to happen -- fuck they can't even do that themselves! End users can't rely on every single website out there to be vigilant at all times and never accept an upload of a flash file.

If this is really unfixable in the flash plugin, then maybe it's because your security model is fucking broken and it's time to throw this piece of shit away?
</profanity>

Re:Broken security model

[smash]

Its not adobe's problem to fix. If you allow users to upload executable content to your web-server, and then have your web-app present that un-sanitized executable content to other users, you're a fucking idiot.

Re:Broken security model

[seanalltogether]

I'm still not exactly clear on the vulnerability itself, all I'm reading is "If I get a swf on your server, when it's executed in the browser it will have originated form that server" What exactly is the vulnerability there? Isn't this how it's supposed to work? Don't you want scripts executing on the domain they load from? From the article "If I can get a Flash object onto your server, I can execute scripts in the context of your domain. This is a frighteningly Bad Thing." Is he suggesting Flash should execute in a black hole or something like that? That would make no sense.

Re:Broken security model

[geekoid]

It sure is. It's broken and needs to be fixed. The server just holds an infected item, like say a Gif. The client runs that because it's coming from a 'safe' domain. As you probably have no clue about, Javascript (now) only runs from the same domain. The actionscript is BROKEN, just like Java script was years ago.

Adobe should be held accountable.

Re:Broken security model

[smash]

This is not CSS. This is the same as allowing people to upload any javascript to your site and the embedding it in your webpage for users to run. If it was an EXE file, a perl script, a java applet or whatever - it would have the same result. Its not a flash problem. Its a web-app problem.

Re:Broken security model

[clockwise_music]

Adobe should not be held accountable. It's not their problem. If I write a program in c# to delete your hard disk, create the EXE, upload it to my website, you download and run it, what, it's Microsoft's fault? What if I write the program in Java and send you a link to a JAR file? Going to sue Sun?

Smash is correct, if you allow users to upload executable content to your website, you're a knob.

Re:Broken security model

[Eil]

Adobe's answer is just the greatest kind of cop out. "Websites just need to make sure to check all uploaded material".

Just because you have a seething hated of Adobe and didn't bother to RTFM doesn't mean Adobe is wrong.

I'm no security expert, but the issue seems to boil down to:

1) It might be considered a security flaw by some, but it's not a bug and it's not even unique to Flash. Everything is working as designed.
2) Yes, in 2009, website programmers still have to throughly validate and/or sanitize all data coming from untrusted sources, no exceptions. Even if it's hard.

Bottom line: This is not news. Some random security researcher took a known caveat in a fully-documented system and tried to sensationalize it, that's all.

Re:Broken security model

[Lobster+Quadrille]

If you can write an SWF that can be executed to compromise a website, despite the fact that it looks like, acts like, and in fact is a valid MS Word document, I'd call that a problem.

Your JAR example is actually a pretty good one... as TFA mentions, a similar attack with JAR files that looked like GIFs came out in 2008. Sun fixed their plugin.

Re:Broken security model

It's not often I agree with you, but I do this time, geekoid.

Abobe model is broken. Flash should be secureable.

Re:Broken security model

[dissy]

Adobe's answer is just the greatest kind of cop out.

How exactly would you suggest Adobe modify the flash plugin so that it will run on your computer when I am the one to upload it to my website, but not run it when someone else who I have given permission (thus access) to upload it to my site in my name?

Either you run code from my website, or you don't. You can't base any decisions on if it was my SCP client that uploaded it to the web server, or someone else uploaded it, mainly because there is no possible way for the server nor you to tell the difference.

What change exactly can Adobe make to come into play here?

Re:Broken security model

[dissy]

mainly because there is no possible way for the server nor you to tell the difference.

I fail. I meant there is no way for the browser to tell the difference.

Obviously the server can tell the difference, and in fact is the only thing that can easily tell the difference, thus why it is a web server issue.

Re:Broken security model

[laffer1]

Translation: The Internet is broken. Let's just flush the tubes and start over. Seriously, I'd like to see a security researcher design a website that is both useful and secure that takes user input besides numbers. It is impossible to secure a blogging or social media site and offer any of the features users expect.

Re:Broken security model

I think the fact that such a simple, known attack is news to the people on this board- who are likely the very people that Adobe expects to fix it, is news in itself.

In fact, the researcher himself discussed the fact that this is an old attack, even linking to information about Adobe's flawed remediation measures.

Adobe expects administrators to be aware of this problem. Few are.
Most security people aren't even aware of this problem.
Sites are vulnerable by default, unless they specifically account for it... and again, few know to account for it.
Even fully validated and perfectly valid files can be malicious.

THIS is the news- not the exploit itself.

Re:Broken security model

[Lobster+Quadrille]

Off the top of my head, here are a few possible changes:

1. Deny connections by default, unless the server specifically says "this application can connect" (This is already how adobe determines policies on remote servers. It would not be so hard to make the object's origin follow the same rules)
2. Check whether the content-type headers of the server delivering the object actually match those of a flash object, preventing the content overloading attacks described in the paper.
3. Implement a signing policy, so that unsigned flash objects are not given permission to access the server.
4. Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server. (Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)

Maybe not ideal, but a hell of a lot better than having everybody vulnerable by default, and expecting the server administrators to fix it for them on a case by case basis.

Re:Broken security model

[NatasRevol]

Also, how about Adobe has the flash plugin VERIFY that the file it should be running is a valid swf file, and not some swf/zip, etc combo file.

I hope that Adobe could at least figure out how to validate that a flash file was a valid flash file!

Re:Broken security model

[Lobster+Quadrille]

Maybe you should have read the whole article. Cross-site scripting is never mentioned, and seeing how Mike Bailey, the researcher in question, won $10,000 with a Cross-site scripting attack, I think he probably knows the difference

This is a flash attack, dealing with content ownership and poor security controls on flash's part. The end result can indeed be cross-site scripting, but that's not a requirement, and actionscript has different capabilities than javascript.

Re:Broken security model

[BerkeleyDude]

4. Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server. (Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)

I'd call that the proper solution. JavaScript files are executable, too. Why don't they have the same vulnerabilities as SWFs? Because they run in the context of the page they're embedded in.

Re:Broken security model

[Alistair+Hutton]

Adobe's response is "Website's shouldn't serve untrusted data from a trusted domain". It's not exactly rocket science.

Re:Broken security model

[XSpud]

Of course it's for Adobe to fix. Flash has no business trying to execute content that the web server has said is image/gif or image/jpeg. It's similar to if a server sends out do_bad_stuff.c with a content type of text/plain - it's the client's problem if this gets compiled and run.

Though it may be good practice to scan through every file uploaded to a server, a web server should be able to rely on clients to correctly use the MIME type sent with the content.

Re:Broken security model

[julesh]

If you can write an SWF that can be executed to compromise a website, despite the fact that it looks like, acts like, and in fact is a valid MS Word document, I'd call that a problem.

You can, but the problem is that word is too trusting in what it accepts, and not caused by flash. The file will clearly have SWF headers at the start of it, and is thus easy to filter, and no _real_ word document should ever have that. It happens that MS Word will open it, but is that particularly relevant?

Re:Broken security model

[julesh]

This is not CSS. This is the same as allowing people to upload any javascript to your site and the embedding it in your webpage for users to run.

A more accurate analogy is allowing people to upload HTML pages and serving them unmodified whenever requested. No embedding is required.

Plus, it's worth noting that the only security violated here is _the security of the site that is hosting the file_. Sure, this could be a problem for social networking sites and the like, but it's not like they haven't had their share of similar javascript-related issues in the past. It's what happens when you put different user's own content all on the same domain, simply because the security model of browsers is not designed to cope with that.

Re:Broken security model

[julesh]

Of course it's for Adobe to fix. Flash has no business trying to execute content that the web server has said is image/gif or image/jpeg.

Right. Of course they can't fix that without breaking their plugin completely, because I bet you somewhere in the region of 50% of sites that serve flash use the wrong content type header for it. Nobody wants to release an upgrade that'll only serve to piss their users off, which is what such an upgrade would be.

Re:Broken security model

[julesh]

1. Deny connections by default, unless the server specifically says "this application can connect" (This is already how adobe determines policies on remote servers. It would not be so hard to make the object's origin follow the same rules)

Yes, but doing so would break almost every existing flash deployment in existence. Users upgrading to the new version would be unable to use somewhere over half of all the flash sites out there, thus word would get out very quickly that they shouldn't upgrade, because the new version of flash is "broken".

2. Check whether the content-type headers of the server delivering the object actually match those of a flash object, preventing the content overloading attacks described in the paper.

Plausible, but bare in mind that through years upon years of flash not caring about content type, there are probably significant numbers of misconfigured servers that either serve flash objects as application/octet-stream or as some random but incorrect type. Because nothing complains about it, nobody will ever have fixed these. This isn't as serious for compatibility as suggestion 1, but the same outcome will still happen: users won't upgrade because the release will be generally labelled as "broken".

3. Implement a signing policy, so that unsigned flash objects are not given permission to access the server.

Will break all existing deployments. See problem of solution 1.

4. Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server. (Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)

Will break existing deployments that rely on the current behaviour. This would, I believe, include embedded youtube videos. See problem of solution 1.

Maybe not ideal, but a hell of a lot better than having everybody vulnerable by default, and expecting the server administrators to fix it for them on a case by case basis.

Note that it is the server administrators themselves that are vulnerable, not the users per se -- what can be broken by this is the security of those administrators' web sites. As such, it is better that _they_ have the burden of fixing this, rather than the users have the inconvenience of stuff not working right.

Re:Broken security model

There is no reason that a word document cannot have those headers. A MS OOXML .docx file is nothing but a zip archive full of stylesheets, markup and content.

A valid word file absolutely can have SWF headers at the start of the file, and still be valid.

You are essentially saying "Word documents should not be validated based on the word document standards, but on my arbitrary standards that prevent this specific issue." Would you have suggested checking for SWF headers before this issue was published?

Re:Broken security model

[Civil_Disobedient]

It's broken and needs to be fixed. The server just holds an infected item, like say a Gif.

Gmail lets me upload Microsoft .DOC files. DOC files can contain malicious ActiveX content. According to your awesome reasoning, Gmail is busted.

There's nothing wrong with servers letting their users upload their own content. The problem is if you then open that content to all users without any sanitation.

Sorry, but that's not Adobe's problem.

Re:Broken security model

[zevans]

You have my vote, but for a different reason. If we start over, we might get rid of Flash, and that would be a good thing in so many ways.

Re:Broken security model

[japonicus]

Adobe's plugin doesn't need to depend on what the file was served as (that's for the browser to do). However this is Adobe's problem. The flash plugin should be validating whatever is passed to it before executing it. It should refuse to execute a flash file that has any non-flash component appended (e.g. a flash executable disguised as a zip shouldn't run even if both the flash and zip parts are valid).

Re:Broken security model

[gnud]

The client (browser) is at fault if it "runs" something served as Content-Type: image/gif

Re:Broken security model

It may not be news to you, or the techie crowd, but it gives iphone users a warm fuzzy feeling to know that there missing out on this little problem. Slashdot isn't just for smelly asocial linux geeks!

Re:Broken security model

why don't you boycott the internet dude. ok, so you're not that likely to succeed, but at least you'll have tried (and we'll have one less irrelevant whining pathetic cunt to listen to around here!)

Re:Broken security model

[julesh]

Would you have suggested checking for SWF headers before this issue was published?

No. I would have suggested checking for zip file headers (0x04034b50 as a little-endian dword) at the start of the file. The zip file format specifies such headers, and it is only the fact that most zip processing software doesn't check for them that allows the prepending. If docx is defined as being a zip file, it should follow all the rules for such a file.

Re:Broken security model

[julesh]

Adobe's plugin doesn't need to depend on what the file was served as (that's for the browser to do). However this is Adobe's problem. The flash plugin should be validating whatever is passed to it before executing it. It should refuse to execute a flash file that has any non-flash component appended (e.g. a flash executable disguised as a zip shouldn't run even if both the flash and zip parts are valid).

The problem is that it can't tell that until the file is completely downloaded, but flash is a streaming format (i.e. it starts executing while it is still downloading). What you're asking is a technical impossibility.

Re:Broken security model

[julesh]

There is no reason that a word document cannot have those headers. A MS OOXML .docx file is nothing but a zip archive full of stylesheets, markup and content.

A valid word file absolutely can have SWF headers at the start of the file, and still be valid.

A valid zip archive starts with the bytes 50 4b 03 04 hex. Anything expecting a docx file should be checking they are present.

You are essentially saying "Word documents should not be validated based on the word document standards, but on my arbitrary standards that prevent this specific issue."

The word document standards say it's a zip file. The zip file standards say the zip file starts with the local file header, which starts with the above bytes. The standard is not in the slightest arbitrary. The problem is that implementations are too lax and accept files that do not conform to the published standards.

Warning - 2nd link points to a FLASH AD

[tomhudson]

Kind of ironic that an article that warns about flash vulnerabilities as:

1. A flash interstitial ad
2. A page loaded with flash

Oh, wait - it's ComputerWorld. Sorry, I had my expectations too high.

Re:Warning - 2nd link points to a FLASH AD

IRONY DOES NOT WORK THAT WAY

Say it ain't so o o o

[socz]

While I love flash, because I've been working with it for so many years (go ActionScript!) I have seen many things it can do. Unfortunately, most people don't take it seriously. While the issue's only come up after a vulnerability has been used, I've been telling people about the awesome power of AS. Because flash allows for so much, I honestly don't know how you can lock it down. But on the plus side, I don't use flash/AS in a conventional manner, so most of the ways I would be able to (ab)use it is not really in reach for most people because they wouldn't even think of the possibilities that flash can do! So security through obscurity I guess would be the best way to say it.

Client.

[XanC]

It's not a problem for Web sites, except for their users that run crappy software (ie Flash).

Re:Client.

[amicusNYCL]

It's not a problem for Web sites, except for their users that run crappy software (ie Flash).

That's exactly right. In other words, this only affects 99% of web users. Clearly a non-issue, and I praise your insight for pointing this out.

also risk of d/l .bat / .pl ! ban mimetypes now!

n/t

We need to move beyond Flash

[ClosedSource]

so we can have malware based on open standards.

the article is bullshit.

[tomhudson]

Example from the article:

"All they need to do is create a malicious Flash object, and upload it to the [Web] server."

He used the example of a company that lets users upload content to a message forum to explain the process. "If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said. "Anyone who then views that avatar would be vulnerable to attack."

Since when are you going to allow someone to upload an swf for an avatar. It's going to get creamed when you resize it via php anyway.

This is the same "vulnerability" you'd have by allowing people to upload php code, or perl code, or javascript, to your server and you sending it out without doing ANY validation.

In other words, it's not a vulnerability, it's a symptom of totally bonehead design and someone looking for page hits.

What next - "All Windows Versions of Apache Vulnerable To .EXE Exploit" - where they'll say that if you allow people to upload .exe files to your site and blindly execute them, BAD THINGS (TM) will happen?

This belongs in idle.slashdot.org - it's not news, it's so bad it's not even wrong.

Re:the article is bullshit.

Didn't really read the article, did you?

Uploading the swf as an avatar is just the beginning. You can also overload ZIP files, which also includes .docx, making perfectly legal documents that also are executable flash objects. Also, many server-side validation libraries apparently will also not catch properly malformed (if such a thing is possible) pdfs, mp3s, etc.

Ironically, all that email antivirus that require you to zip up your files does no good here... a overloaded zip file can be used to compromise webmail clients (like gmail, as in the example).

Flash's security policy is severely broken. I'd call this a pretty big deal.

Re:the article is bullshit.

[aztracker1]

There you go, throwing logic at the discussion...

Re:the article is bullshit.

[afidel]

gmail doesn't allow zip attachments for this and so many other reasons.

Re:the article is bullshit.

[Enleth]

You, sir, are entitled to the Arrogant Uninformed Derogatory Comment of The Day Award. Here's why, a quote from TFA:

It gets worse. Uploading a SWF with a .jpg extension, or a forged content-type header will get you a long way, but what if you can upload perfectly valid files with malicious content? Remember GIFAR? The basic premise is this: Overload a GIF file with a JAR archive. Specifically, the ZIP file format can be appended to any binary file and still be valid. The GIF format, in turn, can have any binary file appended to it. The JAR archive, being essentially a ZIP file, can be combined with a GIF image to create a a file that is both a valid image and a perfectly valid JAR archive. While SWF files cannot be appended to other formats, the inverse of the GIFAR exploit works- any file format in the ZIP family can have a SWF file prepended to it. This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs. Additionally, if you don't care too much about compliance with standards (and what attacker does?), many server-side content validation libraries will also allow malformed PDFs, MP3s, and other media formats, so long as you are careful not to mangle them too much. This content overloading technique has countless variations, but the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.

Short of rewriting everything that has anything to do with several popular formats, you're out of luck.

How, you do ask, is such a prepared file going to be uploaded? A worm that intercepts uploads in the browser, for example. I was able to come up with this in two minuttes, I'm sure that any self-respecting blackhat hacker will as well.

Re:the article is bullshit.

Wait, what?

Maybe the web site wants to compromise its users. Then what? You know, like a hacked or malicious web site.

Re:the article is bullshit.

gmail doesn't allow zip attachments for this and so many other reasons.

not so gmail accepts and sends .zip it just does not automatically load files and requires user input to download the attachment!

Re:the article is bullshit.

Does that actually mean the zip or docx would be executed in your browser or on the server itself?

Re:the article is bullshit.

[Orne]

So let met get this straight, a bunch of sites allow uploading of image files without checking the magic numbers to make sure they actually are static image files they say they are, then they display them... and if they are SWF in the browser, there's a bug in SWF that allows malicious code to execute, but the bug is not caught because the file is not really a SWF ?

Re:the article is bullshit.

[afidel]

That's a change, you used to have to change the extension to .zap or something else.

Re:the article is bullshit.

[Enleth]

No. Read the quote again.

A malicious Flash payload can be smuggled in an image that looks absolutely harmless for MIME checking libraries. The magic number is there, as are the headers and sometimes even the actual image data that produces an actual image. I'm not familiar with the details of GIF and JPEG payloading, but I've read that clever techniques exist for producing images that can be even read by ImageMagick and similar libraries, for example to produce thumbnails. The thumbnail will not carry the payload, of course, but image hosting sites often save the original full sized image as it is, to avoid degrading it with further compression. This effectively means that an image could be prepared that will upload and display just fine even when thumbnail generation and MIME checking is employed.

There is one effective defense, though - serving user-uploaded content from a dedicated domain that contains absolutely nothing but static files. I'm glad that my website is doing that for a long time already, originally for my convinience of being able to move the files to a different server with only a single rsync call and a DNS record change, but it's paying off in other areas as well.

Re:the article is bullshit.

[MichaelSmith]

Ha! One company I deal with for work you have to PGP encrypt your file, ASCII amour the output and strip off the header and footer so you are sending the raw data. Thats the only way to get an attachment into an email for their system. Anything uu or base64 encoded it will crack and if it sees anything at all apart from random data the message gets eaten.

Re:the article is bullshit.

Agreed. The malicious avatar seems an unrealistic example. I don't see flash running in the webpage outside of an object/embed tag - the author seems to imply the you just upload an swf disguised as an image and away you go. The use of the flash avatar virtually needs to be sanctioned by site not stripping out object/embed in whatever sanitization they are using.

Re:the article is bullshit.

Ok... so you put an SWF in a Zip/mp3/pdf etc, you still need to make the flash plug-in execute it...
It's got the magic bits of the container format (PK), not an SWF (CWS).

Re:the article is bullshit.

[mysidia]

Are you sure you're not thinking of .EXEs? As far as I know gmail always allowed .zip files to be attached, but not .exe files...

Re:the article is bullshit.

[Khyber]

I have never needed to redo a file extension in gmail, and I started when it was still a closed beta. I uploaded all of quake 1 in a ZIP file to a friend when the service barely had 2,000 users.

Re:the article is bullshit.

[Mr2001]

You can't attach a .zip file that contains an .exe, either. As a programmer working remotely, I have to send ".rename-to-zip" attachments all the time because of this.

Re:the article is bullshit.

[characterZer0]

If it is a valid image, will not the browser display it as an image using the image rendering component? How is the flash portion going to be executing in the flash player?

Re:the article is bullshit.

[totally+bogus+dude]

You don't put the SWF inside the ZIP, you put it before the ZIP. The Flash player will see the SWF bit and ignore the stuff that follows it, while things looking for ZIP data will skip through the SWF and start their processing from the actual ZIP content.

Re:the article is bullshit.

[tomhudson]

I read the article, and I agree with Adobe for once. This is TOTAL bullshit. Anyone who is stupid enough to code an app to fall for this should be fired immediately. This is on the same juvenile level as using javascript to validate data client-side. IOW, 1995 called and wants their "vulnerability" back.

Anti-viruses? Go play with a real operating system for a decade or two.

Sheesh, kids these days ... *grumble grumble*

Re:the article is bullshit.

[FlyingBishop]

Slashdot really needs an appallingly ignorant mod. Or maybe just an RTFA.

Re:the article is bullshit.

[sowth]

I would suppose that the flash code could be put in the comment section. Then most programs would copy it as they try to preserve comments. There are other types of sections for jpeg files too, as I recall.

Is there a binary pattern one can search to detect possible flash code? It would probably be something to put in your CGI script to receive files...

Re:the article is bullshit.

[tomhudson]

The article is bullshit, and your comment is also misinformed. Read what you wrote after the stuff you quoted:

Short of rewriting everything that has anything to do with several popular formats, you're out of luck

The very first rule is "be restrictive in what you allow."

Anyone uploading an swf with a jpg extension is going to find that they're fucked on anything I'd write, simply because when I call code to resize it and convert it to a png, the swf is going to get really mangled, isn't it ... so your renaming "sploit" isn't going to work.

This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs

If it's not running on the server, and it's not running in the client browser, I don't give a shit what it contains - it's not my problem, and it doesn't affect what I'm doing. I'm not going to use jars from joe q public in my code, it'll be a cold day in hell when I use MSOOXML, xpi files suck, and I'm certainly not going to take an untrusted zip file, unzip it, and use it. And the stuff you quote agrees with me:

the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.

Only an idiot trusts crap uploaded by the general public.

How, you do ask, is such a prepared file going to be uploaded? A worm that intercepts uploads in the browser, for example. I was able to come up with this in two minuttes (sic), I'm sure that any self-respecting blackhat hacker will as well.

The source is irrelevant - the simple fact is that if you trust end-user-supplied data, you're either on drugs, or you should be. BTW - Your statement "worm that intercepts uploads in the browser" doesn't even parse. Go back to your bong.

Re:the article is bullshit.

[mysidia]

You can ZIP the .exe and then embed the .zip in a Microsoft Office Document file as an embedded object, and Gmail will accept, or at least it used to.

You can also use a .RAR, rename the .ZIP to a .ZIPP

Or use COMPRESS or cabutil to deflate the .EXE into a .EX_ or .CAB

Re:the article is bullshit.

Wow, that's a lot of arrogance for just one post.

Re:the article is bullshit.

[maxume]

Since when?

Re:the article is bullshit.

[tomhudson]

... except that the file should be handled as either an swf or a zip - if the browser handles it as both, for any reason, then it's the browser implementation that is broken.

For example, if the browser says "all files that end in ".zip" , I'll do "x" with them, AND says "all files that have a header that begins with the magic number for an swf, I'll do "y" with them, so that you cat the swf and the zip and you can end up running both plugins, it's a broken browser.

To illustrate:

BAD:

if_file_has_swf_header() {code}
if_file_has_zip_ext() {code}

A file with an swf header and a zip extension runs both pieces of code. Bad programmer. BAD programmer. No treat for you!

GOOD:

#define IS_SWF 0x01;
#define IS_ZIP 0x02;
#define IS_DOC 0x04;

FILE_TYPE_MASK tile_type_mask = 0x00;
if_file_has_swf_header( file_type_mask += IS_SWF);
if_file_has_zip_ext() {file_type_mask +=IS_ZIP};
if_file_has_doc_ext() {file_type_mask +=IS_DOC};
// at this point, the invalid file sets the mask to 0x03, (both swf and zip bits set)
switch (file_type_mask) {
case IS_SWF: some code; break;
case IS_ZIP: some code; break;
case IS_DOC: some code; break;
default: unknown_or_corrupt_file();
}
// since file_type_mask doesn't match any of the valid values, it calls the unknown_or_corrupt_file() routine.

In the second example, your file is completely ignored, because it has more than one bit in the mask set, It isn't recognized as a valid swf, and it isn't recognized as a valid zip. The browser doesn't try to load it in the flash plugin, and doesn't try to display the zipped contents either.

All code should have one execution path or "choke point" for stuff like this. If your code doesn't, it's an indication that you need to refactor. If you have a waterfall of if statements, you have a logic fart waiting to stink up the place.

Re:the article is bullshit.

[totally+bogus+dude]

It doesn't quite work like that. Most browsers don't look at magic bytes to try to guess the content of a file, nor do they look at the file extension (since there's no need for anything on the web to actually have a file extension at all); the content-type header is sent by the server for that purpose. (Internet Explorer is one exception to the "most browsers" rule.).

If you click on a link to a .zip file with SWF at the start, the server will (probably) say it's content-type is application/zip or similar, and the browser will do whatever it's configured to do for that kind of content. If the server says its content-type is image/jpeg, the browser will try to interpret it as a JPEG image (and probably fail, resulting in an error being displayed). The browser doesn't try to guess what the content is (unless it's MSIE).

However, you don't normally run a Flash object by clicking on a link to it. When you link to/embed an external resource within HTML, you can specify the content-type within the HTML. Think <link rel="stylesheet" href="..." type="text/css"> for including a stylesheet. This tells the browser not just where it is, but also what it is. This effectively overrides whatever content-type the server sends. It's very often used with <object> or <embed> tags to give the browser an idea of what the object is so it knows whether or not it can handle it before it requests it. It also enables you to put content on servers which don't have a mime-type configured for that file extension and still have them work.

As such, you can embed in a Flash object into a page, referencing an object with a .zip extension, and the browser will ignore the content-type as supplied by the server because it's already been told that it's a Flash object. Therefore, it'll be executed by the Flash plugin. If you also had a normal direct link to the file on the same page and a user clicked on it, it'd be opened in their archive manager, because the browser would be relying on the content-type header sent by the server.

Re:the article is bullshit.

Eh. most of the mods are appallingly ignorant already.

Re:the article is bullshit.

[XSpud]

However, you don't normally run a Flash object by clicking on a link to it. When you link to/embed an external resource within HTML, you can specify the content-type within the HTML. Think <link rel="stylesheet" href="..." type="text/css"> for including a stylesheet. This tells the browser not just where it is, but also what it is. This effectively overrides whatever content-type the server sends. It's very often used with <object> or <embed> tags to give the browser an idea of what the object is so it knows whether or not it can handle it before it requests it. It also enables you to put content on servers which don't have a mime-type configured for that file extension and still have them work.

If Flash is using the type attribute to override the content type returned by the server then it's broken:

"If the value of this attribute differs from the HTTP Content-Type returned by the server when the object is retrieved, the HTTP Content-Type takes precedence." from http://www.w3.org/TR/html4/struct/objects.html#adef-type-OBJECT

Also the real purpose of the attribute is to prevent unnecessary downloads of content that user agents may not support, not to indicate how content should be processed after it's downloaded.

Re:the article is bullshit.

[spongman]

you're misinformed. the only defense is to use a separate domain. every operating system that can run flash is vulnerable. maybe none of those are 'real' in your eyes, but i think that says more about you than anything...

Re:the article is bullshit.

[eulernet]

Flash's security policy is severely broken.

Nope, Flash's security policy is not broken, since it never existed.

Re:the article is bullshit.

But in order for this to be exploitable by the user who uploaded the SWF-disguised-as-a-gif would also have to be able to override the content type by modifying the HTML? How common is it that sites allows *that*?

Re:the article is bullshit.

All browsers do content sniffing now -- apparently it's too difficult for server admins to configure MIME types. So in the example of an overloaded GIF, the browser sniffs the swf header and loads the flash plugin.

Re:the article is bullshit.

Another unnecessary download is the browser downloading the SWF file, which it has no use for anyway. Thus, it won't see the content-type from the server.

Once the browser sees the embed tag, it knows to fire up the Flash plugin. The plugin will then download the SWF file, but doesn't check the content type (it can be argued that this is part of the problem). Why? Because the Flash plugin doesn't care about content types, it only does one thing - play SWF files. Even if the content-type says "Application/MS-Word", it doesn't care. The Flash plugin doesn't have any ability to show Word documents. Either it's playable - and thus a valid SWF file, or it's not.

Re:the article is bullshit.

When the EMBED / OBJECT tag (on a page on a completely different site) tells the browser to point the Flash plugin at said file, it will. The flash plugin will then download the file without checking the content-type header, and execute it as a SWF file.

Since the Flash plugin only knows SWF files, it doesn't care about content-type. Either it's a valid SWF file, or it isn't.

Re:the article is bullshit.

[Civil_Disobedient]

Uh, yes they do. Actually.

Re:the article is bullshit.

[mujadaddy]

You might be thinking of Yahoo! email. I've sent many a .piz through Yahoo...

Re:the article is bullshit.

[TheRaven64]

Zip files, unlike most other file types, are identified by the data at the end, not the start. This is to permit self-extracting zip files, which are an unzip program concatenated with a zip file that can be run by operating systems (which check the first couple of bytes) and opened by unzip utilities. To check that a zip file isn't an SWF file you need to check that it doesn't start with a SWF file header. If you're doing that, then you also need to check that it doesn't start with any other sort of file header that might be malicious. A better solution is for the client only to accept things as flash that the server thinks are flash and serves with the correct MIME type for flash.

Re:the article is bullshit.

[EndlessNameless]

//Only an idiot trusts crap uploaded by the general public.//
 
Some sites by their nature rely on user-supplied content. Facebook, photography enthusiasts, and community blogs all accept files from one user and make them available to another (which is essentially all the site must do in order to bu vulnerable).
 
In many cases, you can process whatever they send you, but there may be cases where you cannot reencode images, covert document formats, or alter/filter/forbid their files. (Whatever the reason---whether it's a matter of legality, policy, or user expectations.) Or you may simply be hosting files.
 
Making a user-supplied file available via HTTP is all that you need in order to be exploited. While you may not need to do this, there are legitimate cases where others do.
 
Ultimately, scanning inbound files for the bits that the Flash plugin uses to identify valid SWF files and removing them should remediate the vulnerability completely---but this shouldn't be necessary because Adobe should have an effective security model.

Re:the article is bullshit.

[DavidTC]

Via someone in another page calling it using <embed>.

Even if said page is on another domain, the flash executes in the context of the domain it's hosted on.

Which means it can interact with that domain however it wants.

I'm still slightly confused as to what the problem is supposed to be, though. Yeah, a flash object can interact with my domain if someone puts it in an avatar image or something...and?

Re:the article is bullshit.

[colfer]

How about this fix for processing uploads:

1. If the file is jpeg, use
jpegtran -copy none "$from" "$to"
That will have the benefit of also removing any cruft, like camera model or author. Sufficient even if there is no comment? In other words, will it strip any payload?

2. For non-jpegs, use imagemagick to convert to PNG:
convert "$from" -flatten "$to.jpg"
Is that sufficient, even if $from is a png? The -flatten will take care of any animated GIF.

Both "jpegtran" and "convert" are pretty standard on Linux setups I think. Jpegtran re-saves a jpeg without loss.

Are the some some other command options that would be advisable?

Re:the article is bullshit.

[colfer]

Correction, of course it's:
convert "$from" -flatten "$to.png"

Re:the article is bullshit.

[deananderson]

The point about not clicking on the content is good but irrelevant to antivirus scanning. Anything that embeds a suitably powerful scripting language is going to be subject to malware in the scripts. PDF's and MS Word, MS Excel files are prime examples. You can't fix this by changing the player, reader, or MS Word programs, except by turning off the script language. It really has to be fixed by anti-virus and malware detection.

Re:the article is bullshit.

[tomhudson]

As I posted elsewhere, the problem is with the browsers. A browser should consistently employ only one technique to decide what type of plugin to run, and it should not allow a file to be mis-identified as two different types of files by using two different validation routines. Cod that allows a file to be identified as an swf in one execution path should not mis-identify the file as a jpg in another path.

Re:the article is bullshit.

[tomhudson]

the server will (probably) say it's content-type is application/zip or similar, and the browser will do whatever it's configured to do for that kind of content.

... and this is broken. Just like the server should not blindly trust user-generated content, the browser should not blindly trust server-generated content. There's no need - it's just sloppy. Just like it shouldn't blindly trust the content-length information and sit there forever if it's wrong - or worse, set a buffer to that size+1 terminating null byte, and then, if the server sends more than the header specified, generate a nice buffer overrun. Or use a buffer underrun to grab data that's sitting in memory.

Re:the article is bullshit.

[tomhudson]

The proper "defense" is to have browsers that don't naively handle content served to them. In other words, just because the server says the content-type is image/jpg doesn't mean the browser should blindly trust it. Same as it shouldn't trust content-length if you want to avoid buffer over/under-runs. A separate domain won't help - an underrun lets me steal the previous contents of the portion of the buffer I haven't written over, so the domain is a non-issue. And an overrun - well, "BAD THINGS(TM)" time.

Browsers should no more trust server data than the server should trust data from the browser.

And everyone already knows "FLASH IS EVIL(TM)" :-)

NEWS FLASH: Web sites need to screen uploads

This is ridiculous. If a web site lets you upload a JavaScript file and then serves it back to you as part of a request, it would be crazy. All that has happened here is that people have worked out that doing the same thing with a Flash file is equally bad.

Of course there's no easy fix apart from web sites being sensible in what they upload -- just like anyone with a clue doesn't let users submit comments with tags in them.

Re:NEWS FLASH: Web sites need to screen uploads

[John+Whitley]

Actually, if you'd bothered to RTFA (I know, I know) the author gives concrete examples of where the SWF payload can be embedded in a swath of other media types and still successfully be used as an attack vector. It's a more complex problem than just serving user-generated SWF files.

Re:NEWS FLASH: Web sites need to screen uploads

whence mimetypes, idiot!

rm -rf ~

why is your $HOME still there?

Re:NEWS FLASH: Web sites need to screen uploads

[smash]

AC needs modding up...

Re:NEWS FLASH: Web sites need to screen uploads

A javascript file won't execute in the context of the domain that it's served from- it executes in the context of an html page. If you upload an HTML page, your example stands.

However, flash files don't need a .swf extension to execute, and the attacker can place executable swfs in many valid file formats. Uploading a malicious SWF is a lot easier than a malicious HTML page.

Re:NEWS FLASH: Web sites need to screen uploads

From TFA, which I did read:

"if I can convince a server to serve up a file on my behalf, I can use that file to attack the server" -- this is not news.

They then go on to talk about GIFAR, but who lets a user upload anything and then embed it as if it were a Flash object (even if it looks like a GIF/ZIP/whatever)? You still need to be letting users embed content on your site that is processed by a plugin that provides an executable environment, which clearly is a bad idea.

Re:NEWS FLASH: Web sites need to screen uploads

[thePowerOfGrayskull]

But this isn't just SWF payload - any kind of payload can be embedded in the same way, and carry the same risks. In addition, unless I'm missing something, the flash content is limited to accessing things owned by that domain, and stored on the client computer by that domain (maybe even within flash itself? not sure?) . Which means - unless a server is particularly stupid about what it keeps on teh client - that the damage it can do is fairly limited, doesn't it?

Re:NEWS FLASH: Web sites need to screen uploads

The embedding need not happen on the victim site. That can happen anywhere. Once uploaded, the embedded object still thinks it's living on the victim site.

Re:NEWS FLASH: Web sites need to screen uploads

[pizzap]

This is ridiculous. If a web site lets you upload a JavaScript file and then serves it back to you as part of a request, it would be crazy. All that has happened here is that people have worked out that doing the same thing with a Flash file is equally bad.

1. You upload the javascript after the binary of a gif file and it gets executed anyways?
2. You create a special link to do that on your attackers page and the javascript executes within the targeted sites domain of origin?

No, javascript doesn't do either, but Flash/Actionscript does:

A Flash object can only access content from the domain it originated from. [...] A flash object does not need to be injected into a web page to execute- simply loading the content is enough. [...] If I can get a Flash object onto your server, I can execute scripts in the context of your domain

Re:NEWS FLASH: Web sites need to screen uploads

[drew]

You missed the point. Flash is not equally bad as JavaScript, it's far worse.

Suppose I'm an attacker, and I upload a malicious javascript file to www.victimsite.example. I then reference it in a site I control www.seemingly-innocuous.example, the javascript file runs in the www.seemingly-innocuous.example domain sandbox. Even though the file was loaded from www.victimsite.example, it can't actually access anything on the victim's site. In order for that to happen I would have to also upload a malicious html document to www.victimsite.example, and convince unwary surfers to visit this new page.

Now I decide to switch to flash. I upload a malicious SWF to www.victimsite.example, and embed it into a page at www.seemingly-innocuous.example. Unlike the JavaScript example, my malicious SWF now runs in the www.victimsite.example domain security sandbox, and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.

It is a big deal, and it is nothing at all like JavaScript. But it's also not remotely new. I'm having a hard time finding anything in this article that hasn't been widely know for some time now. It even mentions attacks that have been going on for years.

Re:NEWS FLASH: Web sites need to screen uploads

[Civil_Disobedient]

It's a more complex problem than just serving user-generated SWF files.

Blinding serving user-generated content is precisely the problem.

As a developer, I'd rather be responsible for sanitizing data than Adobe implementing a half-assed work-around to satisfy the internet ninnies that don't understand that you can't trust your users.

Re:NEWS FLASH: Web sites need to screen uploads

[Civil_Disobedient]

Suppose I'm an attacker, and I upload a malicious javascript file to www.victimsite.example. I then reference it in a site I control www.seemingly-innocuous.example

Ah, well there's your problem. Suppose I upload an infected EXE, and then I link to it in another website. In the grand scope of "things I should worry about," the fact that bad-EXE runs with the security credentials of other site should be the least of my concerns.

Any user content that can be publicly served should be automatically suspect.

Re:NEWS FLASH: Web sites need to screen uploads

You are correct with the following statement:

I upload a malicious SWF to www.victimsite.example, and embed it into a page at www.seemingly-innocuous.example. Unlike the JavaScript example, my malicious SWF now runs in the www.victimsite.example domain security sandbox, and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.

But, and this is a huge BUT, only if the two domains are configured to allow cross sandbox communications with a crossdomain.xml file. Flash can only access content on its own domain and sandbox, if you've created a crossdomain.xml policy file that allows script access between the two domains then this will happen. Otherwise www.seemingly-innocuous.example is trouble free.

Re:NEWS FLASH: Web sites need to screen uploads

[drew]

The point wasn't that the seemingly innocuous domain could be attacked with this method. What I was trying to point out is that the seemingly innocuous web site could be used as a vector for an attack on the victim site.

As I explained, the difference between JavaScript and Flash is what they consider to be "its own domain". JavaScript considers its own domain to be the domain of the page it's running in. Flash considers its own domain to be the domain the flash object is served from. It doesn't seem like it should be a big difference, but it is. Let me flesh out my example a bit more.

Suppose you have an account on the victim site. Suppose you are also a semi frequent visitor of the seemingly innocuous site that I host. If I want to steal your account on the victim site, and the victim site allows arbitrary file uploads, I can upload a flash movie to the victim site. The next time you visit my site, I embed the movie, hosted on the victim site, somewhere in my site that you can't see it. Because Flash considers the victim site to be in its own domain, it is free to contact the victim site however it wants without checking the contents of the crossdomain.xml file. I have just been able to compromise your account without you noticing, and without convincing you to do anything you wouldn't normally do. Performing the same attack with JavaScript, without having to engineer you into visiting a page you don't normally visit on the victim site, would be a much more difficult proposition.

The vulnerability

[Stan+Vassilev]

The vulnerability is not new at all. It's been known for probably coupe of years now. If a site accepts file uploads, in some cases even if simply displays user submitted data like *comments*, a malicious user may upload content that contains a policy XML snippet (the resulting file doesn't have to start with the snippet as well due to some specific of how the content is parsed). Flash can be pointed to that snippet and it will blindly accept it as the security policy for that domain/folder.

The security implications are that even if the site doesn't use Flash itself, a user opening a third party site with Flash could read from the site with the faulty policy.

Say Facebook is vulnerable to this problem (likely it is), and you're logged in. Opening another site will allow Flash on that third party site to read your Facebook details, as it has access to anything you do.

This problem was introduced sometimes Flash 7-8 (I forget) when an ability was added for Flash to read policy files from a custom URL. Prios to that, the only valid location was www.example.com/crossdomain.xml, which is, of course far simpler to lock down and secure. The bottom line is, they can fix this in a number of ways, but not in a backwards compatible manner. For the moment they simply seems to have their bets that people don't care enough about this problem to warrant the effort.

Re:The vulnerability

That is not the same vulnerability at all, although it is related. In this case, the swf itself is being uploaded to the target domain, not merely a policy xml file.

Re:The vulnerability

[RAMMS+EIN]

Seems to me there _is_ an easy fix: disable that behavior by default (why would you want it, anyway?). Then, for sites that are broken by it, allow it to be selectively enabled.

Of course, the fact that Adobe isn't fixing it and we aren't allowed to fix it nicely illustrates why having the whole world depend on a piece of proprietary software is a bad idea at least from a security point of view.

Re:The vulnerability

[ArsenneLupin]

even if simply displays user submitted data like *comments*, a malicious user may upload content that contains a policy XML snippet

Unless the comments are served as text/plain and included in an iframe (unlikelyly complex...), any xml tag included would be html escaped, and thus rendered ineffective. <policy> would become &lt;policy&gt; and lose any special power it had.

If on the other hand, comments were not html-escaped, while still being served as text/html, the web site would have bigger issues than this flash vulnerability, as anybody could just include javascript instead.

(the resulting file doesn't have to start with the snippet as well due to some specific of how the content is parsed)

Hmm, if a prefix to the XML snippet was ignored, and the suffix too, then image uploads might become vulnerable (most sites don't re-encode uploaded images, and probably none scan the binaries for byte-sequences that happen to look like valid xml...).

Re:The vulnerability

[spinkham]

Adobe does have a fix for this behavoir, and it's Flash Meta Policies.
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_03.html

Of course, they're only available to flash 9 and 10, but the people running Flash 8 still have worse security problems to worry about.

Re:The vulnerability

I believe that what you're describing is not what the article is about. However, it is an interesting vulnerability. More appears to be here: http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html

yeah, but it is hidden in non-code Re:Foreign code

[j-stroy]

TFA points out that the flash code can be pre-pended to the entire .zip family, and more.

It is executable code that doesn't look like it is code. That in a nutshell is the problem, aside from the pt of origin of that code being obfuscated.

Another reason to browse inside a VM. btw, anyone know if any browsers can internally handle parallel authentications (ie a virtual browser)?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Flashblock

[Spatial]

Use it.

Re:Flashblock

[MBCook]

No kidding. ClickToFlash is the equivalent for Safari on OS X. The web is so much nicer when you get to chose to display Flash content.

Re:Flashblock

[RiotingPacifist]

Flashblock doesn't keep you safe, Flashblock can be tricked by altering file extension and IIRC it can also be tricked by object tags.
AFAIK noscript is the only addon that will block flash in a secure way, but IMO it too much of a PITA to use.

Re:Flashblock

Why?

So Adobe says...

"Oops! We found security issues with our software and we plan to do absolute dick about it. The problem is now on everyone else's hands." *shit eating grin*

If Adobe doesn't pick uo it's pace

[geekoid]

they will be devoured by silverlight.

It's times like this...

[KillShill]

I'm glad that 64-bit Firefox doesn't have a flash plugin.

Re:It's times like this...

[dlgeek]

Adobe 64 bit flash plugin pre-release. Came out like a year ago.

Re:It's times like this...

[kernelfoobar]

I'm glad that 64-bit Firefox doesn't have a flash plugin.

Really? http://labs.adobe.com/technologies/flashplayer10/faq.html

It's in Alpha but works fine with Fedora 10 and 11. Also works well in CentOS/RHEL 5, rpmforge even has it in the repo:

http://packages.sw.be/flash-plugin/flash-plugin-10.0.32.18-0.1.el5.rf.x86_64.rpm

Oh, your must be using "The OS" (TM) or "The Other OS" (TM)(C), then yeah, your right it doesn't exist and you have my sympathy.

Sorry for the sarcastic tone, I'm just feeling like it right now.

Why does a login form need CSRF protection?

[YA_Python_dev]

Back on topic: according to TFA Google added protection from CSRF attacks to their login form. But why is this necessary? AFAIK login forms with passwords aren't vulnerable to this attack unless the user gives their password to the attacker's site.

I ask because on my website I have CSRF protection for all forms except logins and I wasn't able to find specific information about security problems with my approach with a Google search.

Re:Why does a login form need CSRF protection?

[Lobster+Quadrille]

In this case, it was used to log the user into the attacker's account, which contained the malicious SWF uploaded as an attachment. If the user then logged into gmail (the video uses a registration email to prompt the user to do so), his account would be compromised.

In Gmail's case, there are other privacy consequences to the login CSRF. For example, if the user is logged into an account that I have access to, I can actually view his google search history.

What the...

[thePowerOfGrayskull]

Instead, Arkin added, Adobe has tried to get the word out to Web application designers and site administrators about the danger of allowing users to upload content. "Sites should not allow user uploads to a trusted domain," Arkin argued. "The real issue here is that developers should be cautious about using techniques that can be misused maliciously. In general, this is a general challenge in managing active content."

Arkin is from Adobe. And he's seriously saying that in order to "fix" this, web site owners must simply disallow users from uploading files. Period. (Not through Flash, but all file uploading .) That's a spectacular answer.

On the other hand... I kind of understand where he's comign from. If you let your users upload content unchecked, and serve that content up, you are potentially giving some level of access to client machines. In this case, it seems somewhat minimal? I'm not familiar with actionscript, but you don't get free reign to the user's machien do you? Only content specifically store under the domain of the owning server, in the context of Flash?

Re:What the...

[Tacvek]

He said don't allow uploads to trusted domains. If you want users to upload, they should be uploading to a separate domain. For example my-social-networking-site.com should host uploaded files at MSNS-files.com, or something like that. Being able to execute scripts in the context of MSNS-files.com would be worthless, while executing in the context of my-social-networking-site.com is very valuable.

Re:What the...

[NatasRevol]

Not if my wife's nudie pictures are on MSNS-files.com!!

Re:What the...

[WuphonsReach]

Well, see, here's where things are going to get difficult.

Once we see the TLD explosion occur in a few years where instead of www.ebay.com, eBay just buys up a .ebay TLD, what defines a "domain"? Right now, it seems like Adobe's origin policy needs to be more specific about what is in the same domain or not. Or is eBay going to have to buy .ebay as well as .ebay-files?

Maybe the default needs to be "loaded from the same server" instead of "loaded from this domain or any sub-domain".

Re:What the...

[Civil_Disobedient]

And he's seriously saying that in order to "fix" this, web site owners must simply disallow users from uploading files. Period. (Not through Flash, but all file uploading .) That's a spectacular answer.

A spectacularly stupid answer. If the only person able to view that content is the user that uploaded the file in the first place, the only attack vector is the initial perpetrator. If, on the other hand, a website blindly allows user content to be served to the world without sanitizing it beforehand, well... all bets are off.

Nothing to see here, move along.

Re:What the...

[thePowerOfGrayskull]

Maybe I'm just being dense, but I still see this as very limited. Unless those scripts can somehow access server-side data - perhaps using your cached site authorization?

Re:What the...

[thePowerOfGrayskull]

Indeed; it just seems like this is not a Flash issue, but a domain-level authorization issue: when you have a security model that relies only on originating domain, you're bound to get them. So0meone implant a malicious javascript file the same way, and get access to the same things that the Flash app could get.

Re:What the...

Fun thing to note: The Gmail exploit in TFA uses SWFs that are only available to the attacker's profile. The solution? Use a CSRF hole to log the user into the attacker's account, load the SWF, and then log him back out.

If your content is truly only available to one user, you're correct, but web attacks stack nicely.

Re:What the...

[Tacvek]

The idea of this attack is I upload a GIF to facebook that is also an SWF, and you visit my site where I have an SWF that embed that GIF as an embedded SWF.

The SWF of that GIF can now access/manipulate the content of any browser cookies from this site, and pull content from any URL of that site. So cached credentials are a definite concern. The embedded SWF can pass any gathered information to the host SWF, which could for example HTTP POST the retrieved data to some page on my site. So basically, using the cached credentials, I have effectively full access to your account allowing me to scrape all the data from your profile, friends lists, friends profiles, etc, and could even post links to pornography on your wall in an attempt to get your account banned, etc.

Web browsers give plug-ins full access to cookies, and the ability to requested any URL through the browser's retrieval mechanism. The browser relies on the plug-in to provide security against cross-site attacks. Flash's security model fails badly. IF Adobe does not patch Flash then we have a real problem. Browsers could mitigate the attack by restring the access they give plugins, but this would add significant complexity. Otherwise you are only safe if you use flashblock, or don't have Flash installed at all.

*raises hand*

OK, can we get rid of Flash now?

No? Alright then, just asking.

Easy solution...

[argent]

Implement flashblock in the flash plugin itself, so that users have to explicitly request flash content be run, even if it's packaged in a way that manages to slip by flashblock.

Re:Easy solution...

[moonbender]

Shouldn't this be relatively easy to implement as a wrapper plugin? Instead of having an extension that blocks flash, have a plugin that handles flash. On initial load, it doesn't run the real Flash plugin, displaying a message instead. When clicked, Flash is executed and the plugin interface acts as a pass-through.

Re:Easy solution...

[argent]

That's basically what Flashblock is supposed to be doing, but it doesn't seem to grok all the cases where the Flash plugin would go "OH HAI! UR FLASH! IMA RUN U NOW!"

Re:Easy solution...

[moonbender]

I know, but I AFAIK Flashblock is implemented as an extension. As a wrapper plugin, the browser would have no need to know of the real Flash plugin itself, and there would be no way around Flashblock.

Uploading a swf with a jpg extension?

[FsG]

There's one thing I don't understand from the article.. how can this be triggered through files with other extensions that are served with a proper content type? I mean, let's say you have a phpBB3 (with attachments enabled) forum and some guy uploads a jpg. It's actually a swf in disguise, but phpBB's own checks miss that. Then it's served back to a user with a jpg extension and a jpeg content-type.

According to the article, the SWF can still be executed under these circumstances, but that seems implausible to me. I would think that the browser would simply invoke the jpeg handler, fail to parse the image data, and throw an error.

Re:Uploading a swf with a jpg extension?

[kipin]

According to the article, the SWF can still be executed under these circumstances, but that seems implausible to me. I would think that the browser would simply invoke the jpeg handler, fail to parse the image data, and throw an error.

I don't know if gif/jpeg rules are the same. But you can upload a GIF as a JPEG, and it will still render as a GIF, even though the file is itself JPEG. In fact, even some free image hosting sites exploit this "vulnerability". If you upload a GIF to tinypic, it will rename the file and place the .jpg extension after it.

Firefox and IE seem to have no problem deciphering this so I doubt it is something that the browsers specifically disallow.

Re:Uploading a swf with a jpg extension?

[Lobster+Quadrille]

You'd think so, but you'd be wrong. Embedded content can specify the content-type in HTML (in order for the browser to know what plugin to use to load that content), and Flash trusts that declaration, not the content-type supplied by the server. A properly-designed plugin should trust the server, not the HTML that calls it.

Re:Uploading a swf with a jpg extension?

[FsG]

Correct.. browsers use the MIME type sent by the server, rather than the file extension, to decide which parser to invoke.

So if you have an upload facility, all you have to do is be sure that you're using the jpeg MIME type for jpegs and the gif MIME types for gifs.. it shouldn't matter if the actual bits of the file are an image, an SWF, or even an EXE.. the browser should be invoking the handler that corresponds to the MIME type, not examining the bits of the file to try to guess what it is.

It really looks like the article is overstating things when it claims that forged files can be used with this flash vulnerability.

Re:Uploading a swf with a jpg extension?

[QuoteMstr]

Configuring a web server to send the correct content-type header would take all of five minutes. Clearly, Adobe cares more about saving five minutes of web developer time than about preventing identity theft for millions.

I'm not kidding. Web developer pay Adobe. Flash users don't.

Re:Uploading a swf with a jpg extension?

[Lobster+Quadrille]

Browsers do use MIME type to decide on the parser, except with embed tags, where they use the content-type attribute of the embed tag to decide which plugin to invoke.

The plugin, in turn, *should* check the MIME type to determine whether the file it's loading is valid. The Flash plugin does not.

Re:Uploading a swf with a jpg extension?

[moonbender]

This does sound like a good fix for the issue, though I'm sure it'll break a lot of sites.

Re:Uploading a swf with a jpg extension?

[ChrisMaple]

Some viewers ignore extensions and determine image type by the 4CC: The first 4 bytes of a file, which in many cases identify the actual file type.

Re:Uploading a swf with a jpg extension?

[Ramirozz]

Yes, I was asking the same question and as Lobster said you can include headers in PHP, for example... but I would like to know if there is anything to do to validate these crafted image files because in that case it doesn't matter if you are using flash or not. Well, flash will make it easier to execute it from another domain.

Re:Uploading a swf with a jpg extension?

[MikeBabcock]

Its your web browser lying to Flash, not the web server. Your web browser is accepting the content-type advertised in the HTML and passing the contents on to its plugin handler.

Re:Uploading a swf with a jpg extension?

[JesseMcDonald]

Even better, if the server and the HTML both supply a content-type, the browser should block the plug-in unless the two content-types agree; neither should be ignored.

Counting binary on your fingers.

[beathach]

132 is the number. Do it.

Re:Counting binary on your fingers.

[v1]

I'll have to find the right web site to browse to in order to handle the carry

Silverlight?

[argent]

What origin policy does Silverlight use?

This isn't specific to Flash, it applies to ANY active content that automatically runs.

Re:Silverlight?

[CannonballHead]

Isn't this bug specifically talking about cross-site scripting? So it depends on how Silverlight manages that. I don't know the answer to that.

Re:Silverlight?

[argent]

Isn't this bug specifically talking about cross-site scripting?

No.

Re:Silverlight?

Then what the fuck IS it about? I've read the articles, I've read the comments here, everyone yammers on about executing malicious flash in your "trusted domain" but that doesn't tell me what this malicious flash does or what the hell is so special about this "trusted domain". It SOUNDS like cross-site scripting: you get your flash (actionscript) into someone else's webpage, people load the webpage, the script executes and using the browser's session cookies it calls the appropriate URLs and all of a sudden you have a trillion friends on myspace. Or as the video provided showed, the contents of your victim's gmail inbox.

Re:Silverlight?

[argent]

It's not cross-site scripting because it's not cross-site. The swf really does come from the same site and domain.

On further checking... the problem is that Adobe's plugin will wake up and run a flash applet even if the flash applet doesn't have all the right HTML "hey, this is an applet, here's its parameters" wrapped around it.

Either the browser has to restrict the applet to only show up if it's explicitly told to, or the applet itself has to include something like flashblock so flash applets don't run automatically. And you can just imagine how much Adobe wants to "break" all the Flash sites that people have created that don't follow the rules.

they're too busy...

[Machupo]

working on an x64 version of flash...

oh, wait...

Re:they're too busy...

[Slashcrap]

My 64bit Flash plugin works fine. Sorry about your toy OS.

Bad Adobe!

[onyxruby]

This is the same kind of logic Microsoft used with security in the 9.x kernel. Putting the impetus on third parties to behave and not take advantage of this is nuts! Are they not the least bit familiar with malware or anything else of the like? Bad Adobe, bad!

Let the lawyers fix this

A few hungry lawyers can get this problem fixed in a week. Just get a few injured parties and they will take care of the rest. While they are at it, they can fix the problems with the entire internet protocol suite that allows any application on any box to send and receive any data from any IP with zero traceability or accountability, all for free. This shit has got to end and the only way it will is if the consumers of this 1970s archaic crap we are all swallowing start to complain (i.e., lose money and time).

Flash security has always frightened me

[QuoteMstr]

I've been worried about Flash security for a long time now. I'd like to point out three features of Flash that bother me.

First, Flash allows a web application to paste data to the clipboard even if the browser itself forbids this. Of the major browsers, only IE allows applications to directly set the clipboard content.

Second, Flash has an XMLHttpRequest equivalent with a lax security policy. Cross-domain retrieval is controlled by an XML control file listing permissible origins.

Finally, Flash has its own cookie system. These Flash cookies are hidden from the user, and require special tools to remove.

These features are secure in themselves, but are enablers: they give attackers the means to exploit other vulnerabilities.

Unfortunately, this cavalier attitude fits Adobe's business model. Lax security is as much a feature of Flash as its vector graphics. Flash allows web developers "get shit done" with no regard for the security of the web ecosystem as a whole. Web developers then come to rely on Flash, which increases the adoption of Flash Player among users, which in turn increases the value of Adobe's authoring tools. Being insecure is lucrative, up to the point that the vulnerabilities become so egregious that users disable Flash.

On the other hand, browser vendors seem to take a mostly-conservative approach to security (don't laugh yet): consider XMLHttpRequest: sure, its same-origin restriction on the target URL is inconvenient, and the restriction might have been loosened while remaining secure. But this same prudent restriction has also prevented many attacks. Browser vendors have the right incentives because users have a realistic choice of browsers. Flash is an all-or-nothing affair.

I wish I had an answer. Hopefully, HTML 5 will become widely supported enough that websites won't feel compelled to use Flash for graphics and storage, and eventually Flash's market penetration will sink below the point that web developers can consider it a viable way to circumvent browser security.

Re:Flash security has always frightened me

[CannonballHead]

I wish I had an answer.

[Silver|Moon]light!

;)

Re:Flash security has always frightened me

The funny thing is, despite all the safeguards and such with XMLHttpRequest, you can get almost all the same functionality (no POST requests though) by dynamically adding DOM elements to the page with the src set to whatever parameters for your GET request... and they have no security controls whatsoever so they can be cross-domain.

Re:Flash security has always frightened me

[QuoteMstr]

You can send requests by constructing normal HTML elements, yes, but you can't read the resulting data. Don't take my word for it: try it and see. If you construct an img element from another domain, you can't read its pixels with canvas. If you construct an iframe with content from another domain, you can't read what's inside. A lot of browser security code, in fact, is dedicated to ensuring that data don't leak across domains.

Re:Flash security has always frightened me

[Niten]

Wrong. The two properties of Flash that make it vulnerable to this class of attack are:

1. It relies upon a same-origin security model, and
2. Unlike JavaScript code, Flash objects can be executed by simply being loaded by a browser

Both of these things are just as true for Silverlight as for Flash, so this issue will affect Microsoft Silverlight and its users as well. The reason that this is being advertised as a "Flash vulnerability" instead of a "Silverlight vulnerability" is, I'm sure, simply due to Silverlight's relatively tiny market share.

On the other hand, HTML 5 + JavaScript, Canvas, etc. is a solution to this.

Re:Flash security has always frightened me

[tywjohn]

This has really opened my eyes about Flash. I never really liked it before because it's just kind of bloat but now I'm seriously thinking of disabling it altogether.

Re:Flash security has always frightened me

Just another example reinforcement of my message above about Oracle's new Flash-based support site:

And Oracle Support cannot understand why so many Oracle admins and/or their organizations have issues with their shiny new Flash-based support web site to which we upload all kinds of "debugging" files.

Re:Flash security has always frightened me

[Dirtside]

These Flash cookies are hidden from the user, and require special tools [fightidentitytheft.com] to remove.

Not to speak to any of your other points, but this isn't true. The Flash cookies are simply in your filesystem somewhere and can be deleted like any other files. (Where they are exactly depends on your browser and OS, but they're still just regular files.)

You can't delete them from within the browser without addons or plugins (in other words, the Flash plugin itself does not let you do this -- at least, not without manually setting the allowed disk space to 0 for every single website, which is impractical at best), but unless you consider bash or Windows Explorer to be "special tools," it's not exactly a heinous task.

Re:Flash security has always frightened me

[QuoteMstr]

unless you consider bash or Windows Explorer to be "special tools," it's not exactly a heinous task.

Most users do.

Re:Flash security has always frightened me

[filesiteguy]

How is HTML 5 - as opposed to moonlight/silverlight/flash - not vunerable (potentially) to the same sort of attack?

Re:Flash security has always frightened me

Wrong, Silverlight checks the MIME type of the file. If the MIME type isn't application/x-silverlight-app (or application/xaml+xml for Silverlight 1) then Silverlight doesn't execute it. So no, unlike Flash you can't rename the XAP file to JPG and still have it execute on the client.

Re:Flash security has always frightened me

[RAMMS+EIN]

``Browser vendors have the right incentives because users have a realistic choice of browsers. Flash is an all-or-nothing affair.''

And that is a real problem for users, and not just because of its effect on security. Only Adobe makes software that can handle all the Flash applets out there, and anytime there is only a single supplier, the incentives to make things better for customers aren't there. Adobe has been pretty nice with Flash, considering.

Re:Flash security has always frightened me

[amorsen]

Most of the problem would be solved if the plugin just checked the mime type of the object it is trying to execute. If Silverlight does that, it's significantly better than Flash.

Re:Flash security has always frightened me

the special vulnerability here is that you can 'inline' the flash in other formats and be valid for both checks

Re:Flash security has always frightened me

I second this. Most of the users I have at work just see the desktop. If there isn't an icon for it on the desktop then it is not installed/available to them. The idea to browse through the start menu or, god forbid, C: does not come anywhere near their minds!

Re:Flash security has always frightened me

[ArsenneLupin]

Where they are exactly depends on your browser and OS, but they're still just regular files.

You still need to know the file name. And it doesn't seem to be anything obvious stored under .mozilla and containing flash in its name...

Re:Flash security has always frightened me

[Chuffpole]

Thank you for alerting me to that. I did what I could to delete those cookies, but still had a load of folders (now empty) with website names, in the folder :
C:\Users\(mylogin)\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
- some with unsavoury names :)

I'm glad I've been able to get rid. Thanks.

Re:Flash security has always frightened me

[maxume]

The cross domain stuff isn't that terrible, it defaults to deny, and you can actually turn off flash cookies:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

I'm not sure that qualifies as a special tool or not. Another panel there lets you remove existing cookies.

Re:Flash security has always frightened me

[julesh]

How is HTML 5 - as opposed to moonlight/silverlight/flash - not vunerable (potentially) to the same sort of attack?

Two reasons:

1. If you upload an HTML file to a server with this problem, it will (hopefully) not send it back as text/html, thus the browser will not execute anything in it.

2. If you upload javascript to a server with this problem and attempt to embed it in a web page, it may well be executed, but it will be executed in the context of the page it is embedded in. Thus the onus is on page designers not to point script tags at sources of javascript they don't trust (which is relatively easy, and it is widely known that you need to guard against it). If you do this with flash or silverlight, it is executed in its own context based on the server it was downloaded from. Thus the onus is on server operators not to serve flash or silverlight files they don't trust (which is not actually any harder, but most aren't aware that they need to so a large number are vulnerable).

Re:Flash security has always frightened me

[julesh]

the special vulnerability here is that you can 'inline' the flash in other formats and be valid for both checks

Actually, you're misreading the article here. This is a problem with almost all file formats, because there are a small number of releatively common formats (especially those based on zip files) where the applications that use them start reading at the end of file rather than the start, thus such files can be combined with _any_ file format that starts reading from the start and ignores junk at the end (which is to say, almost all modern file formats, and absolutely all formats that are designed for streaming use). So I'm pretty sure you could do this with silverlight, also.

Re:Flash security has always frightened me

[julesh]

Wrong. The two properties of Flash that make it vulnerable to this class of attack are:

      1. It relies upon a same-origin security model, and
      2. Unlike JavaScript code, Flash objects can be executed by simply being loaded by a browser

The second isn't really necessary; you can trigger this issue by tricking the user into visiting a page with embedded flash. There are two critical points you don't note, however:

1. Unlike Javascript, the origin it uses when embedded in a page is the origin of the flash object, not the origin of the page that embedded it.
2. It ignores content type headers and will execute however it is served.

Re:Flash security has always frightened me

[owlstead]

But do these users really care about cookies? They probably just know what a cookie is, and if they find out a website doesn't work after removing the cookie, they'll probably be more frustrated than before doing the removal.

Re:Flash security has always frightened me

[Zadaz]

You can't delete them from within the browser without addons or plugins

This is also false.

Go to this URL:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

Enjoy.

Re:Flash security has always frightened me

These are two great examples of good intentions having unexpected consequences: XMLHttpRequest and Flash policy files.

Because XHR doesn't allow cross-domain requests, web applications have adopted workarounds like cross-domain JSON via dynamic SCRIPT tags. This is horrible for client security. It requires that the client load script from a different domain and execute it (in the context of the client's domain!) just to get some web service data. That's really scary.

Flash, OTOH, created a way for servers to opt in to sharing data across-domains via policy files. That's actually quite logical, as it's really what you want to do.

The problem now is that sites need to police against having policy files shoved on their sites. But this problem already existed. You wouldn't let a user replace your robots.txt file. You wouldn't let a user upload an HTML+JS file that could then access the same-domain server data then post it across domains (because cross-domain post is permitted in the browser).

Re:Flash security has always frightened me

[Dirtside]

Groovy, thanks for the link. I actually had forgotten about that.

Although I would wonder, if that SWF can access and delete any Flash cookie set by any site, wouldn't that mean ANY site could run such a SWF (and, in theory, access/delete any Flash cookies)? What a weird security policy.

So is there an "immune system" file scanner?

[presidenteloco]

That can look for a signature in the uploaded file bytes that means the file is a swf? or a swf-readable policy xml file?

Anyone know of code that does that? Maybe Adobe would be kind enough to release some Java code and python
code for detecting their own files.

Simple solution

[zcv]

Seems like the simple solution is to serve all non-trusted content from a separate hostname. For example, serve avatars or uploaded files from usercontent.example.com.

As far as I can tell this would stop the attack nicely. The malicious SWF would execute in the context of a domain you don't care about.

Oh no!

[Solokron]

Oh no, a hacker saw my obligatory wacky animated avatar targeting the monthly pop culture event/person/thing/etc/insert/cmdr_taco/bad news everyone/virgin nerd/all your base belongs to us.

Thanks for reminding me ...

To disable Flash and Shockwave in my main browser.

It's remarkable how nice it is to surf the modern web without them ... ads (that I don't already block) have small fonts and easy-to-ignore plain text, I can listen to music and surf, and not have some crappy video start playing in a background window ... I'm loving it.

If I need Flash, I'll just surf with one of the alternate browsers for a page or three. The rest of the time ... bliss. Sheer bliss ...

Re:Thanks for reminding me ...

[owlstead]

An alternate user would even be more preferable. You may stay with your well known browser but your files are more safe this way. Note that everything (maybe except IE) still has user privileges and browsers are hardly an unbreakable fortress. User/file separation is more easily managed. Me, I try to surf as "guest" when I'm trying out sites I find disturbing (most media containing sites are). Cookies, etc. are all destroyed after logging off.

"...fucking idiot..."

[John+Hasler]

We already know webmasters are involved.

Re:"...fucking idiot..."

[RAMMS+EIN]

Thanks, mate. I won't dispute the "idiot", but let's just say I wish you were right about the fucking.

Gnash offering security features to stop malware?

[jbn-o]

Couldn't Gnash feature some interface that effectively prohibit a program from doing things common to malware (fetching data from the user's storage, connecting to someplace else, or sending data, for example)? These things might make some uses very inconvenient but more secure by default than Adobe's flash player.

Obviously I don't know enough about what flash players are expected to be able to do, but I don't see the question being raised elsewhere in the thread.

132?

ITYM 10000100

domain policy

[burris]

I wonder if fears of these sorts of attacks are why many major sites seems to be serving scripts and other static content from a completely different domain instead of a subdomain of the main site like an ostensibly sensible admin would do.

Re:domain policy

[Lobster+Quadrille]

Keeping user content and applications separate isn't ever a bad idea, because you never know when something like this will come up, and some websites do it for that reason alone. That said, they also commonly do it for performance/caching, disk space, and ease-of-integration.

Adobie Gillis?

[freelunch]

Whenever I see yet another Flash security issue, I wonder if Adobie Gillis is their CEO, or maybe they should change their name.

Re:Say it ain't so o o o [Oracle]

And Oracle Support cannot understand why so many Oracle admins and/or their organizations have issues with their shiny new Flash-based support web site (to which we upload all kinds of debugging files) ....

Re:yeah, but it is hidden in non-code Re:Foreign c

[Mister+Whirly]

Another reason to browse inside a VM

Or run the browser in Sandboxie.

Am I not understanding this correctly?

[lidocaineus]

I get the gist of the article - user flash content shouldn't be served from the same domain as your app.

But here's the thing - I know many, many people who run webservers just for the hell of it, and give free accounts to friends and such (the ubiquitous public_html subdirectory for a user, aka ~ ). So let's say the webserver at example.com has something like a secure login for webmail access or other stuff on there as well. It's not terribly vital, but it's still in place. One of the users maliciously uploads one of these flash files, has another person run it, and then that person logs in to another section of example.com - can the attacker then grab that data? It seems to be the case.

So what the hell are people in this situation supposed to do? Is the only solution to move all that user content to a subdomain as well? Seriously? At least javascript is confined mostly to a single PAGE - please tell me I'm reading this incorrectly.

Re:Am I not understanding this correctly?

[ArsenneLupin]

I get the gist of the article - user flash content shouldn't be served from the same domain as your app.

Just let's hope that flash doesn't share the same vulnerability as java, where a malicious app can just fool the VM using conn.setRequestProperty("Host", "appdomain.target.com"); .

Re:Am I not understanding this correctly?

[julesh]

At least javascript is confined mostly to a single PAGE - please tell me I'm reading this incorrectly.

I'm not sure where you're wrong here, but you do seem to be. The consequences of a server being vulnerable to this kind of attack are _exactly the same_ as if the server is vulnerable to a cross site scripting attack: scripts can be executed in the context of the server, allowing attackers access to stored cookies, download files from sections of the site he is logged in to, and make requests in those sections too.

Re:Am I not understanding this correctly?

[DavidTC]

Right, the results are the same: Something running in someone's web browser that can make web requests as if it's the user of the browser. (And hence can post comments, or change passwords, or whatever.)

Although this vulnerability is easier to do, because Flash files stupidly have permission to access the domain they're hosted on, instead of the domain of the page they were called from.

Which lets people, for example, who want to break into your facebook account upload a (hard to determine it is) malicious file to facebook.com, and then embed that file inside a completely different domain's HTML file.

Whereas with javascript, it's the other way around...they'd have to make some code embedding the javascript on facebook, and then they can put the javascript anywhere on the internet.

The second sounds less secure, but is actually more, because a) Almost all forum-ish software is specifically designed so you can't put random HTML tags in it, and b) you can't do an endrun around that by uploading your own HTML file as web browsers will only show them if they have the right mime type, and that requires them having the right extension and thus being obviously filterable.

Whereas Flash ignores all that, and will happily load files with any mime type, from any domain.

Re:Am I not understanding this correctly?

[owlstead]

Just running webservers for the hell of it is dangerous practice, unless you make sure you don't try and do everything. Do those people really patch their servers on time? Do they rely on their fantastic 99.999 percent available ADSL or cable modem connections for connectivity? And then have people upload stuff to your server - ugh. Only to prevent my upstream of being filled up I would not allow such a thing. Having a separate virtual subdomain is an easy problem to solve regarding all the other issues they may encounter.

someone will keep me safe

[darrenkopp]

good thing firefox will automatically block this plug in for me, to keep me safe. that's what they do right?

Re:yeah, but it is hidden in non-code Re:Foreign c

[kaoshin]

I strongly agree with what Google had to say on that at one point. A virtual browser would only be security through obscurity:

"Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're usually just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine." - http://blogs.zdnet.com/micro-markets/?p=1454

Patents

[AlpineR]

The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base.

I'm curious why you used that bit of patent text for your signature. I know that many Slashdotters ridicule patents for claiming the invention of common things. But that's not what that sentence is doing in that patent. It's just defining what a "cup" is for purposes of the patent. That's a wise thing to do since a "cup" could also mean a jockstrap, part of a bra, or the hole in a putting green. The invention includes a certain kind of insulated holder for drinking cups, and with that sentence makes clear that it doesn't apply to the other cups.

Re:Patents

[Lobster+Quadrille]

It isn't to imply that the patent itself was ridiculous (Though it is. The patent makes it sound much neater than it is: a carboard sleeve for insulating your coffee cup from your hand).

I really just found that bit of verbiage humorous... the need to define the cup, and the wording used to do so. I recognize that it is necessary in this type of thing, but that doesn't make it less funny.

wait

[GregNorc]

If the malicious content is served by the site, then even using a whitelist ala Flashblock won't work, will it? That's pretty scary.

Re:wait

[AHuxley]

Wow, thats not nice. Way to much power in one web based tool.
This should all be so sandboxed and open sourced
Let some smart people around the world fix all this stuff :)
No bloat, faster, safer and Adobe can keep its secrets for media/vids ect.

Said Flash to HTML5

[Chas]

Take it away brother. I got nothin'!

Seriously, at least on the web-based video front, this is practically the same as Flash BEGGING to be ousted in favor of HTML5.

Re:Said Flash to HTML5

[Ash-Fox]

Seriously, at least on the web-based video front, this is practically the same as Flash BEGGING to be ousted in favor of HTML5.

Same exploit can be done with XSS javascript, it's not new. I don't see how HTML5 will help.

user agent check?

[flasheru]

So now would be the right time to change the label on the server side user agent check from paranoid to advisable?

typo

[argent]

Damn, I hit preview and I still didn't see it:

Either the browser has to restrict the applet to only show up if it's explicitly told to, or the applet itself has to include something like flashblock

That should be

Either the browser has to restrict the plugin to only see applets if it's explicitly told to, or the plugin itself has to include something like Flashblock

Found it...

[ArsenneLupin]

After a little bit of looking further, I found it:
~/.macromedia/Flash_Player/#SharedObjects/

Re:Found it...

[John+Hasler]

> /.macromedia/Flash_Player/#SharedObjects/

Which on my machine is a symlink to /dev/null.

Cil

[hesaigo999ca]

Cil, adobe, cil adobe, C...I....L.... adobe.

I just can't fathom yet another vulnerability, much less one they have no plans to fix, which you apparently don't even need adobe flash installed on your pc to get infected. Seriously come on...this is really crappy news.

Adobe is going to become the Skynet we all fear in the future, watch and see.... :P

another...

[revxul]

Another nail in Flash's coffin. Another Macromedia product Adobe is running into the ground.

Fore?

Heh, 4 is the first thing I thought of. I use that number when someone has cut me off on the road.

Hey! It just occurred to me: that binary number is also often used in warmups to intimacy! So that's why they call it fourplay!

Sorry Slasdotters. The predeeding is gonna be a huge whoosh to most of you because, well, you don't get it.

(Heh, heh - my captcha is fourfold :)

I'm on Ubuntu.

[haxor.dk]

I use swf-dec and gnash.

Am I vulnerable?

Ok, that was retorical - bwahahah!