In association with heise online

21 December 2007, 12:06

Holes in Adobe's Flash Player a threat to system security [Update]


Adobe has published an update for Flash Player that eliminates many browser-independent security holes. Adobe classifies several of these as critical, because an attacker can infect a PC by placing specially crafted SWF files on Web sites. For this to work, it's sufficient for a page containing Flash content to be opened. The Flash Player is already included as a standard ActiveX Control in Internet Explorer under Windows. In these days of YouTube and other multimedia offerings, users of alternative browsers may also have installed a suitable plug-in from Adobe and so be just as vulnerable.

The versions affected are Adobe Flash Player and earlier, and earlier, and and earlier under Windows, Mac OS X and Linux. Adobe advises all users to download and install the new Flash Version as quickly as possible from the Adobe Flash Player Download Center.

Users who have activated automatic updates should already have been offered a new version. A patched Version 7 can be downloaded by those users who, for their own reasons, want or need to go on using Version 7. Solaris users will not be offered an update with the faults removed until later. Until then, Adobe advises installing the beta version from Adobe Labs.

The security holes result from various bugs, including heap overflows that occur while SWF files are being parsed. Through them, code can be smuggled in and executed with the rights of the current user. According to TippingPoint, this can happen while manipulated JPG images embedded in SWF files are being processed. There are moreover vulnerabilities that allow the Player's domain policy to be circumvented and cross-site scripting attacks to be carried out.

Like Web browsers, the Flash Player restricts, for security reasons, which documents or files may be accessed. For example, the Player may only send data to pages from which it has loaded an SWF file. This is particularly important because Flash supports ActionScript 3, a simple scripting language similar to JavaScript - and the fact that JavaScript can become a security problem is testified to by the very many cross-site scripting vulnerabilities in Web sites and browsers.

HTTP headers can also be manipulated: something that can be exploited in HTTP request-splitting attacks. And ActionScript can be used to find out what ports on a PC are open. According to a security advisory, this can be misused for port scanning by remote computers.
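The domain restriction described above is configured on the server side by a cross-domain policy file (crossdomain.xml), which also governs which HTTP request headers a foreign SWF may send. The script below is an added example, not from the article or from Adobe: it audits such a policy for settings that hand the Player's restriction away. The two sample policies are constructed for illustration, and the element and attribute names are those of Adobe's published crossdomain.xml format.

```python
"""Audit a Flash cross-domain policy (crossdomain.xml) for overly permissive settings.

Added example, not part of the original article. It assumes the crossdomain.xml
element/attribute names documented by Adobe; the two sample policies below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a permissive policy of the kind that defeats the Player's
# domain restriction - any SWF on the web may read this host's responses and
# send it arbitrary request headers.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: a restrictive policy that names the one trusted origin.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-http-request-headers-from domain="www.example.com" headers="X-Requested-With"/>
</cross-domain-policy>
"""


def audit_policy(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the policy looks tight."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # "all" means policy files anywhere on the host are honoured, so any user
    # who can upload a file to the site can publish their own policy.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control=all: policy files anywhere on the host are honoured")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain=*: any SWF on the web may read this host's responses")
        # secure="false" lets an SWF loaded over plain HTTP read HTTPS content.
        if el.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from {domain}: secure=false lets SWFs loaded over HTTP read HTTPS content")

    # Combined with domain="*", headers="*" lets any SWF set arbitrary headers,
    # which is exactly what the header-manipulation issues build on.
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain", "") == "*" and el.get("headers", "") == "*":
            findings.append("allow-http-request-headers-from domain=* headers=*: any SWF may send arbitrary headers")

    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(f"{name}: {len(audit_policy(policy))} finding(s)")
        for finding in audit_policy(policy):
            print("  -", finding)
```

Run against a site's own crossdomain.xml, the four findings on the permissive sample are the ones worth removing first; the restrictive sample produces none.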

So far there have been no reports of Web sites actively exploiting the holes in Flash. Fortunately YouTube, for example, only permits files to be uploaded in the WMV, AVI, MOV and MPG formats and encodes these into the Flash format itself, so there should be no maliciously crafted movies there. MySpace, too, creates a new Flash movie from an uploaded one. Things may be different on other pages, however. Users should consider installing a Flash blocker in addition, for example FlashBlock for Firefox. This prevents a Flash film from being loaded and played until the user has approved it.

The port scanning vulnerability in Flash Player has been known since last August. At this year's CCCamp, the hacker "fukami", who found the hole, demonstrated how ActionScript detects the open ports on a system. The web page "Design flaw in AS3 socket handling allows port probing" gives a demo and a more detailed description of the problem. On this page, you can also test whether Adobe's update and the suggested workaround actually work.
