
Flash Vulnerabilities Affect Thousands of Sites

Posted by kdawson
from the waves-of-shock dept.
An anonymous reader sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."
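An added example, not part of the original story or its comments: the summary says cleanup starts with combing website directories for SWF files, and this sketch does that inventory step by file signature (`FWS`, `CWS`, `ZWS` plus version and length, per the SWF header layout) instead of trusting the `.swf` extension. The function names and the sample files are constructed for illustration, and it does not test any file for the vulnerability itself.

```python
import os
import struct
import tempfile

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian
# length of the uncompressed movie.
SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def read_swf_header(path):
    """Return (compression, version, declared_length), or None if not SWF."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if len(head) < 8 or head[:3] not in SIGNATURES:
        return None
    return SIGNATURES[head[:3]], head[3], struct.unpack("<I", head[4:8])[0]


def inventory_swf(webroot):
    """List files under webroot that contain, or are named as, SWF."""
    findings = []
    for dirpath, dirs, files in os.walk(webroot):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            named_swf = name.lower().endswith(".swf")
            try:
                header = read_swf_header(path)
            except OSError:
                findings.append({"path": rel, "status": "unreadable"})
                continue
            if header:
                # SWF content under another name is missed by "*.swf" searches.
                status = "swf" if named_swf else "swf-other-extension"
                comp, version, length = header
                findings.append({"path": rel, "status": status,
                                 "compression": comp, "version": version,
                                 "declared_length": length})
            elif named_swf:
                findings.append({"path": rel, "status": "not-swf"})
    return findings


def build_sample(root):
    """Write constructed sample files (headers only, no real movies)."""
    samples = {
        "banner.swf": b"CWS\x08" + struct.pack("<I", 1234),
        "old/intro.swf": b"FWS\x05" + struct.pack("<I", 20),
        "img/logo.gif": b"FWS\x07" + struct.pack("<I", 64),  # SWF bytes, .gif name
        "broken.swf": b"GIF89a\x01\x00\x01\x00",
        "index.html": b"<html></html>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for item in inventory_swf(root):
            print(item)
```

The resulting list is the worklist for the one-by-one review the summary describes; the version byte helps group files by the authoring generation that produced them.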

  • by capnkr (1153623) on Sunday December 23, 2007 @01:35AM (#21795738)
    ...how does the fact that Flash is proprietary affect its vulnerability? As in "that's the price you pay..."???

    I don't get that part.

    But I am crossing my fingers that this will help move designers away from using it. :)
  • Re:Preference (Score:5, Insightful)

    by palegray.net (1195047) <philip DOT paradis AT palegray DOT net> on Sunday December 23, 2007 @01:38AM (#21795766) Homepage Journal
    Flash done right can be extremely useful, as a tool for adding a dynamic interface to a site. Unfortunately, Flash is (in my opinion) usually done horribly wrong, and implemented in a manner that doesn't give site visitors any alternate means of using the site. I've seen good implementations where Flash was used only for a particular application, and the rest of the site was done in standard-compliant HTML/CSS. I've also seen really scary work on countless occasions where the entire site was one big Flash presentation. Ugly stuff.

  • by noidentity (188756) on Sunday December 23, 2007 @01:46AM (#21795802)
    Funny, I've been using a permanent workaround since way before these were discovered: don't install Flash. As a bonus, you get notified with a blank screen when visiting a website with no useful content, so you don't waste any time trying to figure out how the hell to navigate it.
  • by Anonymous Coward on Sunday December 23, 2007 @01:49AM (#21795818)
    If it were open the source code could be audited and perhaps this vulnerability (or others) would have already been identified and corrected. With proprietary solutions you just don't get that option.
  • by Max Threshold (540114) on Sunday December 23, 2007 @01:55AM (#21795858)

    Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

    Huh? So this is some kind of phishing attack? Exactly how is Flash involved, and what should we be watching out for? (Other than never entering important data into a form we reached by clicking... always good practice.)

  • Re:Preference (Score:5, Insightful)

    by Anonymous Coward on Sunday December 23, 2007 @02:18AM (#21795976)
    Depends on what you are trying to achieve, but I would never go with Flash. The only benefit of Flash is that it will keep the majority of users from "stealing" your content by downloading it and saving it to a file. And you also get to code up your own crappy player in it too. If you want it playable on the largest number of devices (what people normally claim is the benefit of Flash), then go with MPEG-1 which will work more places than Flash.
  • by Jack9 (11421) on Sunday December 23, 2007 @02:31AM (#21796030)
    Even open source implementations are vulnerable to XSS.

    Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

    In summary, "Phishing can work against Flash apps." Specifically, the article says someone at Google documented something about XSS working against Flash apps...being really light on the details. This could apply to Google's stock market Flex charting, for example. Adobe hasn't done anything about it and didn't respond to EMAIL inquiries about it.
    My question is who asked The Register, to troll against Adobe? AND how did it get posted on /. /Lemme know if I missed something.
  • Re:Preference (Score:5, Insightful)

    by Anomolous Cowturd (190524) on Sunday December 23, 2007 @03:39AM (#21796268)
    Not a fan of flash either, but the one application it is actually good for is the youtube-style video embedding. I prefer flash to the satan-spawned abominations quicktime & windows media player, as the platform support is better, among other things.
  • by Tumbleweed (3706) * on Sunday December 23, 2007 @03:44AM (#21796284)
    To me, flash can be used in one of three ways, in decreasing amounts of popularity:

    Nice rant, but you seem to fail to realize that the web, and computer software in general, tend to fall in the same sort of categories. That's just the way it is. Don't forget Sturgeon's Revelation, "90 percent of everything is crud." (Though I believe this estimate to be conservative, and certainly the adjective chosen is much more polite than is usually quoted.)

    I'd rather have the possibility of having those few brilliant Flash-based sites/RIAs than to NOT have that ability at all. If you don't like the show, change the channel.

    In other words, get over it. :)
  • by Deanalator (806515) <pierce403@gmail.com> on Sunday December 23, 2007 @04:01AM (#21796352) Homepage
    The problem isn't that adobe has a poor implementation of the flash protocol. If that was the case, they could just patch the issues (like in the past). These issues stem from the protocol itself, and that it is very liberal on how it defines access control. This is not something that can be fixed by open source. Even if gnash did have a top notch security team (which I doubt, since it sounds to me like they are still having trouble getting swf to parse safely), they would need to redefine much of the protocol, add proper mandatory access controls. Doing this in a way that would not break existing flash applets would be a huge pain in the ass. Not to mention having to go back and change everything again once adobe releases a new version.
  • Re:Preference (Score:5, Insightful)

    by JackMeyhoff (1070484) on Sunday December 23, 2007 @04:22AM (#21796420)
    Most flash is done WRONG unfortunately, and most sites either open in a new limited controllable window and / or have a screen area the size of a postage stamp. Flash sucks for many reasons, and these are 2 of them.
  • by RAMMS+EIN (578166) on Sunday December 23, 2007 @04:33AM (#21796448) Homepage Journal
    My feelings about Flash are kind of mixed. On one hand, it's proprietary technology. Specifications have, at some point, been published, but I don't think they are current, and there certainly isn't a full-featured implementation from anyone other than Adobe. This is bad.

    On the other hand, looking at what Flash does, and at other technologies that do these things, it seems to me that Flash is clearly technologically superior. I don't know how large the browser plugin is these days, but the one that used to come with Opera used to be very small, and yet provide features that web masters are trying to kludge together with AJAX and whatnot, and for which the W3C has come up with the gargantuan SVG, which has even more elephantine implementations. Flash is the clear winner here.

    And then, of course, there is the misuse of Flash for things where Plain Old HTML would be much better. But then again, if Flash were a widely-implemented open standard (rather than a widely-implemented proprietary technology which yet leaves some users in the cold), perhaps such use wouldn't be _mis_use.

    So, all in all, I think that Flash would be _great_ if it weren't proprietary...but the fact that it _is_ proprietary is a real obstacle.
  • Funnily enough.. (Score:3, Insightful)

    by Junta (36770) on Sunday December 23, 2007 @04:47AM (#21796482)
    gnash [gnu.org] does exist, it's a flash clone. So yes, an open-source 'solution' exists, that isn't mature. I can't tell whether you were being satirical in saying it doesn't exist, but just in case..

    As to the question at hand, I don't know enough detail about the vulnerability myself, however note:

    Stamos said Adobe is likely to update its Flash Player so it does a better job of vetting code variables before executing SWF files. But he said interaction with third-party code is such a core part of the way Flash works that updates to the player would likely provide only a partial fix.
    So while I do not understand the technical details, those that do understand believe some sort of player-side sanity checks would be good to mitigate the consequences. In the open-source world, they would be able to construct a proof-of-concept publicly of a 'hardened' flash plugin that may avoid glaring mistakes. He does concede that while a player-side change could mitigate the exposure, the servers must recompile their end to be complete. Could they do it with Gnash? Maybe, if Gnash was even complete enough to even support the features that can be exploited here, which I don't know.
  • by foreverdisillusioned (763799) on Sunday December 23, 2007 @05:20AM (#21796568) Journal
    Even open source implementations are vulnerable to XSS.

    Firefox + NoScript FTW. Filters XSS even from sites you've otherwise whitelisted (which does *very* rarely cause a problem, but you can manually override if necessary.)
  • by imr (106517) on Sunday December 23, 2007 @06:06AM (#21796678)
    There is one nice Free Software alternative to Flash as a streaming video embedded applet, it's cortado [flumotion.net].

    The problem is that it lacks a little more work to be always stable and some more to get other codecs like speex incorporated. But the developer is gone and nothing has been developed since 2006. So it could be a nice project to pick up for someone with knowledge in Java, who wants to do some useful work for the Free Software users instead of only relying on Free alternative to the Flash player which won't solve the main problem, the format. Right now, it's even worse, all linux distros rely on flash for their video solution, which is a pity.

    Close to the point, with the way Java is designed, you don't have this kind of security issue, since you can't embed the player and stream videos from another domain.
  • by Lennie (16154) on Sunday December 23, 2007 @06:38AM (#21796742) Homepage
    I think there are definitely other reasons why an open source mentality is important.

    Who thinks anyone will be working on this grave security issue during the holidays?

    If it was an open source project, I think it would be more likely a (or few) developer(s) would be.

    I could be wrong of course.

    What do you think?
  • Flash != Evil (Score:5, Insightful)

    by ckorhonen (1207018) on Sunday December 23, 2007 @07:13AM (#21796826) Homepage
    I really would like to hear details of the 'vulnerability' just so I can begin checking our code and performing an assessment of whether or not this is a credible and realistic threat to the security of our customers.

    In the past, many vulnerabilities have been reported on the Flash player, but most of them follow a similar kind of theme - the rogue SWF file must be created with third party authoring tools, and/or modified in a hex editor, in order to put the malicious code in there to begin with. In addition, due to the security sandbox and crossdomain restrictions, it needs to be downloaded from your site anyway. So, it's perfectly possible for a SWF to wreak havoc on a user's machine, the only caveat is that someone within a company, with access to the web servers and source code, would need to have created it in the first place - something I'm sure is indicative of a larger problem!

    Oddly, most non Flash/web developers tend not to see it that way - I have a beautiful MP3 of a conversation I had with one of our 'Security' people who just consistently ranted on about undisclosed vulnerabilities as a reason not to use Flash in a project.

    In my years of working with the web and the Flash platform, I have not yet seen a single workable exploit that could present a credible threat to the majority of Flash users on the web, not without the user or the site already being compromised in some manner.

    The only somewhat grey area is where Flash is used for online advertising, but you will find that most of the main publishers out there are aware of this and perform some level of code review on ads before they go live - I work for a bank and we don't run any 3rd party adverts without seeing the sourcecode and decompiling any SWF assets provided.

    Really guys, the Flash platform isn't the cloud of evil you are making it out to be. Granted, it has been used for some really annoying things in the past, but used right, it can really help to deliver a friendly, usable and engaging user experience. In addition, in Adobe's hands we have seen it become more open than ever before - Flex, AMF, Tamarin, all released as open source in the past year. I'd be surprised if this trend does not continue.

  • by mha (1305) on Sunday December 23, 2007 @08:15AM (#21797022) Homepage
    Why is this article that doesn't explain ANYTHING, gives no references, and shows no hint of KNOWLEDGE on the part of the author, but only lists stereotypes, labeled "insightful"? I'm missing any insights!

    The guy even calls Flash a "protocol"! This is the OPPOSITE of insight!!!
  • Neither is Flash (Score:3, Insightful)

    by DrYak (748999) on Sunday December 23, 2007 @10:10AM (#21797528) Homepage

    Actually MPEG-1 is not supported natively by IE or Firefox.


    Neither is Flash.
    Both need plugins to work.

    The HUGE difference comes from the fact that Flash is only available from 1 single company which produces plugins for only a small handful of platforms (except maybe for the open-source Gnash [gnashdev.org] plugin, which already kind of works, but still needs a lot of effort).
    Whereas, MPEG players are available for whatever platform you may think about as long as it has either the processor horsepower or a decoding co-processor. Including your basic 32-bit Windows, but also Linux running on 64-bit Sparc or Itanium, PalmOS-powered PDAs, GSM phones, MP3 players, less popular or obscure OSes (Syllable, Haiku, etc.), consoles as old as DreamCast (software) or even PlayStation and Saturn (hardware), etc.

    The only problem is that, given the huge amount of players, some are more crappy than others. And often, pre-assembled computers, when bought in big shops, come with a lot of crappy software installed.

    But then you have the same problem with Flash with thousands of Flash video players, some much more ugly and inefficient than others. It only shifts the problem of having a good player from the user to the website designer.
  • Re:Preference (Score:2, Insightful)

    by stewbacca (1033764) on Sunday December 23, 2007 @10:43AM (#21797744)

    Most flash is done WRONG unfortunately
    Most slashdot posts are done INCORRECTLY.
  • by Anonymous Coward on Sunday December 23, 2007 @11:23AM (#21797980)
    Hey, Rezmason here.

    I agree that Flash is often misused, but I never thought I'd see such an overwhelmingly negative reaction to a Flash vulnerability. Flash gets updated relatively frequently, alright? It's kind of troublesome to read a "that's what you get" kind of statement on the front page of this site, especially if the writer isn't exactly in the loop.

    Besides, there's a silver lining on this cloud. The more professional Flash websites will be quicker to address this vulnerability, whereas the ones that have been thrown together will make for bigger targets. Maybe this will motivate employers to hire Flash devs who really know what they're doing. After all, with Flash's scripting capabilities, developing in it for a client should be a serious matter based on trust.

    And finally, despite its closed nature, Flash has (I believe) an installer base about the size of the number of computers that comprise the Internet. And it's proprietary, and has been from the start, even though it's opening up more every day. And it's got enough tricks up its sleeve to empower THIS creative professional. Ubiquitous, powerful, and CLOSED, that's right. If that makes you uncomfortable, please turn it off. But for pete's sake, don't rail on it.
  • Re:Preference (Score:3, Insightful)

    by cecil_turtle (820519) on Sunday December 23, 2007 @11:27AM (#21798010)
    The only thing Flash ever did right was to have a workable de-facto standard video format for the web. Oh and games / animations, if you're into that. As far as I'm concerned those are the only good uses for Flash.
  • Re:Preference (Score:3, Insightful)

    by jedidiah (1196) on Sunday December 23, 2007 @12:55PM (#21798548) Homepage
    The whole "gratuitous infection vector" problem.

    Many sites use flash for no good reason when pure HTML would be perfectly fine. In the process they make the entire process less secure, more error prone and ultimately less accessible.

    flash vs. flash for no good reason.
  • by Deanalator (806515) <pierce403@gmail.com> on Sunday December 23, 2007 @02:57PM (#21799358) Homepage
    If I gave explanations and references, it would be "informative" :-)
  • by Sloppy (14984) on Monday December 24, 2007 @02:55PM (#21808242) Homepage Journal

    Flash is bad because bad designers use it to make bad websites...yet bad designers make crappy HTML sites all the time.

    HTML doesn't have the expressive power to be dangerous. Go ahead and make a bad site with HTML and be as malicious as possible: you still can't do anything really dangerous. At worst, you might exploit a browser bug; but that will be a problem with the browser, not the format and the intended expressive power of HTML. Flash, in stark contrast, now allows the author to resize browser windows and pop deceptive things up. [youtube.com] The fact that Flash is capable of doing these things (watch the movie) means it's not appropriate for the web. (BTW, I'm quite aware of the irony of having just linked to a page that uses Flash to show a movie. I think that just indicates what a big problem that Flash has created for us.)

    yet one of the most popular websites in the world used it to reinvent how we experience video on the web.

    And that site is vastly inferior to how it could be, if they just linked to standardized-format movie files.

    I realize useful things are possible with Flash. But Flash is nevertheless the wrong tool for users, because its creators made it too dangerous. You could say the same thing about executing native code as root. Sure it would have positive uses (maybe some people would like a web-based partition-your-hard-disk program), but users would have to be very foolhardy to allow it.

    In my opinion, every web technology sucks pretty mightily, for one reason or another

    Interchange formats can be designed to be safe for the reader, and most of them are. Image formats are safe. Movie formats are safe. Text markup formats are safe. Flash is not. Why does Flash have to be a special case, where common sense and decades of experience, no longer apply?

    My own clients LOVE Flash sites. They insist on them.
    You are looking at things from the viewpoint of the publisher. That doesn't mean it is in users' interests. It's swell that you can make money on it, but it's still in the interests of users to get away from this danger. I could probably make money selling crack. There's demand! But that doesn't really mean that smoking crack is a safe or sane thing to do.

    They want animations, and sound, and websites that look the same in every browser.
    And users don't want that nearly as much. Those that do, would like it to be done safely, where the publishers' power over their computer's behavior has limits. Those limits are below what Flash currently allows.
