Security

Flash-Based Vulnerability Lingers On Many Websites, Three Years Later

itwbennett writes: The vulnerability known as CVE-2011-2461 was unusual because fixing it didn't just require the Adobe Flex Software Development Kit (SDK) to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't. Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers. They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.
This discussion has been archived. No new comments can be posted.

  • by dgatwood ( 11270 ) on Tuesday March 24, 2015 @09:39PM (#49332967) Homepage Journal

    None of the pages about this bug—not the article, not the CVE, and not the Adobe explanation—tell what the actual attack vector is. They just say that they're vulnerable to XSS. Does that mean that the Flash code can be used on somebody else's domain? Does it mean that the Flash code can in some way be tricked into loading content from the wrong domain on behalf of page JavaScript? If so, and if Flash code uses only non-hardcoded URLs, does that mitigate the problem?

    The thing is, even if you got rid of all the insecure Flash applets out there, a malicious person could still host one somewhere. So depending on the nature of the attack, the only real way to fix it might be for Flash to deliberately break every Flash applet linked against the old SDK. If the attack is dependent upon the flash being hosted from the same domain as the content you're trying to steal (e.g. cookies), then the right way to fix it is for web developers to eradicate Flash from their websites.

  • by craighansen ( 744648 ) on Tuesday March 24, 2015 @09:45PM (#49333001) Journal

    If a malevolent SWF file could be copied and hosted elsewhere, how could Adobe reasonably claim to have corrected the vulnerability at all?

    • by mysidia ( 191772 )

      could be copied and hosted elsewhere, how could Adobe reasonably claim to have corrected the vulnerability at all?

      Think of it the same as if GCC had a bug that caused it to generate machine language code containing a vulnerability, when you were compiling a project. The bug was fixed, but all binaries previously compiled are vulnerable until rebuilt using a version of the compiler after the bugfix was made.

      The vulnerability is a same-origin policy violation affecting only the site that hosts the SWF fi

  • Do as we say... (Score:4, Insightful)

    by SeaFox ( 739806 ) on Tuesday March 24, 2015 @09:56PM (#49333037)

    They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites.

    Talk about not dogfooding.

  • by s.petry ( 762400 )

    Client Server technology has always had a problem where the client must trust the server. Adobe could have done better with Flash, but compromised security for flexibility. Exactly what every Bank I know of has done, and insurance company, and government agency, and department store, etc.. etc... etc...

    If you are worried, don't download content you don't trust. It's not an absolute fix, because malicious files could still be uploaded to Facebook and Youtube. That said, I doubt your world will end when y

  • disable flash! (Score:4, Insightful)

    by Gravis Zero ( 934156 ) on Tuesday March 24, 2015 @10:21PM (#49333167)

    there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.

    if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.

    • Re: (Score:2, Troll)

      those that haven't switched to html5 yet will do so soon enough.

      What about IE6 users, you insensitive clod

    • by colfer ( 619105 )

      On Win8, Chrome and IE have Flash built-in. Flash updates have become an issue only on Firefox, and even there you can make Flash "ask to activate," and Mozilla central blocks outdated versions. On Win7 you still have to update Flash for IE as well as Firefox.

      I guess everyone using a browser knows this, but hasn't deemed it worthwhile to respond to these comments apparently from some archived library of ranting. Or you're on Linux or Apple! I don't know how it works there.

    • by colfer ( 619105 )

      More accurately, disable the Java plugin if you have Java installed for other purposes.

  • when can we go from slowly transitioning from flash to html5, to actively and aggressively killing flash as a policy initiative coordinated among major websites?

    i think a cost/ benefit analysis presentation to the right corner office could get this ball rolling

  • Flash has been in a perpetual state of vulnerable for, what, almost years now?

    Every 2-3 months for that entire time, Flash has had yet another security hole in it.

    So, I'll continue to leave it disabled in my browsers. About 3 times per year I cave and fire up an IE which has it enabled because someone in HR still insists on something I must use it for.

    But, seriously, Flash should be killed off. It's terrible. It's always been terrible. And it's not showing any signs of not being terrible.

    It serves ads, a
