
Critical Vulnerabilities In Adobe Flash Content May Lead to Cross-Site Scripting (XSS) Attacks


STEAM-ADVISORY NO. 2008011401

PURDUE UNIVERSITY SECURITY TEAM CIRT

Monday January 14 2008 11:55:00 EST

**** NOTICE ****

At this time there have been no reported incidents of this exploit from Purdue hosts.

****************

==OVERVIEW==

Critical vulnerabilities in Adobe Flash content have been found which leave potentially hundreds of thousands of websites and a considerable percentage of major Internet sites susceptible to Cross-Site Scripting (XSS) attacks that would allow malicious individuals to steal personal details of visitors.

==SYSTEMS AFFECTED==

* SWF files generated by some of the more popular Flash authoring/development tools automatically contain the vulnerability. Those programs include Adobe DreamWeaver, Adobe Connect (Macromedia Breeze), TechSmith Camtasia, InfoSoft FusionCharts.

* This problem is not limited to authoring tools alone. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects. Autodemo is not the only service provider to have XSS in their products. They just happen to be the only service provider examined by the discoverers of these vulnerabilities. It is possible that other service providers use vulnerable SWFs also.

NOTE: The discoverers of this vulnerability were unable to perform an exhaustive review of all authoring tools that generate SWFs. It is possible that more XSS issues may exist in the products listed above as well as in other applications that save to SWF.

==DETAILS==

Researchers at Google and iSEC Partners, a well-known security firm, have discovered critical vulnerabilities in Adobe Flash applets which are found in potentially hundreds of thousands of sites operated by everything from financial institutions and government agencies to popular social networking and webmail services. The vulnerabilities reside in the Flash applets (SWF files) themselves, not in the Flash player. The Flash applets are vulnerable to attacks in which malicious strings are injected into the legitimate code through cross-site scripting (XSS).

The vulnerabilities are explained in the book "Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions", which recently hit store shelves. According to the book's authors a web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Author Alex Stamos said, "Lots of people are vulnerable, and right now there are no protections available other than to remove those SWFs and wait for the authoring tools and/or Flash player to be updated."

A potential attack scenario would go something like this: "A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker." Details about the individual vulnerabilities and methods of attack can be found in the links provided in the "FURTHER INFORMATION AND RESOURCES" section.

==SOLUTIONS==

Users:

 * The "asfunction" protocol handler vulnerability has been addressed by the critical update released for Adobe Flash Player on December 18th 2007. It is highly recommended to update Flash player to this version as soon as possible.

 * Currently there are no patches available for the remaining vulnerabilities. An Adobe representative said patches should be released in the next few weeks but would likely only provide a partial fix. In the meantime, end users can employ the Firefox plug-in NoScript or use other methods to block Flash on sensitive websites.

Website Owners:

 * Please:

       o Remove vulnerable SWFs from your website

       o Follow the manufacturers' advice on republishing your SWFs

             + Adobe - See http://www.adobe.com/support/security/bulletins/apsb07-20.html

             + Autodemo - Contact your producer or email controlsupdate@autodemo.com

             + Techsmith - Camtasia Studio users can upgrade to Camtasia Studio version 5 to obtain a version which creates SWF files that do not have this vulnerability (visit www.techsmith.com). Users who are concerned about this vulnerability can regenerate their SWF content with Camtasia Studio version 5.

             + Infosoft - Contact support at http://www.fusioncharts.com/Contact.asp

 * It is likely that other authoring tools that automatically generate SWFs can be used for XSS attacks. We highly recommend that website owners serve automatically generated SWFs from numbered IP addresses or from "safe" domains (i.e. domains that contain no sensitive cookies or domains that cannot be used for phishing).

 * Depending on the impact of XSS on a given website, website owners may want to even consider moving or removing all third-party generated SWFs.

Flash Authoring Tools Developers and All Flash Developers:

- Flash based XSS is not limited to authoring tools. Unfortunately, common design patterns used in many Flash applications introduce XSS issues, so all Flash developers, including Flash authoring tools developers, should do the following:

 * Test your SWFs with Stefano Di Paola's SWFIntruder. If you don't, others will.

 * Perform proper input validation on all user definable variables used in URL loading functions and the "htmlText" fields. For example:

       o Where possible, whitelist protocol handlers to only allow "http:" and "https:" in all functions that require URLs

       o When using "getURL()", whitelist user definable input (e.g. only allow alphanumeric characters). Do not rely on the "escape()" function.

       o Depending on the context, whitelist, URL encode, and/or HTML entity encode user input in "htmlText" fields

       o Within your Flash applications, load supporting SWF files, images, and sounds from relative URLs. Disallow absolute URLs. Be aware of open redirectors on your site. Consider rejecting relative URLs containing "..", ".%2e", etc. that attackers could use to traverse to open redirectors.

 * Read Adobe's "Creating more secure SWF web applications" document
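The three whitelist checks above (http/https-only URLs, alphanumeric-only getURL parameters, and relative-only paths that reject ".." even when percent-encoded), as an added example that is not part of the advisory or of any vendor's code. It is written in JavaScript because ActionScript is ECMAScript-derived and the logic maps almost line for line; the function names are this example's own.

```javascript
// Strip ASCII control characters and whitespace that URL parsers skip, then
// lower-case, so " \tJAVASCRIPT:" cannot slip past a case-sensitive scheme check.
function normalize(value) {
  return String(value).replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

// Percent-decode repeatedly (bounded) so ".%2e" and double-encoded "%252e%252e"
// are seen as "..". Malformed encodings return null and are rejected by callers.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return null; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// For functions that take a full URL (e.g. getURL): only http: and https:,
// with a plain host[:port] so "user@host" and other confusing forms are rejected.
function isAllowedAbsoluteUrl(url) {
  return /^https?:\/\/[a-z0-9.-]+(?::\d+)?(\/|$)/.test(normalize(url));
}

// For a user-definable value spliced into a URL: alphanumerics only, bounded length.
function isAlnumToken(value) {
  return /^[A-Za-z0-9]{1,64}$/.test(String(value));
}

// For loading supporting SWFs, images and sounds: a relative path only. Rejects
// any scheme, leading "/" or "//", backslashes, and ".." in decoded form.
function isSafeRelativePath(path) {
  const decoded = fullyDecode(String(path));
  if (decoded === null) return false;
  const v = normalize(decoded);
  if (v === "" || v.startsWith("/") || v.includes("\\")) return false;
  if (/^[a-z][a-z0-9+.-]*:/.test(v)) return false; // any protocol handler
  return !v.includes("..");
}

// Constructed sample inputs, not taken from any real site.
const samples = ["assets/controller.swf", "../other.swf", ".%2e/other.swf"];
samples.forEach(p => console.log(p, "->", isSafeRelativePath(p) ? "allow" : "reject"));
```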

NOTE: Detailed Flash hacking techniques and solutions can be found in "Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions". **This is in no way shape or form an endorsement for or recommendation to purchase this book.**

==FURTHER INFORMATION AND RESOURCES==

theregister.co.uk - Serious Flash vulns menace at least 10,000 websites:

http://www.theregister.co.uk/2007/12/21/flash_vulnerability_menace/

theregister.co.uk - Google researcher calls for Flash flush:

http://www.theregister.co.uk/2008/01/02/buggy_flash_fix/

Posting by Rich Cannings, Senior Information Security Engineer at Google:

http://docs.google.com/View?docid=ajfxntc4dmsq_14dt57ssdw

US-CERT - Adobe Flash Player asfunction protocol may enable cross-site scripting:

http://www.kb.cert.org/vuls/id/758769

US-CERT - Flash authoring tools create Flash files that contain cross-site scripting vulnerabilities:

http://www.kb.cert.org/vuls/id/249337

Adobe - Vulnerabilities in some SWF files could allow cross-site scripting:

http://www.adobe.com/support/security/advisories/apsa07-06.html

APSB07-20 - Critical Flash Update - released December 18:

http://www.adobe.com/support/security/bulletins/apsb07-20.html

Google Validation libraries:

http://code.google.com/p/flash-validators/

Adobe - Creating more secure SWF web applications:

http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html

Stefano Di Paola's SWFIntruder:

https://www.owasp.org/index.php/Category:SWFIntruder

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:

  itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:

  http://www.purdue.edu/securePurdue/incidentReportForm.cfm

http://www.purdue.edu/securepurdue/steam

Posted by Nathan Heck on January 14, 2008, in Advisory Alerts.