Critical Vulnerabilities In Adobe Flash Content May Lead to Cross-Site Scripting (XSS) Attacks
STEAM-ADVISORY NO. 2008011401
PURDUE UNIVERSITY SECURITY TEAM CIRT
Monday January 14 2008 11:55:00 EST
**** NOTICE ****
At this time there have been no reported incidences of this exploit from Purdue hosts.
Critical vulnerabilities in Adobe Flash content have been found which leave potentially hundreds of thousands of websites and a considerable percentage of major Internet sites susceptible to Cross-Site Scripting (XSS) attacks that would allow malicious individuals to steal personal details of visitors.
* SWF files generated by some of the more popular Flash authoring/development tools automatically contain the vulnerability. Those programs include Adobe DreamWeaver, Adobe Connect (Macromedia Breeze), TechSmith Camtasia, InfoSoft FusionCharts.
*This problem is not limited to authoring tools alone. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects. Autodemo is not the only service provider to have XSS in their products. They just happen to be the only service provider examined by the discoverers of these vulnerabilities. It is possible that other service providers use vulnerable SWFs also.
NOTE: The discoverers of this vulnerability were unable to perform an exhaustive review of all authoring tools that generate SWFs. It is possible that more XSS issues may exist in the products listed above as well as in other applications that save to SWF.
Researchers at Google and iSEC Parters, a well-known security firm, have discovered critical vulnerabilities in Adobe Flash applets which are found in potentially hundreds of thousands of sites operated by everything from financial institutions and government agencies to popular social networking and webmail services. The vulnerabilities reside in Flash applets (SWF files) themselves not the Flash player. The Flash applets are vulnerable to attacks in which malicious strings are injected into the legitimate code through cross-site scripting (XSS).
The vulnerabilities are explained in the book "Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions", which recently hit store shelves. According to the book's authors a web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Author Alex Stamos said, "Lots of people are vulnerable, and right now there are no protections available other than to remove those SWFs and wait for the authoring tools and/or Flash player to be updated."
A potential attack scenario would go something like this: "A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker." Details about the individual vulnerabilities and methods of attack can be found in the links provided in the "FURTHER INFORMATION AND RESOURCES" section.
* The "asfunction" protocol handler vulnerability has been addresses by the
critical update released for Adobe Flash Player on December 18th 2007. It
is highly recommended to update Flash player to this version as soon as
* Currently there are no patches available for the remaining
vulnerabilities. An Adobe representative said patches should be released
in the next few weeks but would likely only provide a partial fix. In
the meantime, end users can employ the Firefox plug-in NoScript or use
other methods to block Flash on sensitive websites.
o Remove vulnerable SWFs from your website
o Follow the manufacturers' advice on republishing your SWFs
+ Adobe - See
+ Autodemo - Contact your producer or email
+ Techsmith - Camtasia Studio users can upgrade to Camtasia
Studio version 5 to obtain a version which creates SWF files
that do not have this vulnerability (visit www.techsmith.com).
Users who are concerned about this vulnerability can
regenerate their SWF content with Camtasia Studio version 5.
+ Infosoft - Contact support
* It is likely that other authoring tools that automatically generate SWFs
can be used for XSS attacks. We highly recommend that website owners
serve automatically generated SWFs from numbered IP addresses or from
"safe" domains (i.e. domains that contain no sensitive cookies or domains
that cannot be used for phishing)
* Depending on the impact of XSS on a given website, website owners may
want to even consider moving or removing all third-party generated SWFs
Flash Authoring Tools Developers and All Flash Developers:
- - Flash based XSS is not limited to authoring tools. Unfortunately, common
design patterns used in many Flash applications introduce XSS issues, so
all Flash developers, including Flash authoring tools developers, should
do the following:
* Test your SWFs with Stafano Di Paola's SWFIntruder. If you don't, others
* Perform proper input validation on all user definable variables used in
URL loading functions and the "htmlText" fields. For example:
o Where possible, whitelist protocol handlers to only allow "http:"
and "https:" in all functions that require URLs
o When using "getURL()", whitelist user definable input (e.g, only
allow alphanumeric characters). Do not rely on the "escape()"
o Depending on the context, whitelist, URL encode, and/or HTML entity
encode user input in "htmlText" fields
o Within your Flash applications, load supporting SWF files, images,
and sounds from relative URLs. Disallow absolute URLs. Be aware of
open redirectors on your site. Consider rejecting relative URLs
containing "..", ".%2e", etc. that attackers could use to traverse
to open redirectors.
* Read Adobe's "Creating more secure SWF web applications" document
NOTE: Detailed Flash hacking techniques and solutions can be found in
"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions".
**This is in no way shape or form an endorsement for or
recommendation to purchase this book.**
==FURTHER INFORMATION AND RESOURCES==
theregister.co.uk - Serious Flash vulns menace at least 10,000 websites:
theregister.co.uk - Google researcher calls for Flash flush:
Posting by Rich Cannings, Senior Information Security Engineer at Google:
US-CERT - Adobe Flash Player asfunction protocol may enable cross-site
US-CERT - Flash authoring tools create Flash files that contain cross-site scripting vulnerabilities:
Adobe - Vulnerabilities in some SWF files could allow cross-site scripting:
APSB07-20 - Critical Flash Update - released December 18:
Google Validation libraries:
Adobe - Creating more secure SWF web applications:
Stafano Di Paola's SWFIntruder:
==STEAM-CIRT CONTACT INFORMATION==
For questions concerning this advisory, please send email to:
Report computer-related abuse to steam-cirt:
Posted by Nathan Heck on January 14, 2008, in Advisory Alerts.