  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| New flash attack has no real 'fix': 'everyone is vulnerable'
Dark Reading | Nov 12, 2009
Researchers have discovered a new attack that exploits the way browsers operate with Adobe Flash -- and there's no simple patch for it.
The attack can occur on Websites that accept user-generated content -- anything from Webmail to social networking sites. An attacker basically takes advantage of the fact that a Flash object can be loaded as content onto a site and then can execute malware from that site to infect and steal information from visitors who view that content by clicking it.
"Everyone is vulnerable to this, and there's nothing anyone can do to fix it by themselves," says Michael Murray, CSO for Foreground Security, which today posted demonstrations of such an attack against Gmail, SquirrelMail, and cPanel's File Manager. "We're hoping to get a message out to IT administrators and CIOs to start fixing their sites one at a time."
An attacker could upload malicious code via a Flash file attachment or an image, for instance, and infect any user that clicks on that item to view it. "If I can trick a system to let me upload anything, I can run code in any browser, and Adobe can't fix this," Murray says. "If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials."
The only thing close to a "fix" is for the Website to move its user-generated content to a different server, according to Michael Bailey, the senior researcher for Foreground Security who discovered the attack.
Bailey says the attack is similar to a cross-site scripting attack. "This is very easy to perform," he says.
The researchers don't expect Adobe to issue any fixes to Flash's origin policy, mainly because it would affect so many applications.
Web application developers could help prevent the attack by denying Flash content by default, which isn't a very realistic option: "Doing that will break a lot of applications," Bailey says. "And that's the problem."
For end users, the Firefox browser add-in NoScript provides some protection from this attack, as does Toggle Flash for Internet Explorer, the researchers say.
»www.darkreading.com/security/sho···21700036
-- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Official Jetico Inc. Support Forums »www.smokey-services.eu/ |
|
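For site operators, the two server-side measures the quoted article points at (keeping user uploads on a different server, and not letting Flash content pass as an image) can be sketched as follows. This is an added example, not code from the article, Foreground Security or any poster in this thread; the host `usercontent.example`, the function names and the header plausibility limits are assumptions made for illustration.

```python
import os
import struct

# Constructed placeholder: a dedicated host for user uploads, separate from
# the application's own origin (the "different server" the article mentions).
UPLOAD_ORIGIN = "https://usercontent.example"

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def find_swf_headers(data):
    """Offsets of plausible SWF headers: signature, version byte, LE length."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                (declared_len,) = struct.unpack("<I", header[4:8])
                # Assumed plausibility limits, to cut down chance matches.
                if 1 <= version <= 50 and declared_len >= 8:
                    hits.append(pos)
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def inspect_upload(filename, data):
    """Return (accepted, reason) for an upload claimed to be an image."""
    ext = os.path.splitext(filename)[1].lower()
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return False, "extension not on the image allow-list"
    if not data.startswith(magics):
        return False, "content does not match the claimed image type"
    offsets = find_swf_headers(data)
    if offsets:
        return False, "SWF header found at offset %d" % offsets[0]
    return True, "ok"


def serving_url(file_id):
    """Uploads are only ever linked from the separate upload origin."""
    return "%s/files/%s" % (UPLOAD_ORIGIN, file_id)
```

The byte scan is a heuristic: a three-byte signature can occur by chance in a large image, so a hit is a reason to quarantine or re-encode the file rather than proof of Flash content.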
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Wonderful.
That's yet another reason to use "flashblock" with firefox, and to login as a limited user.
Thanks for posting. -- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.15 |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub | You're welcome.  |
|
  rawwhide Zer0 Premium join:2000-09-03 Zero clubs:
·AT&T DSL Service
1 edit | reply to nwrickert
said by nwrickert :
> Wonderful.
> That's yet another reason to use "flashblock" with firefox, and to login as a limited user.
> Thanks for posting.
I'm using NoScript with FF. NoScript has flash blocking.
-- To talk much and arrive nowhere is the same as climbing a tree to catch a fish. |
|
 The Snowman Premium join:2007-05-20
·Verizon Online DSL
| reply to Smokey Bear
There are ways to block this exploit even in Internet Explorer... without any add-on: simply enable "automatic prompting of file downloads"... and the user will be given a notice before any file is downloaded... and can accept or deny the download.
There are yet other ways to block this exploit but I won't get into those at this time. |
|
  EGeezer Summertime - Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
| reply to Smokey Bear
Good ol' NoScript and Flashblock come in handy once again.
I haven't been a big fan of flash anyhow, since it's used in obnoxious ads and other content. Many websites use it to trash up their pages with content from multiple sources.
Maybe this will trigger some changes. -- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis |
|
  DownTheShore Maddie Knows Poopie Premium join:2003-12-02 Beautiful NJ clubs: | reply to Smokey Bear Never heard of Toggle Flash before for IE. Will give it a try.
»flash.melameth.com/ |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub | reply to Smokey Bear Original flash vulnerability disclosure/extended info: »www.foregroundsecurity.com/flash···ues.html |
|
  anon
@tyks.fi | reply to Smokey Bear How to block/disable flash in Opera browser?!? |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| said by anon :
> How to block/disable flash in Opera browser?!?
Opera 8-10: »my.opera.com/Lex1/blog/flashbloc···-opera-9 |
|
  siljaline mind that delimiter Premium join:2002-10-12 Montreal, QC | reply to Smokey Bear Thanks for this, Smokey Bear scary stuff, again  |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub | As usual, you're welcome sil  |
|
 Zyniker Zyniker Premium join:2004-12-25 Anaheim, CA | reply to Smokey Bear OS X...and blocking Flash. None too concerned.  |
|
 SUMware Premium join:2002-05-21 | reply to Smokey Bear Good article. Not so good exploit. Thanks. |
|
 DarkSithPro
join:2005-02-12 Huntington Beach, CA | reply to Smokey Bear Sad people have to gimp their Internet experience to protect themselves. "Yea, I'm safe, all I had to do is disable this, this and this..." Might as well use telnet in the future. |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| reply to SUMware
said by SUMware :
> Not so good exploit.
Flash = Crash? |
|
  Mashiki Balking The Enemy's Plans
join:2002-02-04 Woodstock, ON
·Bright House
·Rogers Hi-Speed
| reply to DarkSithPro
said by DarkSithPro :
> Sad people have to gimp their Internet experience to protect themselves. "Yea, I'm safe, all I had to do is disable this, this and this..." Might as well use telnet in the future.
We'll just go back to the dark ages and head in with Gopher, dumb terminals, and maybe toss in some ansi while we're at it.
To me it sounds like we're just about hitting the point where vendors and browsers need to sit down and redesign together for interoperability with proper sandboxing functions, but that's just me. |
|
  rawwhide Zer0 Premium join:2000-09-03 Zero clubs:
·AT&T DSL Service
3 edits | reply to Smokey Bear
Does this mean viewing pictures with flash code embedded in them as well?
> "If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials."
-- To talk much and arrive nowhere is the same as climbing a tree to catch a fish. |
|
  Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
·Verizon Online DSL
| reply to anon
said by anon :
> How to block/disable flash in Opera browser?!?
Besides Smokey Bear's suggestion, you can also simply kill all plug-ins via F12 > uncheck "Enable Plug-ins". I've got a 'main' tool-bar button that also allows me to do this.
-- If God wanted us to work with electrons, He'd make them big enough to see... |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| said by Blackbird :
> said by anon :
> > How to block/disable flash in Opera browser?!?
> Besides Smokey Bear's suggestion, you can also simply kill all plug-ins via F12 > uncheck "Enable Plug-ins". I've got a 'main' tool-bar button that also allows me to do this.
Correct, but I didn't post that 'fix' because all the plugins that *don't* cause problems are also disabled...
-- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Official Jetico Inc. Support Forums »www.smokey-services.eu/ |
|