
Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

2 recommendations

Smokey Bear

Premium Member

New flash attack has no real 'fix': 'everyone is vulnerable'

Dark Reading | Nov 12, 2009
Researchers have discovered a new attack that exploits the way browsers operate with Adobe Flash -- and there's no simple patch for it.

The attack can occur on Websites that accept user-generated content -- anything from Webmail to social networking sites. An attacker basically takes advantage of the fact that a Flash object can be loaded as content onto a site and then can execute malware from that site to infect and steal information from visitors who view that content by clicking it.

"Everyone is vulnerable to this, and there's nothing anyone can do to fix it by themselves," says Michael Murray, CSO for Foreground Security, which today posted demonstrations of such an attack against Gmail, SquirrelMail, and cPanel's File Manager. "We're hoping to get a message out to IT administrators and CIOs to start fixing their sites one at a time."

An attacker could upload malicious code via a Flash file attachment or an image, for instance, and infect any user that clicks on that item to view it. "If I can trick a system to let me upload anything, I can run code in any browser, and Adobe can't fix this," Murray says. "If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials."

The only thing close to a "fix" is for the Website to move its user-generated content to a different server, according to Michael Bailey, the senior researcher for Foreground Security who discovered the attack.

Bailey says the attack is similar to a cross-site scripting attack. "This is very easy to perform," he says.

The researchers don't expect Adobe to issue any fixes to Flash's origin policy, mainly because it would affect so many applications.

Web application developers could help prevent the attack by denying Flash content by default, which isn't a very realistic option: "Doing that will break a lot of applications," Bailey says. "And that's the problem."

For end users, the Firefox browser add-in NoScript provides some protection from this attack, as does Toggle Flash for Internet Explorer, the researchers say.
»www.darkreading.com/secu ··· 21700036

nwrickert
Mod
join:2004-09-04
Geneva, IL

1 recommendation

nwrickert

Mod

Wonderful.

That's yet another reason to use "flashblock" with Firefox, and to log in as a limited user.

Thanks for posting.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

Smokey Bear

Premium Member

You're welcome.

Lagz
Premium Member
join:2000-09-03
The Rock

1 edit

Lagz to nwrickert

Premium Member

to nwrickert
said by nwrickert:

Wonderful.

That's yet another reason to use "flashblock" with Firefox, and to log in as a limited user.

Thanks for posting.
I'm using NoScript with FF. NoScript has flash blocking.
The Snowman
Premium Member
join:2007-05-20

1 recommendation

The Snowman to Smokey Bear

Premium Member

to Smokey Bear

There are ways to block this exploit even in Internet Explorer, without any add-on: simply enable "automatic prompting of file downloads", and the user will be given a notice before any file is downloaded, and can accept or deny the download.

There are yet other ways to block this exploit but I won't get into those at this time.

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to Smokey Bear

Premium Member

to Smokey Bear
Good ol' NoScript and Flashblock come in handy once again.

I haven't been a big fan of flash anyhow, since it's used in obnoxious ads and other content. Many websites use it to trash up their pages with content from multiple sources.

Maybe this will trigger some changes.

DownTheShore
Pray for Ukraine
Premium Member
join:2003-12-02
Beautiful NJ

1 recommendation

DownTheShore to Smokey Bear

Premium Member

to Smokey Bear
Never heard of Toggle Flash before for IE. Will give it a try.

»flash.melameth.com/

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

Smokey Bear

Premium Member

Original flash vulnerability disclosure/extended info: »www.foregroundsecurity.c ··· ues.html

anon
@tyks.fi

anon to Smokey Bear

Anon

to Smokey Bear
How to block/disable flash in Opera browser?!?

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

Smokey Bear

Premium Member

said by anon :

How to block/disable flash in Opera browser?!?
Opera 8-10: »my.opera.com/Lex1/blog/f ··· -opera-9

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline to Smokey Bear

Premium Member

to Smokey Bear
Thanks for this, Smokey Bear, scary stuff, again

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

1 recommendation

Smokey Bear

Premium Member

As usual, you're welcome sil
Zyniker
Zyniker
Premium Member
join:2004-12-25
Anaheim, CA

Zyniker to Smokey Bear

Premium Member

to Smokey Bear
OS X...and blocking Flash. None too concerned.
SUMware2
Premium Member
join:2002-05-21

SUMware2 to Smokey Bear

Premium Member

to Smokey Bear
Good article. Not so good exploit. Thanks.
DarkSithPro (banned)
join:2005-02-12
Tempe, AZ

DarkSithPro (banned) to Smokey Bear

Member

to Smokey Bear
Sad people have to gimp their Internet experience to protect themselves. "Yea, I'm safe, all I had to do is disable this, this and this..." Might as well use telnet in the future.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

Smokey Bear to SUMware2

Premium Member

to SUMware2
said by SUMware2:

Not so good exploit.
Flash = Crash?

Mashiki
Balking The Enemy's Plans
join:2002-02-04
Woodstock, ON

Mashiki to DarkSithPro

Member

to DarkSithPro
said by DarkSithPro:

Sad people have to gimp their Internet experience to protect themselves. "Yea, I'm safe, all I had to do is disable this, this and this..." Might as well use telnet in the future.
We'll just go back to the dark ages and head in with Gopher, dumb terminals, and maybe toss in some ansi while we're at it.

To me it sounds like we're just about hitting the point where vendors and browsers need to sit down and redesign together for interoperability with proper sandboxing functions, but that's just me.

Lagz
Premium Member
join:2000-09-03
The Rock

3 edits

Lagz to Smokey Bear

Premium Member

to Smokey Bear
Does this mean viewing pictures with flash code embedded in them as well?
"If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials."

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to anon

Premium Member

to anon
said by anon :

How to block/disable flash in Opera browser?!?
Besides Smokey Bear's suggestion, you can also simply kill all plug-ins via F12 > uncheck "Enable Plug-ins". I've got a 'main' tool-bar button that also allows me to do this.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

Smokey Bear

Premium Member

said by Blackbird:
said by anon :

How to block/disable flash in Opera browser?!?
Besides Smokey Bear's suggestion, you can also simply kill all plug-ins via F12 > uncheck "Enable Plug-ins". I've got a 'main' tool-bar button that also allows me to do this.
Correct, but I didn't post that 'fix' because all the plugins that *don’t* cause problems are also disabled...

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 edit

1 recommendation

Blackbird

Premium Member

said by Smokey Bear:

Correct, but I didn't post that 'fix' because all the plugins that *don’t* cause problems are also disabled...
Very true... but user-javascript like flashblock-for-opera or any other requires that javascript in general be enabled in Opera -- and that can present its own security risks (since turning javascript off is the nearest thing to a NoScript feature in Opera). I suppose it's all how one prefers to come at one's security settings...

edit: clarity, first sentence

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

Smokey Bear

Premium Member

said by Blackbird:
said by Smokey Bear:

Correct, but I didn't post that 'fix' because all the plugins that *don’t* cause problems are also disabled...
Very true... but user-javascript like this or any other requires that javascript in general be enabled in Opera -- and that can present its own security risks (since turning javascript off is the nearest thing to a NoScript feature in Opera). I suppose it's all how one prefers to come at one's security settings...
Agreed, disabling all these plugins will notably decrease security risks. Like you say, up to the user how strong (or weak...) their defense will be.
mysec
Premium Member
join:2005-11-29

mysec

Premium Member

Regarding disabling plugins in Opera using the F12 menu:
said by Smokey Bear:

...I didn't post that 'fix' because all the plugins that *don’t* cause problems are also disabled...

In Opera, the F12 menu controls functions globally, but you can easily enable per site when required (my procedure):




----
rich

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird

Premium Member

said by mysec:

... In Opera, the F12 menu controls functions globally, but you can easily enable per site when required (my procedure)...
Folks just need to be aware that sites which redirect a lot to differently-named domains will require a separate site-preference enablement in Opera for each redirected domain. I generally have most things in Opera shut off on a global basis, enabling them only for sites I trust. But I had to step into a couple of cow-pies (as in filing bug reports with Opera) before I realized what was actually happening. Sites would seem to work with certain global enablements, but instead failed with the same enablements only in site preferences... it was the redirects to new domains that were causing the site-prefs to not apply until I included those domains as well in my site-preferences.
Thomas M5
join:2005-06-06
Germany

Thomas M5 to Smokey Bear

Member

to Smokey Bear
Is it safe to insert this "flashblocker.zip" tool in Opera?

I mean, in FF you read a lot about potential security risks of AddOn software just by not knowing what the AddOn-code exactly does...

Thanks,
Thomas

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

Smokey Bear

Premium Member

said by Thomas M5:

Is it safe to insert this "flashblocker.zip" tool in Opera?

I mean, in FF you read a lot about potential security risks of AddOn software just by not knowing what the AddOn-code exactly does...
Like all addons, use at your own risk. However, this particular addon receives solely positive customer feedback.

MeDuZa
join:2003-06-13
Austria

1 recommendation

MeDuZa to Blackbird

Member

to Blackbird
said by Blackbird:

... but user-javascript like flashblock-for-opera or any other requires that javascript in general be enabled in Opera -- and that can present its own security risks (since turning javascript off is the nearest thing to a NoScript feature in Opera).
quote:
You might be one of those people that likes to disable JavaScript, but you might actually have a use for User JavaScripts, which means that you have to enable scripts. This script allows you to write your scripts, but does not allow the page to run its own.
»www.howtocreate.co.uk/op ··· ipt.html

There are lots of nice User JavaScripts for Opera. Nonetheless I have little to no use for them since I prefer my scripts bundled in Proxomitron which is more powerful and versatile.
Additionally I can use Proxomitron with every browser at the same time.
said by Thomas M5:

Is it safe to insert this "flashblocker.zip" tool in Opera?

I mean, in FF you read a lot about potential security risks of AddOn software just by not knowing what the AddOn-code exactly does...
Yes it is.
You can't compare AddOn software with a script. Whilst it's quite easy to hide nasty code in a binary, it's impossible to hide nasty script lines from prying eyes.

haroldo
join:2004-01-16
USA

haroldo to Smokey Bear

Member

to Smokey Bear
Is this a Windows specific risk or does it affect OS X, too?
I asked a similar question »Flash issue, does it affect OS X? in the All Thing Mac forum and instead of a lot of quick replies, so far I only received one "I think so" response.
While I am not doubting the answer (I have no way of knowing one way or the other) I don't want to start blocking things if it's not a risk in my situation.
Thanks!

Lagz
Premium Member
join:2000-09-03
The Rock

1 edit

Lagz

Premium Member

said by Lagz:

Does this mean viewing pictures with flash code embedded in them as well?
"If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials."
After further reading, images are a concern, but with flash disabled or blocked you would be safe. Also, people using FF should use both NoScript and FlashBlock in combination with one another. Images are an issue with people without any flash blocking. It gets even worse though: MP3s, PDFs, and even ZIPs are vulnerable along with other file types.
Uploading a SWF with a .jpg extension, or a forged content-type header will get you a long way, but what if you can upload perfectly valid files with malicious content? Remember GIFAR? The basic premise is this: Overload a GIF file with a JAR archive. Specifically, the ZIP file format can be appended to any binary file and still be valid. The GIF format, in turn, can have any binary file appended to it. The JAR archive, being essentially a ZIP file, can be combined with a GIF image to create a file that is both a valid image and a perfectly valid JAR archive. While SWF files cannot be appended to other formats, the inverse of the GIFAR exploit works- any file format in the ZIP family can have a SWF file prepended to it. This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs. Additionally, if you don't care too much about compliance with standards (and what attacker does?), many server-side content validation libraries will also allow malformed PDFs, MP3s, and other media formats, so long as you are careful not to mangle them too much. This content overloading technique has countless variations, but the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.
This is a bummer! Who wants to browse the net without all the bells and whistles on trusted sites?
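
A server-side triage check for the content overloading described in the disclosure text quoted above, as an added example that is not part of the original thread or of Foreground Security's material. The helper name `overload_findings` and the sample byte strings are constructed for illustration; in line with the quoted conclusion, a hit is a signal for review, and a clean result does not make an upload trustworthy.

```python
import io
import zipfile

# File signatures: uncompressed, zlib-compressed and LZMA-compressed SWF
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def parses_as_zip(data):
    """True if a ZIP reader accepts these bytes (it locates the archive from the end)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.namelist()
        return True
    except (zipfile.BadZipFile, ValueError, OSError):
        return False

def overload_findings(data, declared_ext):
    """Hypothetical helper: list the reasons an upload looks like overloaded content."""
    findings = []
    # A Flash header under any other extension is the "SWF with a .jpg extension" case
    if data[:3] in SWF_MAGICS and declared_ext.lower() != "swf":
        findings.append("SWF header under non-SWF extension")
    # ZIP-family files are read from the end, so bytes in front of the first
    # "PK" record are skipped by the archive reader, while a consumer that
    # reads from the start of the file sees them first
    if parses_as_zip(data) and not data.startswith(b"PK"):
        findings.append("ZIP archive with leading non-ZIP data")
    return findings

def _make_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()

# Constructed samples: signature bytes plus filler, not real media
CLEAN_ZIP = _make_zip()
SWF_STUB = b"FWS\x09" + b"\x00" * 16
GIF_STUB = b"GIF89a" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("clean.zip", CLEAN_ZIP),
                       ("report.zip", SWF_STUB + CLEAN_ZIP),
                       ("avatar.gif", GIF_STUB + CLEAN_ZIP),
                       ("photo.jpg", SWF_STUB)]:
        print(name, overload_findings(blob, name.rsplit(".", 1)[-1]))
```

The check covers both directions named in the quote: a SWF in front of a ZIP-family file, and a ZIP (GIFAR-style) behind an image header.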
jram
join:2003-08-06
Albany, NY

jram to haroldo

Member

to haroldo
»discussions.apple.com/th ··· 10577034