Flash Is at Risk, But It's Not All Adobe's Fault
Black Hat security researcher details flaws including XSS-like attacks -- and what Web site owners and developers can do to avoid them.
Adobe's Flash technology has been the target of security researchers for several years, though often it's the Flash Player that gets the bulk of the attention. Mike Bailey, a senior security analyst with Foreground Security, is now turning the focus to how common programming bugs can enable Flash objects to attack Web sites.
Bailey is discussing his research in a talk titled "Neat, New, and Ridiculous Flash Hacks" at the Black Hat D.C. security conference ongoing this week. His talk follows a fix already made by Twitter earlier this month to protect against one of the attack vectors he's talking about.
Bailey told InternetNews.com that his research is focused on how Flash can be leveraged against a Web site, a user, or a Web browser.
"This is different from the other Flash research that has already been done to attack the Flash Player and use it to compromise a user's computer," Bailey said. "Very little research has been done on how the Flash Player and application interact with Web sites and the Web browser."
As a result, Bailey noted that the attacks he has researched are not really Adobe's fault but rather stem from common programming mistakes that enable a Flash object to attack a Web site.
Flash security measures
Since the issues are not exactly flaws in Adobe Flash, Web site owners can take measures to ensure their own security now, he added.
"The issues that I'm discussing can be prevented by Web site owners by being very careful about the Flash content they host and the way they configure and design Flash objects," Bailey said. "All of these issues can be prevented at various stages. Potentially they could be prevented by Adobe, but that would limit functionality."
For instance, he said developers can combat one recurring item he discovered in Flash-related security: XSS attacks and how they occur. He noted that XSS is primarily an input-sanitization issue, and developers just need to understand which inputs need to be sanitized.
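As an added illustration of the input-sanitization point (example code, not from the article or from Bailey's research): an ActionScript 3 document class that treats its flashvars as untrusted and only follows a supplied URL when it is an absolute http(s) URL to an allow-listed host. The class name, the `target` parameter and the host list are assumptions.

```actionscript
package {
    import flash.display.Sprite;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;

    // Added example: a Flash object that validates a flashvar before handing it
    // to the browser, instead of passing whatever the embedding page supplied.
    public class SafeRedirect extends Sprite {
        // Assumed allow-list of hosts this object may link to.
        private static const ALLOWED_HOSTS:Array = ["www.example.com", "example.com"];

        public function SafeRedirect() {
            // flashvars come from the embedding page or the SWF's query string,
            // so a site hosting this SWF must treat them as attacker-controllable.
            var target:String = loaderInfo.parameters["target"];
            if (isAllowedUrl(target)) {
                navigateToURL(new URLRequest(target), "_self");
            }
            // Otherwise do nothing: silently dropping a bad value is safer than
            // echoing it back into the page.
        }

        // Accepts only absolute http(s) URLs whose host is on the allow-list.
        // This rejects javascript:, data:, vbscript: and scheme-relative values,
        // which is the class of input that turns a navigation into script execution.
        public static function isAllowedUrl(url:String):Boolean {
            if (url == null) return false;
            var m:Object = /^https?:\/\/([A-Za-z0-9.-]+)(?::\d+)?(?:[\/?#]|$)/i.exec(url);
            if (m == null) return false;
            var host:String = String(m[1]).toLowerCase();
            return ALLOWED_HOSTS.indexOf(host) != -1;
        }
    }
}
```

The same allow-list check belongs in front of any other sink that reaches the browser, such as `ExternalInterface.call` or `getURL` in older ActionScript.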
In addition to developer vigilance, Bailey also noted that Adobe could change some things, too.
"I would like to see Flash have more user-configurable security and privacy options," Bailey said. "Currently, Flash gives users little control over what is stored on a computer and what capabilities Flash has. I would like to see some ways for a user to be able to limit that without disabling Flash completely."
As part of his research, Bailey leveraged the tools of others, including one from HP, to decompile Flash. At Black Hat D.C. 2009, HP researcher Prajakta Jagdale talked about the security risks associated with Flash and detailed a tool called SWFscan, which was released later in the year by HP.
Overall, however, Bailey said that much of his research was just trial and error working with Flash and its security model.
Bailey added that he has built some of his own tools to help identify Flash issues that he plans to release at some point this year, though he doesn't yet have a firm timeline for their availability.
Despite the wealth of new testing and security tools now available, Bailey added that he still sees a lot of recurring issues that stem from Flash not being properly secured.
"It really just surprised me how common these issues are," Bailey said. "Once you understand the Flash security model and how Flash works, it's extremely easy to exploit."