Rapid7 Exposes Flash Vulns with NeXpose


Adobe's Flash is often the target of hackers as a route to exploit applications and desktops. While updating the Flash Player as patches are issued is required to help protect users, how do you actually scan a Flash application to see if it's a security risk?

Security vendor Rapid7 is now out with an update of its NeXpose vulnerability management solution that takes specific aim at Flash. NeXpose 4.10.4 provides full decompilation of Flash content in an effort to help identify security risks.

"For Web application administrators, the challenge is to have a tool that finds embedded links in Flash so that all parts of the website are scanned, and to uncover vulnerabilities that are included in the code, such as hard-coded login credentials, insecure crypto, and usage of debugging functions," Andres Riancho, director of Web security at Rapid7, told InternetNews.com. "The only way to uncover these is to decompile the binary Flash applications and to conduct a static code analysis."

Rapid7 develops a number of security technologies and is the leading sponsor behind the Metasploit and w3af open source Web security projects.

Riancho added that the most challenging sections of the code for Rapid7's development team are those that perform the decompilation process.

"We've tested our decompiler with different Flash compilers and even a simple 'if' statement changed from one to the other," Riancho said. "There were also simple performance enhancements introduced by the compiler, which were present in Adobe’s but not in the rest, which made our work more interesting for a couple of days."

While NeXpose can identify Flash-based security risks, developers will still need to dig through code in order to fix some issues. Riancho explained that NeXpose shows the code snippet where the vulnerability was found. He added that, in his view, pointing to the exact file and line number in the original source code is impossible. Riancho noted that the decompilation process generates source code that has the same logic, variable names, etc., but it’s not possible to regenerate the exact same source code.

Rapid7 isn't the first vendor to take aim at identifying Flash risks. In 2009, HP debuted its WebInspect 8.0 tool, which also took aim at Flash vulnerabilities. IBM also joined the fray in 2009 with the release of its AppScan 7.8 Web application vulnerability solution.

According to Riancho, there have been some point solutions for pure-play Web application scanning that have included Flash decompilation. He believes Rapid7 is the first vendor to provide this technology in a broad vulnerability management solution that not only checks Web applications for vulnerabilities, but also tests the security of network devices, operating systems, and databases.

Moving forward, Riancho noted that Rapid7 is going to continue to assess emerging security threats that represent real risk.

"Web application vulnerabilities represent a significant risk," Riancho said. "We continue to monitor how attackers are exploiting real-world customers, and expect that we’ll be evolving the product in numerous ways to anticipate these threats."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.
