Flash flaw puts most sites, users at risk, say researchers

"Frighteningly bad thing," said Foreground Security of a flaw that allows hackers to hijack sites and attack their users

Hackers can exploit a flaw in Adobe's Flash to compromise nearly every Web site that allows users to upload content, including Google's Gmail, then launch silent attacks on visitors to those sites, security researchers said today.

"The magnitude of this is huge," said Mike Murray, the chief information security officer at Orlando, Fla.-based Foreground Security. "Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this."

The problem lies in the Flash ActionScript same-origin policy, which is designed to limit a Flash object's access to content from the domain it originated from, added Mike Bailey, a senior security researcher at Foreground. Unfortunately, said Bailey, if an attacker can deposit a malicious Flash object on a Web site -- through its user-generated content capabilities, which typically allow people to upload files to the site or service -- they can execute malicious scripts in the context of that domain.

"This is a frighteningly bad thing," Bailey said. "How many Web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable."

Bailey, who demonstrated how attackers could compromise a Web site and attack users in a post today on Foreground's blog, outlined how a hacker would leverage the Flash flaw. "It's relatively simple," he maintained. "All they need to do is create a malicious Flash object, and upload it to the [Web] server."

He used the example of a company that lets users upload content to a message forum to explain the process. "If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said. "Anyone who then views that avatar would be vulnerable to attack."

Adobe has told Foreground that the flaw is "unpatchable," Murray and Bailey said. Instead, Adobe is trying to educate site administrators to close the hole on their end. But they've not had much success.

"Some of the big Web properties have figured this out," said Bailey. "In a lot of cases, they're hosting user-generated content on another domain, perhaps for performance reasons." Among the sites and services that have locked down their servers, Foreground cited Microsoft's Windows Live Hotmail and Google's YouTube. "But very few system administrators are even aware of this," Bailey added.
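An added example, not code from the article or from Foreground, of the two server-side controls the avatar scenario above calls for: inspecting uploaded bytes for a Flash signature instead of trusting the filename, and serving stored avatars from a separate user-content origin as the locked-down sites do. The host name, function names and sample files are assumptions constructed for the example.

```python
# Added example (not from the article): defensive checks for a forum avatar
# upload so a Flash object cannot be stored and served back as an "image"
# from the application's own origin.
from dataclasses import dataclass
from typing import Optional

# Magic bytes of the image formats the avatar endpoint is willing to store.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Every SWF file starts with one of these markers: uncompressed (FWS),
# zlib-compressed (CWS) or LZMA-compressed (ZWS).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Assumed separate origin for user content; not the forum's real host.
USER_CONTENT_HOST = "https://usercontent.example"


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    detected_type: Optional[str] = None


def detect_image_type(data: bytes) -> Optional[str]:
    """Classify the upload by its leading bytes, ignoring the client's filename."""
    for kind, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def check_avatar_upload(filename: str, data: bytes) -> UploadDecision:
    """Refuse anything Flash Player could execute; the bytes decide, not the name."""
    if data[:3] in SWF_SIGNATURES:
        return UploadDecision(False, "SWF signature found; refused regardless of extension")
    kind = detect_image_type(data)
    if kind is None:
        return UploadDecision(False, "not a supported image format")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension '.{ext}' not allowed for avatars", kind)
    return UploadDecision(True, "ok", kind)


def avatar_url(avatar_id: str, kind: str) -> str:
    """Serve stored avatars from the separate origin, never from the forum's domain."""
    return f"{USER_CONTENT_HOST}/avatars/{avatar_id}.{kind}"
```

The signature check is only one layer; hosting the content on a different domain, as the article's locked-down sites do, limits the damage from anything the check misses.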

Even some of Adobe's Web properties are vulnerable to such an attack. "How can Adobe expect others to protect themselves when they can't do it themselves?" asked Murray.

Google's Gmail is also at risk from malicious Flash attack -- Gmail lets users upload and download file attachments -- although Bailey said that exploiting Google's Web mail service would be "extremely tricky" with "lots of hoops to jump through."

Although Foreground has not detected any in-the-wild attacks using the technique, Murray said that there's evidence hackers are moving toward such tactics. "We're starting to see Flash used in these ways," he said, and cited a recent worm that leveraged a similar vulnerability in Adobe's software, which is pervasive on the Web and on users' machines. "The worst-case scenario is that someone would figure this out, and launch silent attacks against the entire Internet."

That fear was a major consideration in Foreground's decision to go public with its information, even though Adobe can't fix the problem with a global patch of some sort. "We went back and forth on this a whole lot," said Murray.

The only current defense users can employ against such attacks is to stop using Flash, or failing that, restrict its use to sites known to be safe with tools such as the NoScript add-on for Mozilla's Firefox, or ToggleFlash for Microsoft's Internet Explorer.

"The best mitigation is to not use Flash," argued Murray, "but we know that that's impossible for most users, since Flash is so widely used on the Web."

"Almost everyone using the Internet is vulnerable to a Web site that allows content to be updated inappropriately," said Murray. "That's not hyperbole, it's just fact. This has the potential to affect any social media site, any career site, any dating site, many retail sites and many cloud applications. That's why this attack is so serious. End users would never know they got exploited."

Adobe was not immediately available for comment.


Gregg Keizer

Computerworld (US)