Flash flaw puts most sites, users at risk, say researchers

Frighteningly bad thing, said Foreground Security, of flaw allowing hackers to hijack sites, attack users

Hackers can exploit a flaw in Adobe's Flash to compromise nearly every Web site that allows users to upload content, including Google's Gmail, then launch silent attacks on visitors to those sites, security researchers said today.

"The magnitude of this is huge," said Mike Murray, the chief information security officer at Orlando, Fla.-based Foreground Security. "Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this."

The problem lies in the Flash ActionScript same-origin policy, which is designed to limit a Flash object's access to other content only from the domain it originated from, added Mike Bailey, a senior security researcher at Foreground. Unfortunately, said Bailey, if an attacker can deposit a malicious Flash object on a Web site -- through its user-generated content capabilities, which typically allow people to upload files to the site or service -- they can execute malicious scripts in the context of that domain.

"This is a frighteningly bad thing," Bailey said. "How many Web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable."

Bailey, who demonstrated how attackers could compromise a Web site and attack users in a post today on Foreground's blog , outlined how a hacker would leverage the Flash flaw. "It's relatively simple," he maintained. "All they need to do is create a malicious Flash object, and upload it to the [Web] server."

He used the example of a company that lets users upload content to a message forum to explain the process. "If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said. "Anyone who then views that avatar would be vulnerable to attack."

Adobe has told Foreground that the flaw is "unpatchable," Murray and Bailey said. Instead, Adobe is trying to educate site administrators to close the hole on their end. But they've not had much success.

"Some of the big Web properties have figured this out," said Bailey. "In a lot of cases, they're hosting user-generated content on another domain, perhaps for performance reasons." Among those site and services that have locked down their servers, Foreground cited Microsoft's Windows Live Hotmail and Google's YouTube. "But very few system administrators are even aware of this," Bailey added.

Even some of Adobe's Web properties are vulnerable to such an attack. "How can Adobe expect others to protect themselves when they can't do it themselves?" asked Murray.

Google's Gmail is also at risk from malicious Flash attack -- Gmail lets users upload and download file attachments -- although Bailey said that exploiting Google's Web mail service would be "extremely tricky" with "lots of hoops to jump through."

Although Foreground has not detected any in-the-wild attacks using the technique, Murray said that there's evidence hackers are moving toward such tactics. "We're starting to see Flash used in these ways," he said, and cited a recent worm that leveraged a similar vulnerability in Adobe's software, which is pervasive on the Web and on users' machines. "The worst-case scenario is that someone would figure this out, and launch silent attacks against the entire Internet."

That fear was a major consideration in Foreground's decision to go public with its information, even though Adobe can't fix the problem with a global patch of some sort. "We went back and forth on this a whole lot," said Murray.

The only current defense users can employ against such attacks is to stop using Flash, or failing that, restrict its use to sites known to be safe with tools such as the NoScript add-on for Mozilla's Firefox, or ToggleFlash for Microsoft's Internet Explorer.

"The best mitigation is to not use Flash," argued Murray, "but we know that that's impossible for most users, since Flash is so widely used on the Web."

"Almost everyone using the Internet is vulnerable to a Web site that allows content to be updated inappropriately," said Murray. "That's not hyperbole, it's just fact. This has the potential to affect any social media site, any career site, any dating site, many retail sites and many cloud applications. That's why this attack is so serious. End users would never know they got exploited."

Adobe was not immediately available for comment.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags hackersGmailadobe flash

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?