
Google Researchers found vulnerabilities in Flash

Illustration by Brajeshwar

Google Researchers have documented serious vulnerabilities in Adobe Flash SWFs.


The Register reports that Google Researchers have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors.

The security bugs are in the Flash SWFs, the ubiquitous building blocks for graphics, animation, audio, video and high-end (Enterprise) Rich Internet Applications across the web. According to the research findings, the SWFs are vulnerable to attacks in which malicious strings can be injected into the legitimate code through cross-site scripting, or XSS. Currently, there are no patches for the vulnerabilities. The latest Flash Player release (version 9.0.115.0) does not fix these vulnerabilities.


The vulnerabilities are laid out in an upcoming book Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions. It is due to hit store shelves soon, but is already in the hands of many security professionals. The book’s authors, who work for penetration testing firm iSEC Partners as well as for Google, say a web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites.

Alex Stamos, one of the book’s authors, said:

Lots of people are vulnerable, and right now there are no protections available other than to remove those SWFs and wait for the authoring tools and/or Flash player to be updated. In the meantime, people will have to think, “What kind of flash am I using on my site,” and manually test for vulnerabilities. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn’t quell the threat completely.

Here is an attack scenario: a bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer’s authentication cookies or login credentials to be sent to the attacker.

Stamos adds that Adobe is likely to update its Flash Player so it does a better job of vetting code variables before executing SWF files. But he said interaction with third-party code is such a core part of the way Flash works that updates to the player would likely provide only a partial fix. Eradicating the problem will require updates for all of the SWF rendering and Flash authoring tools so they no longer generate buggy Flash content.
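The scenario above and Stamos's remark about vetting code variables both describe a SWF that trusts values handed to it by whoever embedded or linked to it. The page does not say which SWF patterns the book covers, so what follows is an added ActionScript 3 example, not code from the page, the book or Adobe. It assumes a hypothetical banner SWF that reads a `target` parameter from FlashVars or the query string and navigates to it on click: the unsafe form passes that value straight to `navigateToURL`, while the hardened `sanitizeTarget` accepts only absolute http(s) URLs and falls back to a fixed default otherwise. The class name, parameter name and default URL are invented for the example.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.MouseEvent;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;

    // Hypothetical banner SWF (added example, not from the page or the book).
    // It takes a "target" parameter from FlashVars / the query string and
    // navigates to it when the banner is clicked.
    public class SafeBanner extends Sprite {
        // Used whenever the supplied value fails validation (assumed URL).
        private static const DEFAULT_TARGET:String = "https://www.example.com/";

        // Only absolute http(s) URLs are accepted. Any other scheme, including
        // script pseudo-URLs that would run in the hosting page's origin, is
        // rejected rather than passed to the browser.
        private static const ALLOWED_SCHEMES:RegExp = /^https?:\/\//i;

        private var target:String;

        public function SafeBanner() {
            // loaderInfo.parameters holds FlashVars and query-string values,
            // i.e. data chosen by whoever embedded (or linked to) the SWF.
            var supplied:String = loaderInfo.parameters["target"] as String;

            // Unsafe form (what the page describes as the vulnerable pattern):
            //   target = supplied;
            // Hardened form: validate before the value ever reaches navigateToURL.
            target = sanitizeTarget(supplied);

            addEventListener(MouseEvent.CLICK, onClick);
        }

        // Returns the supplied URL only if it is an absolute http(s) URL that
        // contains no whitespace or control characters; otherwise the default.
        public static function sanitizeTarget(value:String):String {
            if (value == null) {
                return DEFAULT_TARGET;
            }
            // Strip leading/trailing whitespace before checking the scheme.
            var trimmed:String = value.replace(/^\s+|\s+$/g, "");
            if (!ALLOWED_SCHEMES.test(trimmed)) {
                return DEFAULT_TARGET;
            }
            // Embedded whitespace or control characters are a sign of tampering.
            if (/[\s\x00-\x1f]/.test(trimmed)) {
                return DEFAULT_TARGET;
            }
            return trimmed;
        }

        private function onClick(e:MouseEvent):void {
            // Open in a new window so the banner never navigates the host page.
            navigateToURL(new URLRequest(target), "_blank");
        }
    }
}
```

The check lives inside the SWF because that is where the untrusted parameter is consumed; the hosting page can add a second, independent layer by setting the `allowScriptAccess` object/embed parameter to `never` or `sameDomain`, which limits what the SWF may do to the page's scripting but does not replace validation of the SWF's own inputs.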

Perhaps this is the second big vulnerability that has made such noise about Flash Player insecurity. However, we should remember that the technique is pretty much applicable to all other technologies, JavaScript, server-side scripts, etc. Being able to do it in Flash SWFs makes it a bit more techy, automatic and sophisticated. Personally, I’m not sure if the Register authors know all the abilities of Flash; they keep talking about Flash as just graphics and animations. Well, that’s so Flash 4; we’re in Flash 9 now! The Internet has lots of people who hate Flash because they still think of Flash as it was in the Flash 4 or Flash 5 “Skip Intro” days.

24 Comments

  1. Ha! .. as you said, a cross-site scripting or XSS attack is very much possible with JavaScript/HTML sites as well ... I'm not discounting the seriousness of the problem but I am amazed at the hypocrisy of Dan Goodin (the author at the Register) who fails to mention this in his article.

  2. Strange, I thought that allowScriptAccess should block that kind of "functionality"?
    For me the worst vulnerability is when data causes a buffer overflow on my machine, leading to malicious code execution. There was such a bug with frame labels in Flash, but years ago.

    XSS/XSRF, as Mrinal said, are common problems in the browser environment, and Flash is only one of its members.

  3. Maliboo,
    I think so too, allowScriptAccess should safeguard from this problem ... I'm not sure what the basis behind those Google reports is; maybe they are saying that most sites don't take advantage of this safeguard.

    If you really think about it, Flash is vulnerable to XSS only because JavaScript is vulnerable to it; if a SWF closes its gates to JavaScript the SWF would not have a problem.

  4. They must have done their homework, and so it must be more than that. The report doesn't really elaborate on that fact. Either we have to wait for the book to come out or wait for another report with a detailed explanation of the vulnerabilities.

    It also, if you really look at it, looks like a PR effort or fear campaign which will help sell the books. ;-)

  5. I would like to see a real case first...
    What kind of vulnerabilities are we talking about? :)

  6. The point is that the vulnerability is not "server side", that is, it's not affecting the web server. It seems that somehow an attacker can modify the content served by the web server, thus resulting in something like an XSS attack, with the execution of arbitrary JavaScript code on the client.
    I really wonder how it works; I did not know there was something writable in a Flash file...

  7. I just read the original article at the Register and it really doesn't read like someone who is knowledgeable about Flash. As others have mentioned, the focus on graphics & animation, leading to criticisms of using Flash merely for decorative purposes, is just misplaced. Sure, many sites misuse Flash, but this isn't the fault of Flash; it is rather the fault of the designer!

    What I'd like to see is specifically what this bug / security issue is. It seems to mention programs that generate .swf files rather than the Flash / Flex tools themselves.

    I really like the Register as a site, but the article in question doesn't demonstrate carefully thought-out journalism. It more jumps on the bandwagon to criticise Flash unfairly.

    I wouldn't be surprised if the issue isn't even specific to Flash at all. Unfortunately this article will sit at the top of the Register for at least the next few days, leaving the ill-informed / scare journalism to fester.

  8. It's good that big companies like Google etc. are spending time figuring out the security issues; I am sure it would help Adobe to ship a better player..

    There is a lot of new security stuff introduced in the current release (9,0,115,0) and more coming soon..

    There are a huge number of people who still think of Flash Player as a movie/animation/banner player...

    I think things would get better if we (developers/designers) start using the technology (Adobe Flash) in better ways... It's hard to see many good applications; you can count the good ones actually...

    There is a lot more that can get better in the Adobe Flash Runtime(s).. It's good now, can be better (as said) :)

    -abdul

  9. Is it possible to do what you mentioned about injecting code through SWF files? I mean these files are downloaded in lots in your "temporary internet files" folder.
