A researcher has discovered a new hacker point of entry in Adobe Flash, but the software company's product security director dismissed the research as "not news."
The flaw allows attackers to infect any website which permits visitors to upload content, including such popular sites as Google's Gmail.
No fix yet exists, but Brad Arkin, director of product security and privacy at Adobe, told SCMagazineUS.com on Friday that the issue is not patchable and instead requires webmasters to apply safeguards.
The alarm was raised Thursday by Mike Bailey, senior researcher at Foreground Security, an information security services vendor, on the company's blog. He called the flaw a "frighteningly bad thing" because of the preponderance of sites that allow users to upload files.
"Any server that allows unvalidated uploads of content will let an attacker to upload HTML pages with cross-site scripting or other attacks," he wrote on the blog.
At that point, the hackers gain control of the targeted site, deposit a malicious Flash object on the web server, and then can execute malicious scripts in the context of that domain, thereby infecting visitors who visit that site.
Once an attack is launched on a site, it can affect even those individuals not using Flash because it travels to users directly and not via the servers, Bailey said. Websites that are at risk of being vulnerable include social media sites, major career portals and Fortune 1000 and government agencies websites.
“This is insidious because Flash content can be crafted to look like many different file types, such as Microsoft Word or Excel documents, image files or ZIP files," Bailey wrote. "This variability allows malicious content to appear in many different and normally nonthreatening guises. Nobody expects pictures to attack them."
Bailey said this vulnerability is a core design flaw in Flash's same-origin policy and insisted that Adobe must issue a client-side fix for Flash users, rather than expecting website administrators to rework their coding.
Several fixes have been proposed, he told SCMagazineUS.com on Friday.
"They can at least minimize the issue," Bailey said of Adobe. "It should not be too difficult so that these types of things – limiting a Flash object's access to other content only from the domain it originated from – are denied by default."
While this attack type might be original, it also is familiar, said Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab. He told SC Magazine this week that hackers have taken to placing IFRAMEs, an HTML element that allows web developers to embed content from one website into another, on to FTP sites. This enables the code to inject malware onto client machines.
A number of comments to Bailey's blog post refute his claims, questioning the extent of damage done by this attack, as well as pointing out a lack of evidence proving that end-users viewing these Flash files are suffering any noticeable damage.
One response calls Bailey's assertions "completely irresponsible" and said that system administrators and site managers are the ones who must properly secure their upload processes.
Bailey told SCMagazineUS.com those who dispute his findings either don't understand the flaw, or they work for Adobe.
But Adobe officials object to that assertion.
"This isn't news," Arkin said. "The topic has been well understood for years. There are risks associated with user-generated content."
To protect against risks, Arkin said there are a number of steps site owners should take, including filtering active content from user uploads and hosting active content on a different domain other than the trusted domain.
"These are common web practices," he said. "Anybody building a web application needs to protect against a wide variety of threats. If you don't understand the risk, your site will be vulnerable."
Mike Murray, CTO at Foreground Security, told SCMagazineUS.com that the company weighed the consequences of revealing the flaw. It was concerned that attackers, once alerted to the bug, could get a head start. But, he said, bringing attention to the issue was necessary to force Adobe's hand in remediating the problem.
"There's no fix that users can do other than disable Flash, and that's not likely to happen," Murray said.
Bailey told SCMagazineUS.com that he has yet to observe any attacks in the wild, though he is seeing a trend toward that happening.
He advised surfers using the Firefox browser to deploy NoScript, a free, open-source add-on that allows users to manually choose on which sites they want to allow JavaScript, Java and Flash and other plug-ins to be executed. For those using Internet Explorer, he suggested using the Toggle Flash application, which offers similar user controls.
