Mark Dowd has found a serious security flaw in the Adobe Flash plugin that lets an attacker take complete control of a computer. Adobe Flash Player 9.0.115.0 and earlier are affected by this critical issue; Flex 3.0 and AIR 1.0, which embed Flash, are affected as well. The Flash plugin is installed in almost every browser (Firefox, Internet Explorer and others) and is heavily used by Web 2.0 sites such as YouTube for video streaming. The exploit turns a NULL pointer dereference into writes to the Flash player's own memory, so an attacker can alter what the player does. In the hands of a malicious programmer this knowledge can quickly turn into a big disaster.
Vulnerabilities in online software are nothing new; new ones are found continuously in WordPress and its plugins, for example. What makes a Flash vulnerability so much more damaging is that Flash is installed in almost every browser and the flaw does not depend on the operating system you are running. An attacker can run a torrent site or a game site and embed a malicious Flash file in it; when you visit the site the browser loads the SWF automatically, and the file uses the exploit to take over your system.
Mark Dowd is a researcher at IBM Internet Security Systems and describes the exploit in a paper titled “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine” (PDF, reference 2 below). According to the paper, even Windows Vista is vulnerable to this exploit:
Vista’s ASLR features require that the binary is compiled with the /DYNAMICBASE switch available on recent Microsoft compilers. Essentially, using this switch sets a flag in the PE header (0x40 in the DllCharacteristics member of the optional header) that will indicate that the binary should receive a random base address when loaded. Since Flash does not use this switch, ASLR does not cause the Flash DLL to be moved in memory in Windows Vista, and hence it can still be reliably exploited. Combining this with the previous point, it is possible to generate an SWF file that will reliably exploit both IE and Firefox on all recent versions of the Windows operating system, including Vista.
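Checking whether a module carries that flag takes only a few bytes of header parsing. The following Python script is an added example, not code from this post or from Dowd's paper: it reads the DllCharacteristics field of a PE image and reports whether the dynamic-base bit (0x40) is set. It also checks the COFF Characteristics for IMAGE_FILE_RELOCS_STRIPPED, because a module whose relocation table has been stripped cannot be rebased by the loader even if the dynamic-base bit is present, so the bit alone is not proof that ASLR will apply. The function names are the example's own, and build_test_image constructs a synthetic, header-only PE32 image purely for the demonstration; on a real machine you would pass supports_aslr the bytes of the installed Flash module (the ActiveX control used by IE or the plugin file used by Firefox).

```python
import struct

# Bit in the optional header's DllCharacteristics that opts a module into ASLR
# (set by linking with /DYNAMICBASE).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
# Bit in the COFF Characteristics meaning the relocation table was stripped;
# such an image cannot be rebased, so ASLR is ineffective whatever the bit above says.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def _headers(pe: bytes):
    """Locate the COFF file header and the optional header; return their offsets."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    opt = coff + 20                          # optional header follows it
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or size_of_optional < 72:
        raise ValueError("unsupported or truncated optional header")
    return coff, opt


def dll_characteristics(pe: bytes) -> int:
    """DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+."""
    _, opt = _headers(pe)
    return struct.unpack_from("<H", pe, opt + 70)[0]


def relocs_stripped(pe: bytes) -> bool:
    """True if the COFF Characteristics say the relocation table was removed."""
    coff, _ = _headers(pe)
    characteristics = struct.unpack_from("<H", pe, coff + 18)[0]
    return bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)


def supports_aslr(pe: bytes) -> bool:
    """True only if the module asks for a random base AND can actually be relocated."""
    return (bool(dll_characteristics(pe) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
            and not relocs_stripped(pe))


def build_test_image(dll_chars: int, coff_chars: int = 0x2102) -> bytes:
    """Constructed header-only PE32 image (no sections, not loadable) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    # Machine=i386, 0 sections, timestamp/symbols zero, SizeOfOptionalHeader=0xE0 (PE32)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, coff_chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print(f"{path}: DllCharacteristics=0x{dll_characteristics(data):04x} "
              f"ASLR={'yes' if supports_aslr(data) else 'NO'}")
```

Run it with one or more DLL or OCX paths as arguments; a module that prints ASLR=NO is loaded at its preferred image base on Vista and gives an attacker the fixed addresses that Dowd's SWF relies on. The default COFF characteristics in the synthetic image (0x2102) mark it as an executable 32-bit DLL with relocations present; pass 0x2103 to see the relocations-stripped case.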
For a detailed step-by-step look at Dowd's Flash exploit, see the article listed as reference 3 below. It is long, but it is a gold mine for future cyber criminals!
Adobe was quick to address this Flash security issue and released a patch for it on April 8, 2008. According to the patch summary:
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system.
Due to the possibility that these security enhancements and changes may impact existing Flash content, content developers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition.
That means some of the Flash files out there may stop working after the patch is installed.
Flash supports automatic updates, so the security patch should be installed automatically, but there is no guarantee. Thousands of browsers have auto-update disabled and will remain vulnerable to this attack, and even where it is enabled many users will cancel the update without realising how serious it is. Note also that Flash is installed separately for Internet Explorer (as an ActiveX control) and for Firefox and other browsers (as a plugin), so each copy has to be updated on its own.
This incident raises another question: is it safe to browse the Web at all? The answer is that it is relatively safe if you avoid suspicious sites. There may well be other vulnerabilities that cyber criminals have already found and are exploiting through keygen/serial-key sites or torrent sites.
1. IBM ISS article on the Flash Player invalid pointer vulnerability
2. Mark Dowd, “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine” (PDF)
3. Detailed walkthrough of Mark Dowd’s research paper
4. Adobe security bulletin for the Flash Player patch