New Flash Attack Has No Real 'Fix'

Researchers have discovered a new attack that exploits the way browsers operate with Adobe Flash -- and there's no simple patch for it.

The attack can occur on Websites that accept user-generated content -- anything from Webmail to social networking sites. An attacker basically takes advantage of the fact that a Flash object can be loaded as content onto a site and then can execute malware from that site to infect and steal information from visitors who view that content by clicking it.

"Everyone is vulnerable to this, and there's nothing anyone can do to fix it by themselves," says Michael Murray, CSO for Foreground Security, which today posted demonstrations of such an attack against Gmail, SquirrelMail, and cPanel's File Manager. "We're hoping to get a message out to IT adminstrators and CIOs to start fixing their sites one at a time."

An attacker could upload malicious code via a Flash file attachment or an image, for instance, and infect any user that clicks on that item to view it. "If I can trick a system to let me upload anything, I can run code in any browser, and Adobe can't fix this," Murray says. "If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials."

The only thing close to a "fix" is for the Website to move its user-generated content to a different server, according to Michael Bailey, the senior researcher for Foreground Security who discovered the attack. Facebook already does this, he says, which makes the popular social networking site immune to hosting this type of attack.

Bailey says the attack is similar to a cross-site scripting attack. "This is very easy to perform," he says.

The researchers don't expect Adobe to issue any fixes to Flash's origin policy, mainly because it would affect so many applications. Adobe offers security information for developers using Flash.

Web application developers could help prevent the attack by denying Flash content by default, which isn't a very realistic option: "Doing that will break a lot of applications," Bailey says. "And that's the problem."

For end users, the Firefox browser add-in NoScript provides some protection from this attack, as does Toggle Flash for Internet Explorer, the researchers say.

"This is ubiquitous. Almost every file upload has some amount of risk. If I were running a site, I would take a look at this," Murray says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.