The number and severity of vulnerabilities in Macromedia’s popular Flash animation software have been increasing throughout this year. Since Flash is installed on virtually every computer with an Internet browser (97 percent, according to Macromedia), any general threat to Flash can be a major threat and must be taken seriously.

The SWF.LFM-926 virus was first seen in January 2002. This threat didn’t affect those browsing Web sites. In fact, it was described by some antivirus experts, Sophos, in particular, as more of a proof-of-concept virus than a serious attack. Macromedia responded quickly to the discovery by Sophos of the first .swf (Flash file) virus, but as Sophos pointed out back in January, Macromedia’s fix fell short of a complete elimination of the threat.

The drumbeat continued in February with another problem being found in the Flash authoring tool. This threat, discovered by a Macromedia Flash developer calling himself Vengy, made use of an undocumented feature in the Flash 5 authoring tool. The ActionScript fscommand:save command can be used to create a batch file in the stand-alone player, planting a Trojan that will execute at the next reboot. The exploit is described on Vengy’s GeoCities site.

More recently, a threat known as the Flash ActiveX Buffer Overflow flaw, first reported by eEye Digital Security, opens up user PCs to an attack just by browsing Web sites with Flash code. Macromedia responded to this threat so fast that the fix was posted by the time the discoverer reported it.

Let’s take a closer look at these threats and how to secure against them.

Risk levels: Low to high
The threat from SWF.LFM-926, which exploits the fscommand:exec ActionScript command in the Flash 5 authoring tool, is very low risk since it affects only systems that are testing Flash code using the vendor’s stand-alone player—something most people don’t even know exists. This does not threaten general users who simply have Flash support for their standard Internet browser.

The February threat, based on the undocumented fscommand:save command, also relates only to developers and therefore is unlikely to be exploited to any serious extent, especially since developers are likely to keep their software updated.

The ActiveX Buffer Overflow vulnerability is a high-risk threat because it allows remote code execution on PCs. A flaw in the Flash OCX can allow a malicious attacker to easily overwrite the value held in the Extended Instruction Pointer (EIP), the register that holds the address of the next instruction the CPU will execute. By controlling that address, the attacker can cause the system to execute any malicious code that accompanies the buffer overflow attack.

More importantly, this vulnerability affects the average user’s browser and therefore has the possibility for widespread exploitation.

Applicability: Various but widespread
The ActiveX vulnerability is found in Internet Explorer only, and the other threats discovered so far only apply to developers. But, since Flash is so ubiquitous, any vulnerability in Flash can quickly become a major threat. The problem is especially severe because many people have never even heard of Flash and don’t realize it is installed in their browser. Therefore, they don’t realize they need to update it regularly. Administrators and IT support professionals must realize the threat that Flash poses to end users’ desktops and add it to the list of software that should be kept up to date.

Mitigating factors
SWF.LFM-926 threatened only those with the Flash developer player and then only if they downloaded an infected Flash file from a malicious Web site or opened an infected Flash file sent by e-mail. Since developers often e-mail sample files, this is a more serious threat than it might at first appear.

Similar mitigating factors relate to the fscommand:save command threat, with the additional benefit that this is an undocumented command, so it’s had limited use.

The ActiveX vulnerability is mitigated mostly by the fact that it is found only in Internet Explorer, so using Opera, Netscape, or another browser will provide safety from this threat. The threat is also lessened by the fact that no one seems to have released an attack based on it—yet.

SWF.LFM-926 was limited to those using the stand-alone player that’s supplied with the Flash 5 development package. According to Macromedia, the problem was fixed in Flash 6. The company also released a quick patch, the SWF Clear Utility, and a workaround that would eliminate the risk for developers still using Flash 5.

There isn’t a specific fix for the fscommand:save command threat.

To fix the ActiveX threat, you should obtain Flash 6 rev. 29 (or later) from the Macromedia site. Remember that most people don’t even know they have Flash installed on their PCs and therefore are unlikely to update it. So it’s up to you to make sure that Flash is updated on all of your users’ systems.
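One way to act on that advice is to run an inventory of users' desktops against the fixed release. The script below is an added example, not code from the column or from Macromedia: it assumes a constructed "host;browser;flash version" inventory format, treats "6 rev. 29" as version 6.0.29, and assumes version strings can also arrive in the comma form the player reports through its $version variable. It marks old Flash under Internet Explorer as "exposed" (the ActiveX flaw is IE-only) and old Flash under other browsers as merely needing the update.

```python
import re
from typing import Dict, List, Optional, Tuple

# Flash 6 rev. 29 is the release the column names as fixing the ActiveX
# buffer overflow; anything older counts as unpatched.
FIXED_VERSION = (6, 0, 29)

# Version strings arrive in several shapes: "6.0.29.0", the comma form
# "WIN 6,0,29,0" that the player reports through its $version variable
# (assumed format), or a hand-written "Flash 6 rev. 29".
_REV_RE = re.compile(r"(\d+)\s*rev\.?\s*(\d+)", re.IGNORECASE)
_NUM_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)")

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, revision) or None if no version is present."""
    m = _REV_RE.search(text)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    m = _NUM_RE.search(text)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None

def classify(browser: str, version_text: str) -> str:
    """The ActiveX flaw is reachable only through Internet Explorer: an old
    Flash under IE is 'exposed', under another browser just 'update'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # inventory gap: check that desktop by hand
    if version >= FIXED_VERSION:
        return "patched"
    return "exposed" if "explorer" in browser.lower() else "update"

def audit(inventory: List[str]) -> Dict[str, str]:
    """Each line is 'host;browser;flash version' (a constructed format)."""
    result: Dict[str, str] = {}
    for line in inventory:
        host, browser, version_text = (f.strip() for f in line.split(";", 2))
        result[host] = classify(browser, version_text)
    return result

# Constructed sample inventory; hosts and versions are made up.
SAMPLE_INVENTORY = [
    "desk-01;Internet Explorer 6;WIN 6,0,29,0",
    "desk-02;Internet Explorer 5.5;WIN 5,0,42,0",
    "desk-03;Netscape 6;6.0.21.0",
    "desk-04;Internet Explorer 6;Flash 6 rev. 29",
    "desk-05;Opera 6;version not recorded",
]
```

Calling audit(SAMPLE_INVENTORY) flags desk-02 as exposed and desk-03 as needing the update, while desk-05 is returned as unknown so the inventory itself gets fixed first.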

Final word
Why am I wasting time and column space on something that involves only simple animations or banner ads? Because Flash use is growing quickly. Flash MX is challenging Java and DHTML in an attempt to become a true universal client of the Internet. MX is the designation used for the latest release of Macromedia’s Web design tools, and Flash is becoming much more than just a nice way to design banner ads. Flash MX can add real content and power to Web pages through what Macromedia calls Rich Internet Applications (RIA).

RIA lets Flash update search results or streaming information on a Web page without reloading the entire page. Flash MX is interactive and can be used for things such as videoconferencing or real-time messaging via the binary Action Message Format (AMF).

It’s important to note that Macromedia seems to be fully aware of the danger that unaddressed vulnerabilities can pose to a company bringing out a new Web-based application system. (Consider the challenge Microsoft faces convincing people that using .NET would be a good idea.) Macromedia was right on top of the most severe threat, the ActiveX IE browser vulnerability that would affect the average PC user. In fact, eEye reported that when it contacted Macromedia after discovering the problem, it was told that a new release was coming later that same day—a release that eEye’s testing showed had fixed the vulnerability.

Obviously, this means that Macromedia is conducting ongoing security testing and discovered the vulnerability before anyone else did. Then it went the extra mile and produced a fix. That’s something we can appreciate these days, because, unfortunately, it is rare for a company to take such a proactive stand on security.

Nevertheless, the floodgates are now open, and I expect to see a lot of attackers paying attention to Flash in the future, looking for vulnerabilities they can exploit maliciously. We simply cannot afford to ignore the Flash threat any longer.