Black Hat 2010: New Firefox tool to clean Adobe Flash file errors

The browser-based add-on Blitzableiter cleans SWF files before they run on a user's computer. The tool will be released at Black Hat 2010 in Las Vegas.

A security researcher plans to unveil a new Web browser add-on that cleans Adobe Flash code before a video can be played back, preventing attackers from targeting Adobe Flash file errors.

I have high hopes that it will automatically remove a large section of the attacks against Flash.
Felix "FX" Lindner, technical and research lead, Recurity Labs

Felix "FX" Lindner of Germany-based security firm Recurity Labs plans to present the new tool, Blitzableiter (lightning rod), at Black Hat 2010 in Las Vegas. An early version of the tool was presented last December at the 26th Chaos Communication Congress (26C3) in Berlin, Germany. When released, the tool will become a component within NoScript, a Mozilla Firefox add-on that protects against cross-site scripting and clickjacking attacks.

"I have high hopes that it will automatically remove a large section of the attacks against Flash," Lindner said in an interview with SearchSecurity.com. "This defense is unique in that there's no signatures involved. We based everything on principles and not attack signatures."

Adobe Systems Inc. has struggled to address holes in its Flash Player, targeted almost constantly by attackers due to its large market share. Flash is ubiquitous on the Web, used by millions to play video content or render Flash-based, interactive webpages and advertising banners. The idea for the new tool was born out of a 2008 study analyzing rich application frameworks, conducted by Recurity Labs for the German government. Recurity found that Flash lagged far behind the Silverlight and Java frameworks, Lindner said.


"We came to the realization that building defenses in this area is more challenging than finding another exploit," Lindner said. "Many of the problems we see in Flash are actually design related."

The Blitzableiter tool can be used by developers prior to making the code live on a website or as a browser-based plug-in. It can check Shockwave Flash (SWF) files on websites or embedded in PDF files. It acts as a normalization engine, checking the entire Flash file for code abnormalities. When used as a browser plug-in, the tool will process the Flash files and then display the clean files in the original Flash Player within the browser. For example, the tool can check redirects within webpage advertising banners to ensure they don't send users to a malicious website.
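The normalization idea described above can be illustrated with a strict SWF container walker that accepts a file only if every length field is consistent with the bytes actually present, with no attack signatures involved. This is an added example, not Blitzableiter's code; the `MAX_SWF` ceiling, the reject-on-any-mismatch policy and the `wrap` helper for building constructed test files are assumptions.

```python
import struct
import zlib

MAX_SWF = 64 * 1024 * 1024  # assumed size ceiling, not a value from the article

class SWFError(ValueError):
    """The file deviates from the container structure we are willing to accept."""

def validate_swf(data: bytes) -> list:
    """Walk the whole SWF container; return [(tag_code, length), ...] or raise."""
    if len(data) < 8:
        raise SWFError("truncated header")
    sig, declared = data[:3], struct.unpack_from("<I", data, 4)[0]
    if not 8 < declared <= MAX_SWF:
        raise SWFError("implausible declared length")
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        try:  # bounded inflate: never expand past what the header declares
            body = zlib.decompressobj().decompress(data[8:], declared)
        except zlib.error as exc:
            raise SWFError("bad zlib stream") from exc
    else:
        raise SWFError("unknown signature")
    if len(body) + 8 != declared:
        raise SWFError("declared length does not match content")
    # Frame RECT: 5-bit field width, four fields, padded to a byte boundary;
    # then frame rate (u16) and frame count (u16).
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    tags = []
    while not tags or tags[-1][0] != 0:          # tag code 0 is End
        if pos + 2 > len(body):
            raise SWFError("tag stream has no End tag")
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                        # long form: explicit u32 length
            if pos + 4 > len(body):
                raise SWFError("truncated long tag header")
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        if pos + length > len(body):
            raise SWFError(f"tag {code} overruns the file")
        tags.append((code, length))
        pos += length
    if pos != len(body):
        raise SWFError("data after End tag")
    return tags

def wrap(body: bytes, compress: bool = False) -> bytes:
    """Build a constructed test file: header for version 9 plus the given body."""
    head = (b"CWS" if compress else b"FWS") + b"\x09" + struct.pack("<I", len(body) + 8)
    return head + (zlib.compress(body) if compress else body)
```

A file that passes this walk is structurally consistent at the container level only; the contents of each tag would need their own checks of the same kind.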

"We're not patching stuff out, we're patching additional checks in," Lindner said. "We will add another check in front of an instruction to verify the destination being used in a banner."

Rich Internet applications pose a threat because they expand the capabilities of the browser by adding functionality that was intentionally left out of browsers. Application development platforms let developers add functionality for additional media, providing a virtual machine that is supposed to enable the code to operate in a sandbox environment for security. But Lindner said that's where security for Flash has broken down. The functionality exposed within the sandbox to parse audio, video and graphical files is often everything the attacker needs to break into a system, he said.

"The sheer amount of code that you have to write to parse these files increases the attack surface dramatically," Lindner said.

Lindner said there are two classes of attacks. The first targets the Flash runtime and parsers: the attacker finds a vulnerability in one of the parsers, typically an integer or buffer overflow, and creates a malicious file that is downloaded to a victim's machine. The other is used in click fraud, using the APIs within a SWF file to create clicks for an advertisement or Web banner connected to ad networks. The tool won't protect against all attacks against Flash. Heap spraying and Flash API overflows remain a problem.

"There was a lot of work involved, but we're confident that it could help remove most attacks targeting Flash," Lindner said. "It's one of the newest defenses that we've got."
