A security researcher plans to unveil a new Web browser add-on that cleans Adobe Flash code before a video can be played back, preventing attackers from targeting Adobe Flash file errors.
Felix "FX" Lindner of German-based security firm, Recurity Labs, plans to present the new tool, Blitzableiter (lightening rod), at Black Hat 2010 in Las Vegas. An early version of the tool was presented last December at the 26th Chaos Communication Congress (26C3) in Berlin, Germany. When released, the tool will become a component within NoScript, a Mozilla Firefox add-on that protects against cross-site scripting and clickjacking attacks.
"I have high hopes that it will automatically remove a large section of the attacks against Flash," Lindner said in an interview with SearchSecurity.com. "This defense is unique in that there's no signatures involved. We based everything on principles and not attack signatures."
Adobe Systems Inc. has struggled to address holes in its Flash Player, targeted almost constantly by attackers due to its large market share. Flash is ubiquitous on the Web, used by millions to play video content or render Flash-based, interactive webpages and advertising banners. The idea for the new tool was born out of a 2008 study analyzing rich application frameworks, conducted by Recurity Labs for the German government. Recurity found that Flash lagged far behind the Silverlight and Java frameworks, Lindner said.
"We came to the realization that building defenses in this area is more challenging than finding another exploit," Lindner said. "Many of the problems we see in Flash are actually design related."
The Blitzableiter tool can be used by developers prior to making the code live on a website or as a browser-based plug-in. It can check Shockwave Flash (SWF) files on websites or embedded in PDF files. It acts as a normalization engine, checking the entire Flash file for code abnormalities. When used as a browser plug-in, the tool will process the Flash files and then display the clean files in the original Flash Player within the browser. For example, the tool can check redirects within webpage advertising banners to ensure they don't send users to a malicious website.
"We're not patching stuff out, we're patching additional checks in," Lindner said. "We will add another check in front of an instruction to verify the destination being used in a banner."
Rich Internet applications pose a threat because they expand the capabilities of the browser by adding functionality that was intentionally left out of browsers. Application development platforms let developers add functionality for additional media, providing a virtual machine that is supposed to enable the code to operate in a sandbox environment for security. But Lindner said that's where security for Flash has broken down. The functionality exposed within the sandbox to parse audio, video and graphical files is often everything the attacker needs to break into a system, he said.
"The sheer amount of code that you have to write to parse these files increases the attack surface dramatically," Lindner said.
Lindner said there are two classes of attacks. The first attack targets the Flash runtime and parsers. The attacker finds a vulnerability in one of the parsers, typically an integer or buffer overflow, and creates a malicious file that is downloaded to a victim's machine. The other attack is used in click fraud, using the APIs within a SWF file to create clicks for an advertisement or Web banner connected to ad networks. The tool won't protect against all attacks against Flash. Heap Spraying and Flash API overflows remain a problem.
"There was a lot of work involved, but we're confident that it could help remove most attacks targeting Flash," Lindner said. "It's one of the newest defenses that we've got."