Free HP SWFScan tool detects Adobe Flash flaws

By Erin Kelly, Contributor
23 Mar 2009 | SearchSecurity.com


A free Flash security tool released today decompiles Flash applications and pinpoints vulnerabilities in the recovered source code, promising faster detection and fewer headaches than the more manual scanning tools currently available.


Hewlett-Packard Co. worked closely with Adobe Systems Inc. to develop SWFScan, a tool that accepts Flash applications (SWF files) built for any version of the Flash platform, decompiles them back to source and highlights the lines responsible for any of roughly 60 to 65 classes of vulnerability, said Billy Hoffman, manager of HP's Web Security Research Group.

"The tool goes in and highlights the source code that is causing the vulnerability," Hoffman said. "So we're actually highlighting it, saying, 'this line here is where you made a call to allow an insecure domain function, anybody can access it; this is a vulnerability.'"


Adobe Flash has become ubiquitous on the Web, used to display animation, video and interactive graphics on Web pages. But attackers have targeted flaws in Flash application code as a stepping stone to the servers behind the websites. Free tools that decompile some versions of Flash have been offered before, but SWFScan works on all versions, old and new, Hoffman said. SWFScan is also developer-friendly: similar tools, such as SWFIntruder, are more manual and require a Mozilla Firefox plug-in, whereas SWFScan is a true standalone tool, he said.

"We are analyzing [the source code] to find vulnerabilities, so [the tool] actually goes through the code and looks at what variables are being used in what functions, this is one of the differentiating factors," Hoffman said.

Prajakta Jagdale, a senior security research engineer who developed SWFScan, said the tool's static analysis of the decompiled code is another feature that sets it apart from other free scanners. Jagdale spoke briefly about the tool's release last month during a presentation at the Black Hat DC conference in Arlington, Va.

Sites that embed SWF applications or run third-party banner advertisements cannot simply assume those files are secure, Jagdale said. With SWFScan, the site owner can check them for vulnerabilities before they go live.

Jagdale said the remediation report that follows detection states what each vulnerability is, the type of exploit that can take advantage of it and how to fix the problem. The tool does not fix any of these errors itself but gives the user the guidance to fix them, she said.

"The key is the advice we're giving is Adobe's best security practices," Jagdale said. "Adobe's advice is really embedded in the tool concerning remediation."

On average the tool scans and highlights the source code in less than a minute, Jagdale said.

Hoffman said the tool does not look for vulnerabilities inside the Flash plug-in itself.

"We're not analyzing the player, we're analyzing the program," he said. "We're not looking at everything on the server; we're not testing those end points of the server for SQL injection. We're pretty much only looking at Flash applications that run inside the browser."


Cross-site scripting, cross-domain privilege escalation and failure to validate user input are examples of source-code errors that attackers can exploit and that the tool can detect, Hoffman said.
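To make concrete the kind of finding Hoffman describes (an overly permissive allowDomain call, or FlashVars flowing unchecked into a navigation, JavaScript or load call), the following is an added example and not SWFScan's own code or rule set. It is a small Python static scanner that walks constructed decompiled ActionScript 2 line by line, propagates taint from the FlashVars entry points (_root.*, _level0.*, loaderInfo.parameters) through simple assignments, flags the dangerous sinks, and prints a report of the offending line plus remediation advice in the same spirit as the report the article describes. The rule names, advice strings, hostnames and both sample movies are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int     # 1-based line in the decompiled source
    rule: str     # rule identifier (constructed names, not SWFScan's)
    code: str     # the offending statement, as a report would highlight it
    advice: str   # remediation text, modelled on Adobe's published guidance


# Where untrusted input enters a movie: FlashVars / query-string parameters are
# exposed as _root.* or _level0.* in ActionScript 2 and loaderInfo.parameters in AS3.
TAINT_SOURCES = re.compile(r"\b(_root|_level0)\.\w+|loaderInfo\.parameters(\.\w+|\[[^\]]*\])")

# Simple "x = <expr>;" or "var x = <expr>;" statements, used to propagate taint.
ASSIGN = re.compile(r"(?:var\s+)?(\w+)\s*=(?!=)\s*(.+);")

# (rule id, sink pattern, fires only when the statement is tainted?, advice)
RULES = [
    ("insecure-allowDomain",
     re.compile(r"Security\.allowDomain\(\s*['\"]\*['\"]\s*\)"), False,
     "Never call Security.allowDomain(\"*\"); name the exact origins allowed to script this SWF."),
    ("unvalidated-url-navigation",
     re.compile(r"\b(getURL|navigateToURL)\s*\("), True,
     "Check the scheme and host before navigating; a javascript: URL here is cross-site scripting."),
    ("unvalidated-externalinterface",
     re.compile(r"ExternalInterface\.call\s*\("), True,
     "Do not pass FlashVars to JavaScript unfiltered; fix the function name and escape the arguments."),
    ("unvalidated-load",
     re.compile(r"\b(loadMovie|loadVariables)\s*\(|\.load\(\s*new\s+URLRequest\("), True,
     "Load only from a known host; an attacker-chosen URL pulls hostile SWF or data into the movie."),
]


def _mentions(names, text):
    return any(re.search(rf"\b{re.escape(n)}\b", text) for n in names)


def scan(source: str) -> list[Finding]:
    """Return one Finding per dangerous statement in decompiled ActionScript source."""
    tainted_vars: set[str] = set()
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        tainted = bool(TAINT_SOURCES.search(line)) or _mentions(tainted_vars, line)
        m = ASSIGN.search(line)
        if m and (TAINT_SOURCES.search(m.group(2)) or _mentions(tainted_vars, m.group(2))):
            tainted_vars.add(m.group(1))   # the assigned variable now carries attacker data
        for rule, sink, needs_taint, advice in RULES:
            if sink.search(line) and (tainted or not needs_taint):
                findings.append(Finding(n, rule, line.strip(), advice))
    return findings


def report(source: str) -> str:
    """Render findings the way a remediation report would: line, rule, code, fix."""
    findings = scan(source)
    if not findings:
        return "no findings"
    return "\n".join(f"line {f.line}: [{f.rule}] {f.code}\n    fix: {f.advice}" for f in findings)


# Constructed sample: decompiled ActionScript 2 of a banner that takes FlashVars.
VULNERABLE_AS2 = """\
// banner.swf, decompiled (constructed sample)
Security.allowDomain("*");
var target = _root.redirectUrl;
getURL(target, "_self");
ExternalInterface.call(_root.callback, _root.msg);
loadMovie(_root.skin, this);
"""

# Constructed hardened version: one named origin, FlashVars used only as a key
# into fixed URLs, and a fixed JavaScript callback name.
HARDENED_AS2 = """\
// banner.swf, hardened (constructed sample)
Security.allowDomain("www.example.com");
var page = _root.page;
var target = "https://www.example.com/";
if (page == "help") { target = "https://www.example.com/help"; }
getURL(target, "_self");
ExternalInterface.call("onFlashReady");
"""

if __name__ == "__main__":
    print(report(VULNERABLE_AS2))
    print("---")
    print(report(HARDENED_AS2))
```

Run stand-alone, the script reports four findings for the vulnerable movie (lines 2, 4, 5 and 6) and none for the hardened one. The taint tracking is deliberately naive (it does not understand the if-guard or string operations), which is why the hardened sample avoids navigating to a user-supplied string at all rather than filtering it; a real scanner such as the one described would do considerably deeper data-flow analysis.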

"I would suggest to use [the tool] whenever you've made significant changes to your application," Hoffman said. "Every time there's an update to the code, even if there's only supposed to be a minor update. It runs so quickly, you might as well use it."

SWFScan is aimed at developers but is also intended for those who conduct code reviews, such as members of an organization's security department and third-party consultants, Hoffman said.

"The real problem is that developers know about security practices and are aware of the documents that explain how to fix problems, but they often don't do it, or only think they've done it and think they're secure [when they really are not]," Hoffman said. "The SWFScan provides a check and balance."
