The same-origin policy vulnerability in Adobe Flash that was disclosed last week by a researcher at Foreground Security is more serious than just a simple software flaw, experts say. It illustrates a fundamental flaw in the way that Flash objects are handled by Web servers and Web browsers alike, leading to a serious weakness on both ends of the Internet communication channel.
In case you missed all of the excitement last week, Mike Bailey of Foreground Security published a lengthy description of several issues affecting Adobe Flash, laying out a number of scenarios in which an attacker would be able to upload a malicious Flash file to a remote server and then get that server to serve the malicious content to unsuspecting users.
A flash object does not need to be injected into a web page to execute; simply loading the content is enough. Let’s consider the implications of this policy for a moment: If I can get a Flash object onto your server, I can execute scripts in the context of your domain. This is a frighteningly Bad Thing. How many web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable. To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute. This means that poorly validated image upload features will be vulnerable. Also poorly validated document repositories. Also backup services, filesharing sites, webmail applications, and more.
This is, indeed, a really bad thing. But as Rich Mogull of Securosis points out, if you’re allowing users to upload executable code to your server, you’re in serious trouble already. It’s hard to get all high and mighty about security if you’re letting people run arbitrary code on your site. The larger problem with Flash, experts say, is that attackers can take advantage of the fact that the technology pays no attention to the HTTP Content-Type header or the file extension and instead relies on the file’s own header bytes to identify a given file.
This, also, is not so good. It means that once the attacker gets his file on the Web server, the file will run in the same context as the rest of the Web page, regardless of how the content is labeled by the server. Attackers also can make Flash files look like other types of content, such as a zip file, and the file will then be treated as a legitimate zip file rather than a Flash program.
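The practical consequence of that behaviour is that a server cannot rely on the name or the declared type of an upload; it has to look at the same header bytes Flash Player looks at. The following is an added example, not code from the article or from Bailey’s or Mogull’s posts, of a server-side upload check that does exactly that. It assumes a hypothetical image-upload form that accepts PNG, JPEG and GIF, and it also builds a constructed file that is simultaneously a valid zip archive and a file beginning with a SWF signature, to show why a check on the declared type alone is not enough.

```python
# Added example (hypothetical upload validator): identify Flash content by its
# file header, the way Flash Player itself does, instead of trusting the file
# extension or the client-supplied Content-Type.
import io
import zipfile
from typing import Tuple

# Every SWF file begins with a three-byte signature: "FWS" (uncompressed),
# "CWS" (zlib-compressed) or "ZWS" (LZMA-compressed, added in later players).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Magic bytes of the image formats this hypothetical upload form accepts.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def looks_like_swf(data: bytes) -> bool:
    """True if the payload starts with a SWF signature, whatever its name says."""
    return data[:3] in SWF_SIGNATURES


def matches_declared_type(data: bytes, extension: str) -> bool:
    """True if the bytes really begin with the magic for the claimed extension."""
    sigs = IMAGE_SIGNATURES.get(extension.lower())
    if sigs is None:
        return False
    return any(data.startswith(sig) for sig in sigs)


def is_zip_archive(data: bytes) -> bool:
    """True if the bytes parse as a zip archive (zip readers scan from the end)."""
    return zipfile.is_zipfile(io.BytesIO(data))


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded file may be stored and served back to users."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    # Reject anything Flash Player would treat as a SWF, regardless of name.
    if looks_like_swf(data):
        return False, "rejected: SWF signature found regardless of extension"
    # Require the bytes to match the type the filename claims.
    if not matches_declared_type(data, ext):
        return False, "rejected: bytes do not match declared type '%s'" % ext
    return True, "accepted"


def build_swf_zip_polyglot() -> bytes:
    """Constructed sample: a valid zip archive with a SWF header prepended.

    Zip readers locate the central directory from the end of the file, so the
    archive still opens, while a signature-at-offset-0 check sees a SWF.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless archive member")
    # "CWS" + version byte + 4-byte length field, all constructed values.
    return b"CWS\x0a" + b"\x00" * 4 + buf.getvalue()


# Constructed sample uploads (not real files from any report).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED_PNG = b"FWS\x0a" + b"\x00" * 16      # SWF bytes named avatar.png
SWF_ZIP_POLYGLOT = build_swf_zip_polyglot()

if __name__ == "__main__":
    print(validate_upload("avatar.png", REAL_PNG))
    print(validate_upload("avatar.png", DISGUISED_PNG))
    print("polyglot is zip:", is_zip_archive(SWF_ZIP_POLYGLOT),
          "/ looks like swf:", looks_like_swf(SWF_ZIP_POLYGLOT))
    print(validate_upload("backup.zip", SWF_ZIP_POLYGLOT))
```

The signature check is the header-level filter Mogull asks Adobe to apply on the player side; applying it on the server catches the disguised-image case and the zip polyglot at upload time. It does not change the structural fix the article points at: user-supplied files should be served from a separate origin so that whatever does slip through cannot run in the application’s own domain.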
Each of these issues is problematic individually. But when all of them are combined, and you add in the fact that Flash doesn’t pay attention to the same-origin policy, it adds up to a serious problem for Adobe. The vendor, however, does not see it that way. In a response to Bailey’s research posted on Friday, Adobe said that the problems Bailey outlined do not represent “a vulnerability in Adobe Flash Player.”
Bailey said in an interview that he is concerned that the security team at Adobe was a bit confused about the nature of the vulnerability.
“I’m not sure that they understood the problem very well. It’s really complicated,” Bailey said. “I hope that they’ll look at it a little more closely and make some changes. They do have some smart security people there.”
Whether these issues actually meet some arbitrary definition of a vulnerability isn’t really the point; it’s still Adobe’s problem. Obviously, Web site owners are responsible for validating whatever content is uploaded to their sites, but many of these sites are designed specifically to allow users to upload as much content as possible. That’s their entire reason for being. And users don’t care whether this is technically a vulnerability or just a bad design decision. They just know that their Flash content is now highly suspect and they want it fixed.
“This isn’t an end-of-the-world kind of problem, but is serious enough that Adobe should address it. They should force Flash to respect HTTP headers, and could easily filter out ‘disguised’ Flash files. Flash should also respect the same origin policy, and not allow the hosting site to affect the presenting site,” Mogull wrote. “This issue is definitely more serious than Adobe is saying, and hopefully they’ll change their position and fix the parts of it that are under their control.”