For years now, Adobe Flash files have been a very useful attack vector for hackers and a serious security problem for end users and IT departments. Now, a German researcher is planning to unveil a new browser plug-in designed to prevent many common types of Flash attacks.
The plug-in, called Blitzableiter, doesn’t implement a signature-based defense against Flash attacks. Instead, it inspects the code contained within the Flash files and aims to sanitize that code before it is executed on the user’s machine. The tool essentially parses the entire SWF file that’s encountered by the browser, drops the original file and loads the parsed code into a new, safe SWF file.
Blitzableiter is the brainchild of Felix Lindner, a security researcher at Recurity Labs, and the tool will be released at the upcoming Black Hat briefings in Las Vegas later this month. Blitzableiter will be released as a plug-in for Firefox.
The new approach to defending against Flash-based attacks is predicated upon the structure of Flash files themselves and the Flash player. The Flash player contains two virtual machines and Blitzableiter goes through and verifies that all of the data in a given file not only conforms to the SWF file specification, but also that the virtual machine code does exactly what it says it will do and nothing else.
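The parse-and-rebuild idea at the container level, as an added Python example that is not Blitzableiter's code: it checks the header and tag-record lengths against the public SWF layout and emits a fresh file only if everything is consistent. It assumes uncompressed `FWS` input and does not attempt the virtual machine code verification described above; the function names and sample movies are constructed for illustration.

```python
import struct

class FormatViolation(ValueError):
    """Input departs from the SWF container layout."""

def read_tags(data, pos):
    """Return [(code, payload)], rejecting any tag that overruns the file."""
    tags = []
    while True:
        if pos + 2 > len(data):
            raise FormatViolation("tag stream ends without an End tag")
        (hdr,) = struct.unpack_from("<H", data, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:  # long form: explicit 32-bit length follows
            if pos + 4 > len(data):
                raise FormatViolation("truncated long tag header")
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        if pos + length > len(data):
            raise FormatViolation(f"tag {code} overruns the file")
        tags.append((code, data[pos:pos + length]))
        pos += length
        if code == 0:  # End tag must be the last bytes of the file
            if pos != len(data):
                raise FormatViolation("data after End tag")
            return tags

def rebuild(swf):
    """Parse an uncompressed SWF and emit a fresh copy built from parsed parts."""
    if len(swf) < 9 or swf[:3] != b"FWS":
        raise FormatViolation("not an uncompressed SWF or truncated header")
    body = swf[8:]
    if struct.unpack_from("<I", swf, 4)[0] != len(swf):
        raise FormatViolation("FileLength field does not match actual size")
    start = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4  # RECT + rate + frame count
    if start > len(body):
        raise FormatViolation("truncated movie header")
    out = bytearray(body[:start])
    for code, payload in read_tags(body, start):  # re-emit in long form only
        out += struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    return swf[:4] + struct.pack("<I", 8 + len(out)) + bytes(out)

def make_sample(tags):
    """Constructed test movie: empty RECT, 12 fps, 1 frame, then `tags`."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags
    return b"FWS\x0a" + struct.pack("<I", 8 + len(body)) + body

GOOD = make_sample(struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff" + b"\x40\x00\x00\x00")
BAD = make_sample(struct.pack("<HI", (12 << 6) | 0x3F, 0x1000) + b"AAAA\x00\x00")
```

`rebuild(GOOD)` returns a normalized movie, while `rebuild(BAD)` raises `FormatViolation` because the tag declares 0x1000 bytes of payload that the file does not contain.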
Lindner, also known as FX, presented his approach to Flash security at a German security conference late last year. In the slides for the conference he states that the approach he took with Blitzableiter is designed to address fundamental weaknesses in the way that other defenses against Flash attacks work currently.
“Static analysis will provably not be able to determine what the code is actually doing,” he said in the presentation.
Adobe has been under the microscope for security weaknesses for some time now, and is in the middle of a software security initiative and an effort to change the way it gets patches and other updates to users. Flash often is a target of Web-based exploits as it runs on hundreds of millions of PCs around the world. It also is a key component of most Web advertising content, which can be used in attacks that redirect users to multiple sites and serve malware and other Web-based exploits.
During testing of the tool, which will be open source, Lindner threw 20 pieces of live malware at Blitzableiter, which rejected all of them for various reasons, including file format violations and code violations. But he concedes that the new tool won’t catch every kind of attack, including heap-spraying attacks and others.
Rob Westervelt at SearchSecurity.com spoke with Lindner about Blitzableiter. “There was a lot of work involved, but we’re confident that it could help remove most attacks targeting Flash,” Lindner told Westervelt. “It’s one of the newest defenses that we’ve got.”