Wednesday, December 30, 2009

26C3: Protection Against Flash Security Holes

Via -

Felix "FX" Lindner of
Recurity Labs presented his open source "Blitzableiter" (lightning rod) project at the 26th Chaos Communication Congress (26C3). The tool analyses and cleans up Flash code before playback and is designed to prevent security holes in Adobe Flash from being exploited. Flash is one of the most commonly used points of entry for attackers who try to compromise PCs during visits to web pages.

To prevent the frequently recurring security issues in Adobe's software from being exploited, the Blitzableiter tool checks SWF files for their integrity. Embedded ActionScript code is detected, analysed and cleaned up. The wrapper can also verify whether embedded objects such as JPEG images comply with the specification.

However, Flash malware tends to use the multimedia format within its specification, for example to simulate clicks on ads or redirect users to pages that try to make them install alleged virus scanners which turn out to be scareware. To prevent this, the wrapper redirects certain security-related function calls, such as
ActionGetURL2 for opening web pages, to its own code, which can then monitor it use with mechanisms such as a same origin policy. The tool can reportedly even prevent CSRF attacks that, for instance, allow small Flash movies to secretly reconfigure a router.

To ensure that Blitzableiter was doing its job well, the security expert checked it with 20 real, functionally different exploits. None of them slipped through the tool's net. One problem with the concept is, however, that legitimate Flash files may no longer function correctly; in a test involving a set of 95,000 SWF files, 92 per cent passed the format check, but only 82 per cent survived the entire debugging procedure. However, larger Flash portals such as YouTube or YouPorn remain functional without restrictions, said Lindner.

No comments:

Post a Comment