Exploits in Flash
Golden Rules of Security: #1 – Software Developers Always Make Mistakes.
One zero day in Flash, 850 million exploitable devices.
Do Adobe follow a decent secure coding methodology?
Adobe make apps like Photoshop, do they take internet security seriously?
Flash Plug-in is Critical Browser Infrastructure.
Quickly implemented features tend to contain bugs, exploits.
Adobe Acrobat exploit anyone?
ActionScript is complex.
Vast history of Adobe/Macromedia security issues.
850 million devices which support a language (ActionScript)
Language first developed by Macromedia, and now Adobe.

Who Why How What of Flash
Flash is a Powerful Attack Vector.
Cross-platform (Windows, OSX, Linux, HP-UX, PPC)
“I would probably open that” “I probably shouldn’t, aye”
Supported by 850 million internet connected desktops.
JIT compilation for new Flash Virtual Machine (AVM2)
Binary sockets (Connect to a port, send/retrieve data)
10% of API is still undocumented!
ActionScript has matured into a flexible/powerful language.

Who Why How What of Flash
ActionScript v3, 2006-Today
Compile-time and runtime type validation
Support for packages, namespaces and regular expressions.
Compile-time type checking implemented, strict variable typing.
ActionScript v2, 2003-2006
Flash is being used for complex applications!
Developers demanded more functionality.
Prototype-oriented programming (No class support).
JavaScript-like language with simple functionality.
Flash 4 ‘Actions’ (Macros) expanded into ActionScript v1 in Flash 5.

Who Why How What of Flash
ActionScript was developed from a feature in Flash 4, 7 years ago.
Larger, more complete API, access to host functionality.
Standalone Flash: Compiled PE executables with embedded ActionScript player.
Reduced functionality API, no access to host functionality.
Web Flash Content: ActionScript executed by a browser plug-in/ActiveX control.
ActionScript API is segregated into two streams.
Macromedia was purchased by Adobe in 2005 ($3.4 billion!)
Flash logic is developed in ActionScript
Originally based on ECMAScript/JavaScript.

Who Why How What of Flash
Everything you wanted to know about Flash:
Originally developed by Macromedia in early 2000’s.

If I sent you a link to funnygame.exe, would you run it? “Nope.”
How about funnygame.swf? “I would probably open that”
Flash is considered harmless, “It’s a funny game or joke”
My Question: What are the incurred risks of running Flash content?
How easily can Flash be used as an attack vector?
Probability of getting pwned through a malicious SWF?

Overview
“Wow, Macromedia/Adobe Flash is everywhere on the internet!”
YouTube, FaceBook, MySpace, CNN, Ebay, etc
I Wonder, do internet users implicitly trust Flash content?
The Litmus Test: My Wife, Kim.

My Role
Application Penetration Tester
“I break the crack-headed ideas of developers.”
Comments, Questions, Feedback? Email:

Who Am I?
Paul Craig, Principal Security Consultant - Author, hacker, active security researcher.

Hacking The World With Flash: Analyzing Vulnerabilities in Flash and the Risk of Exploitation
OWASP 29/2008
Paul Craig