BID 24856 - Flash Player SWF Vulnerability

Mon, 23 Jul 2007 10:06:29 GMT

Stefano DiPaola, Elia Florio and Giorgio Fedon have discovered a quite serious vulnerability in Adobe's Flash player. If you haven't heard about it, let me tell you something: "It is big". Read more about the vulnerability from here and here.

The video above was assembled by the Symantec guys. It shows working examples for Firefox on Windows, Safari on MacOS and Opera on Wii. Demonstration exploit code is available from SecurityFocus.

I've met Stefano and Giorgio at OWASP in Italy and they are one heck of good guys. Actually I sort of knew that something was going on behind the scenes, since Stefano was digging into the FLV format at that time. His presentation on XSS in Flash was really good. Please check it out from here.

So how bad is this vulnerability? I must say that it is pretty bad. Notice that the exploit runs straight from YouTube.

Giorgio Maone
Not to play the devil's advocate, but "it WAS big". Stefano and Giorgio did responsible disclosure, thus the Flash Player plugin registered in my default Firefox profile (version 9.0r47) is not vulnerable. Since, let me see... July 10th 2007... 13 days now? Anyway Minded Security's advisory is very worth reading, many thanks for the pointer :) -- There's a browser safer than Firefox... http://noscript.net
pdp
Giorgio, you are right. Nevertheless I thought it might be a good idea to mention the bug and also point out where the credits are due. :)
Giorgio Maone
OK, I had a chance to watch the Symantec video and finally realized how really scary this bug was. The video starts with "Example 1: Windows with Firefox", but even before they open the compromised FLV, the attack has already transformed Firefox into Internet Explorer 6 for better exploitation, OMG!!! -- There’s a browser safer than Firefox… http://noscript.net
Stefano
@Giorgio, even if there's a Flash player/plugin new version think about wii or smart phones with flash lite installed.... when will vendors fix it with an update? @Pdp, thanks for your kind words and for this blog entry!:)
pdp
Giorgio, Stefano is right. It will take some time to upgrade all flash instances. So, the bug is very serious. In fact, I am sure that someone will take it and make it into a worm of some sort. BTW, thanks to Stefano and his team's responsible disclosure the impact is a lot less significant. Stefano, always. The research is worth it.
Giorgio Maone
@Stefano: I agree on the impact of slow patch deployment on mobile devices, and I've been already contacted for some NoScript portings, actually. Again thanks for the responsible disclosure and for your detailed and enjoyable advisory. -- There’s a browser safer than Firefox… http://noscript.net
Awesome AnDrEw
Lovely example, but I wouldn't necessarily get too crazy on making the Nintendo Wii crash as it's easily done simply browsing normal pages. This is a pretty cool idea though seeing as how most services now use Flash players supporting the FLV file format, and generally use some shoddy script to get the URL of the media from a variable in the address.
ascii
@Giorgio Maone: let me see... thanks for your understanding, responsible disclosure MEANS that "it WAS big", if not it's not responsible disclosure.