Re: Adobe is not willing to fix Flash security issues.
Posted: Sun Dec 13, 2009 4:06 pm
Oh ok, I wasn't sure if they were a PHP thing or a REGEX thing. Now I see your double quotes.
http://forums.devnetwork.net/
josh wrote: I keep submitting this to them in the bug tracker, sometimes multiple times per day. I am starting threads in their forums about it now. Now you do not seem so irrational to me for starting this thread. I don't know what's more infuriating, that they introduced this exploit in the first place, or that they are not escalating the issue to someone who actually knows their head from their ass. All they've done is make that blog post you linked to, which we already proved is full of inconsistencies.
It feels like I wrote that...
kaisellgren wrote: 4) Look for the three first bytes in the file if they are 0x46 0x57 0x53 or 0x43 0x57 0x53.
That's the only way to identify a swf? Three bytes?
Looks like there is a problem with the swf player format. The swf player ignores mime types which creates a security nightmare. Any programmer will tell you a security model which requires a blacklist to work is broken. If by allowing myself to accept jpeg uploads, I open myself up to hosting flash (proof of concept in thread, exploited against YOUR server nonetheless!)
Why won't Adobe take this seriously? Is there some sort of plot by Adobe to ruin the internet? Did Al Qaeda pay you guys to add this "feature"? Since you guys have not gone on record about this issue specifically, we will assume it's Al Qaeda.
Charles256 wrote: I know this is old but did it ever get resolved Josh? I'm building a site that allows users to upload swf's and I'd like to know what I need to keep my eyes open for.
Serve the files through a throw-away domain. That's the best thing to do.
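The two defensive ideas in this thread, checking the first bytes of an upload for the SWF signature (kaisellgren's point 4) and treating accepted uploads as a whitelist rather than a blacklist (josh's complaint about the broken security model), fit together in one upload validator. The following is an added example, not code from the thread or from Adobe; the allowed-type table, the hypothetical serving host name and the sample uploads are constructed for illustration. It goes slightly beyond the post by also recognising the ZWS (LZMA-compressed) SWF signature introduced in later Flash Player versions, and it refuses anything whose leading bytes do not match an explicitly allowed format, so an unknown future file type is rejected by default instead of hosted by accident.

```python
from typing import Dict, Optional, Tuple

# Whitelist: magic bytes of the only formats this hypothetical site agrees to host.
# Anything that does not start with one of these is rejected, whatever the
# browser or the file extension claims it is.
ALLOWED_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/zip": (b"PK\x03\x04",),
}

# SWF signatures: FWS = uncompressed (0x46 0x57 0x53), CWS = zlib-compressed
# (0x43 0x57 0x53), both from the thread; ZWS = LZMA-compressed, added in later
# SWF versions.  Checked explicitly so the rejection reason is informative.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Hypothetical throw-away origin for user content (assumption, not from the page).
USER_CONTENT_HOST = "user-content.example.invalid"


def looks_like_swf(data: bytes) -> bool:
    """True if the file starts with any SWF signature."""
    return data[:3] in SWF_SIGNATURES


def sniff_allowed_type(data: bytes) -> Optional[str]:
    """Return the whitelisted MIME type whose magic bytes open this file, else None."""
    for mime, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Decide whether an upload may be stored.

    `declared_type` is the Content-Type the client sent; it is untrusted and only
    has to agree with what the bytes actually are.  Returns (accepted, detail)
    where detail is the sniffed MIME type on success or a rejection reason.
    """
    if looks_like_swf(data):
        return False, "rejected: SWF signature"
    sniffed = sniff_allowed_type(data)
    if sniffed is None:
        return False, "rejected: content does not match any allowed format"
    if sniffed != declared_type:
        return False, f"rejected: declared {declared_type} but content is {sniffed}"
    return True, sniffed


def response_headers(sniffed_type: str, filename: str) -> Dict[str, str]:
    """Headers for serving a stored upload from the separate user-content host.

    The Content-Type comes from the sniffed bytes, never from the uploader;
    nosniff tells browsers not to second-guess it, and attachment keeps the
    file from being rendered inline on the throw-away origin.
    """
    return {
        "Host": USER_CONTENT_HOST,
        "Content-Type": sniffed_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }


# Constructed sample uploads (not real files): header bytes plus padding.
SAMPLE_UPLOADS = {
    "photo.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, "image/jpeg"),
    "flash_as_jpg.jpg": (b"FWS\x0a" + b"\x00" * 12, "image/jpeg"),
    "flash_as_zip.zip": (b"CWS\x0a" + b"\x00" * 12, "application/zip"),
    "archive.zip": (b"PK\x03\x04" + b"\x00" * 12, "application/zip"),
    "mislabelled.png": (b"GIF89a" + b"\x00" * 10, "image/png"),
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Validate every constructed sample and return the decisions by filename."""
    return {name: validate_upload(data, declared) for name, (data, declared) in SAMPLE_UPLOADS.items()}


if __name__ == "__main__":
    for name, (accepted, detail) in run_samples().items():
        print(f"{name:20s} {'ACCEPT' if accepted else 'REJECT'}  {detail}")
```

The validator is intentionally a whitelist: the SWF check only improves the error message, because a SWF would already fail the allowed-signature test. The header helper is there because the thread's closing advice is to serve uploads from a throw-away domain; hosting on a separate origin is what limits the damage if a check is ever bypassed, and the headers make sure the file is not interpreted as something other than what it was validated as.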
Dear Josh,
My name is ********* – I’m an engineer on the Flash Player team here in San Francisco, CA. I am not on the security team, so clearly my perspective will be limited. However, I can pass questions and concerns to folks on that team.
I am looking at bug reports and came across the ones you filed related to security.
After reading some of your all-caps comments, my coworkers suggested I not write you, suggesting that if I did, it’s because I like pain!
Well I don’t like pain but I would like to hear more of your thoughts. Clearly you are intelligent and astute and passionate.
To use some of your words from the forum entries you linked to: “No wonder Adobe has put you on ‘ignore’”…
We don’t intentionally ignore anyone, but obviously we’re just people who’d rather investigate issues reported to us professionally. Being called a “liar” isn’t going to get very far!
Anyway, I went and got a response to your issues from someone on the security team.
Basically they claim this is not merely a Flash issue, but rather a web issue. They say browsers don't enforce strict content types for media either: it's a problem that both browser vendors and Adobe are examining in order to come to a proper solution.
Long-story short, the security team is fully aware of these issues, and are in constant contact with the major browsers regarding this and other things.
(At the moment they are heads down working on our beta – so they aren’t responding to user email reports. That’s why you got me.)
Kind regards,
********************
Software Engineer, **********
Flash Player
Adobe Systems, Inc.
My response:
Hey ******,
> Basically they claim this is not merely a Flash issue, but rather a web issue. They say browsers don't enforce strict content types for media either: it's a problem that both browser vendors and Adobe are examining in order to come to a proper solution.
It comes down to this.
1) You guys made a program that has special privileges to communicate with the same domain.
2) You made an assumption that as long as someone "doesn't whitelist" this new medium its not going to affect them
3) That assumption was wrong because someone who was only trying to accept .zip or .jpg files is now forced to accept .swf files, as demonstrated when my friend hacked your guys' photoshop.com web app and used it to read out customers' serial #s.
> Long-story short, the security team is fully aware of these issues, and are in constant contact with the major browsers regarding this and other things.
If they are fully aware they should release an update immediately that warns the user if a content type header was not sent. Improperly configured servers would then cause a prompt to be raised by the client's flash player, however this will get everyone to use the right content type headers. It will also solve your problems. Something like:
"This flash content was not served with a proper header, because of this a third party may have compromised the website you are on".
I mean come on guys. Photoshop.com was hacked; at least secure your guys' own site. If you could also pass the message along so the rest of the interweb isn't "left hanging" that would be great.
> (At the moment they are heads down working on our beta – so they aren’t responding to user email reports. That’s why you got me.)
Pretty sad if new functionality is more important than potentially *billions* in liabilities. Just how many photoshop serial #s got stolen? How many 100s of thousands did THAT cost you?
Josh
Let me provide another example because you guys clearly don't understand.
If I go to photoshop.com and trick you guys into hosting a malicious .js file, that does not compromise you.
If I hotlink photoshop.com/myHackedJs.js from my blog and send you to my blog, that JS does not harm photoshop.com, it only hurts myself.
However with flash you can basically throw that assumption out of the water.
If I trick you guys into hosting photoshop.com/myHackedSwf.swf and hotlink it from my blog, suddenly I send you a link to my blog and photoshop.com is compromised ( let me clarify that again, if you had valid cookies from photoshop.com and are browsed to blog.com, that swf is still within the "container" of photoshop.com).
In your press release you said "Same domain as HTML around it is hosted on". This contradicts my observations, which are that SOP activates as long as the SWF ITSELF is hosted on the same domain.
It should take into account the html around it, or do the prompt described in previous correspondence.
Yours truly,
Josh Ribakoff
PS > Feel free to visit my great blog http://www.joshribakoff.com (make sure you're logged in to the main admin for adobe.com first plz)