Re: Adobe is not willing to fix Flash security issues.

Posted: Sun Dec 13, 2009 4:06 pm
by josh
Oh ok, I wasn't sure if they were a PHP thing or a REGEX thing. Now I see your double quotes.

Re: Adobe is not willing to fix Flash security issues.

Posted: Sat Dec 19, 2009 12:40 am
by josh
I keep submitting this to them in the bug tracker, sometimes multiple times per day. I am starting threads in their forums about it now. Now you do not seem so irrational to me for starting this thread. I don't know what's more infuriating, that they introduced this exploit in the first place, or that they are not escalating the issue to someone who actually knows their head from their ass. All they've done is make that blog post you linked to, which we already proved is full of inconsistencies.

Re: Adobe is not willing to fix Flash security issues.

Posted: Sat Dec 19, 2009 3:18 am
by kaisellgren
josh wrote:I keep submitting this to them in the bug tracker, sometimes multiple times per day. I am starting threads in their forums about it now. Now you do not seem so irrational to me for starting this thread. I don't know what's more infuriating, that they introduced this exploit in the first place, or that they are not escalating the issue to someone who actually knows their head from their ass. All they've done is make that blog post you linked to, which we already proved is full of inconsistencies.
It feels like I wrote that...

By the way, there's one thing I noticed, if you use Chrome's Flashblock, you are not safe, because it just hides the Flash - doesn't block it. Just something you guys should be aware of.

Re: Adobe is not willing to fix Flash security issues.

Posted: Sat Dec 19, 2009 8:08 pm
by daedalus__
kaisellgren wrote: 4) Look for the three first bytes in the file if they are 0x46 0x57 0x53 or 0x43 0x57 0x53.
that's the only way to identify a swf ? three bytes?

i don't use flash so i don't have a copy of it but that seems kind of ridiculous. how did you identify those sequences?
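The three-byte check discussed above, worked through as an added example (this is not code posted by anyone in the thread). It parses the first eight bytes of an upload, which in the SWF format are the signature (FWS for uncompressed, CWS for zlib-compressed, the 0x46/0x43 0x57 0x53 values quoted above), a version byte and a little-endian uncompressed length, and then applies the allow-list policy the thread argues for: a file whose bytes look like a SWF is rejected whatever extension it arrived with, and an accepted file must actually start with the magic of the type it claims to be. The `ALLOWED_MAGIC` table and the `make_sample_swf` helper are constructed for this example.

```python
"""Magic-byte classification of uploads (added example, not code from the thread)."""

import struct
import zlib

# SWF signatures quoted in the thread: 0x46 0x57 0x53 ("FWS") and 0x43 0x57 0x53 ("CWS").
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib-compressed"}

# Allow-list of leading bytes for the types the site actually wants to accept.
# Constructed for this example; extend it to the formats you really serve.
ALLOWED_MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "zip": [b"PK\x03\x04"],
}


def parse_swf_header(data: bytes):
    """Return the SWF header fields if `data` starts like a SWF, else None.

    SWF header layout: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed file length. The body after byte 8 (zlib-compressed for CWS)
    does not need to be decoded just to classify the file.
    """
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    (declared_len,) = struct.unpack("<I", data[4:8])
    return {
        "compression": SWF_SIGNATURES[data[:3]],
        "version": version,
        "declared_length": declared_len,
    }


def classify_upload(data: bytes, declared_ext: str) -> str:
    """Decide what to do with an upload.

    Returns one of:
      "reject-swf"       the bytes are a SWF, whatever the extension says
      "reject-mismatch"  the bytes do not match the allow-listed magic for
                         the declared extension
      "accept"           the leading bytes agree with the declared type
    """
    if parse_swf_header(data) is not None:
        return "reject-swf"
    magics = ALLOWED_MAGIC.get(declared_ext.lower())
    if not magics or not any(data.startswith(m) for m in magics):
        return "reject-mismatch"
    return "accept"


def make_sample_swf(compressed: bool) -> bytes:
    """Build a constructed SWF-shaped byte string for testing.

    Real SWFs carry a frame header and tag stream after the 8-byte header;
    the classifier only looks at those first eight bytes, so a zero body is
    enough here.
    """
    body = b"\x00" * 8
    header = bytes([10]) + struct.pack("<I", 8 + len(body))  # version 10, total length 16
    if compressed:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


if __name__ == "__main__":
    # A "photo" whose bytes are really a compressed SWF is rejected.
    print(classify_upload(make_sample_swf(True), "jpg"))                # reject-swf
    # A genuine JPEG prefix uploaded as .jpg passes.
    print(classify_upload(b"\xff\xd8\xff\xe0" + b"\x00" * 16, "jpg"))  # accept
```

Two caveats. The signature check is necessary but not sufficient: it only catches the two encodings the thread names, and later player versions added a third, LZMA-compressed signature (ZWS), so any such table needs maintaining. More importantly, as the thread goes on to say, even files that pass should be served from a domain that holds no session cookies, because the magic check protects against the one format you know about and the separate origin protects against the ones you do not.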

Re: Adobe is not willing to fix Flash security issues.

Posted: Sat Dec 19, 2009 8:16 pm
by daedalus__

Re: Adobe is not willing to fix Flash security issues.

Posted: Sun Dec 20, 2009 12:28 am
by josh
Cool, I send them feedback thru that email address

viewtopic.php?f=34&t=109319&st=0&sk=t&sd=a
Looks like there is a problem with the swf player format. The swf player ignores mime types which creates a security nightmare. Any programmer will tell you a security model which requires a blacklist to work is broken. If by allowing myself to accept jpeg uploads, I open myself up to hosting flash (proof of concept in thread, exploited against YOUR server nonetheless!)

Why won't Adobe take this seriously? Is there some sort of plot by Adobe to ruin the internet? Did Al Qaeda pay you guys to add this "feature"? Since you guys have not gone on record about this issue specifically, we will assume it's Al Qaeda

Re: Adobe is not willing to fix Flash security issues.

Posted: Sun Dec 20, 2009 5:05 am
by kaisellgren
You could write a complex parser to detect SWF files... good luck with that... maybe port the Flash parser entirely to PHP? :P

Re: Adobe is not willing to fix Flash security issues.

Posted: Sun Dec 20, 2009 10:19 pm
by Benjamin
The character length of the responsible party is more than likely 3.

Re: Adobe is not willing to fix Flash security issues.

Posted: Thu Jan 14, 2010 8:46 am
by Charles256
I know this is old but did it ever get resolved Josh? I'm building a site that allows users to upload swf's and I'd like to know what I need to keep my eyes open for.

Re: Adobe is not willing to fix Flash security issues.

Posted: Thu Jan 14, 2010 12:28 pm
by kaisellgren
Charles256 wrote:I know this is old but did it ever get resolved Josh? I'm building a site that allows users to upload swf's and I'd like to know what I need to keep my eyes open for.
Serve the files through a throw-away domain. That's the best thing to do.

Re: Adobe is not willing to fix Flash security issues.

Posted: Thu Jan 14, 2010 12:30 pm
by Charles256
What do you mean by a throw away domain? Got time to provide a brief example or did I read over one on accident? Last question being, I take it by your response this issue has still not been resolved?

Re: Adobe is not willing to fix Flash security issues.

Posted: Fri Jan 15, 2010 3:29 am
by josh
You don't need to be able to "throw it away", it just needs to be different and used for nothing else but hosting the .swfs is what he means.

And the fact that your site allows .swf to be uploaded is kinda irrelevant, you should do this for *all* files I think is the general consensus, the only files that should be served on your main domain are ones that have undergone heavy white listing (like opening and resizing a jpg). The security flaw at hand is that even if you did not allow .swf, someone could just rename it to .zip for instance and upload it (lots of sites allow any file format like that, like most webmail apps)

Even if they fix it anytime soon it will be years before people upgrade their flash players
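The "different domain used for nothing but hosting uploads" advice from the last two posts, as an added example (not code from any poster). It is a small WSGI handler that refuses to return raw upload bytes at all when the request arrives on the main application host, and serves them only from a dedicated origin, so that a SWF which slipped through as `photo.jpg` executes in a throw-away origin rather than in the one that holds your users' cookies. The host names `example.com` and `usercontent-example.net`, the in-memory `UPLOADS` store and the `/u/<id>` path layout are all constructed for this example.

```python
"""Serve user uploads only from a dedicated origin (added example, not code from the thread)."""

MAIN_HOST = "example.com"                 # where the application and its cookies live (constructed)
UPLOAD_HOST = "usercontent-example.net"   # throw-away origin used for nothing else (constructed)

# Constructed in-memory store: upload id -> (bytes, extension the site accepted it as)
UPLOADS = {
    "abc123": (b"\xff\xd8\xff\xe0" + b"\x00" * 16, "jpg"),
}


def upload_url(upload_id: str) -> str:
    """Every link the site emits for an upload points at UPLOAD_HOST, never at MAIN_HOST."""
    return f"https://{UPLOAD_HOST}/u/{upload_id}"


def serve_upload(host: str, path: str):
    """Return (status, headers, body) for a request for an upload.

    Requests that arrive on any host other than UPLOAD_HOST get a 404, so a
    misconfiguration, or someone hot-linking example.com/u/<id>, cannot put
    user-supplied bytes into the main origin.
    """
    not_found = ("404 Not Found", [("Content-Type", "text/plain")], b"not found")
    if host.lower() != UPLOAD_HOST:
        return not_found
    if not path.startswith("/u/"):
        return not_found
    upload_id = path[3:]
    item = UPLOADS.get(upload_id)
    if item is None:
        return not_found
    data, ext = item
    headers = [
        # Generic type plus a download disposition: browser-side hygiene only.
        # The thread's point is that the Flash player ignored these headers,
        # which is exactly why the separate origin, not the headers, is the control.
        ("Content-Type", "application/octet-stream"),
        ("Content-Disposition", f'attachment; filename="{upload_id}.{ext}"'),
        ("X-Content-Type-Options", "nosniff"),
        ("Cache-Control", "private"),
    ]
    return ("200 OK", headers, data)


def app(environ, start_response):
    """Minimal WSGI entry point so the same logic runs under any WSGI server."""
    status, headers, body = serve_upload(
        environ.get("HTTP_HOST", ""), environ.get("PATH_INFO", "/")
    )
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server

    # Bind locally; in a real deployment UPLOAD_HOST resolves to this server and
    # MAIN_HOST to the application server, which never exposes /u/ at all.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Pick the upload host as a separate registrable domain rather than a subdomain of the main site: cookies set for `.example.com` would still be sent to `uploads.example.com`, which defeats the purpose of moving the files. The dedicated host should set no cookies of its own and serve nothing but the upload store.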

Re: Adobe is not willing to fix Flash security issues.

Posted: Wed Feb 10, 2010 1:30 am
by josh
Got them to crack :twisted:
Dear Josh,

My name is *********– I’m an engineer on the Flash Player team here in San Francisco, CA. I am not on the security team, so clearly my perspective will be limited. However I can pass questions and concerns to folks on that team.

I am looking at bug reports and came across the ones you filed related to security.

After reading some of your all-caps comments, my coworkers suggested I don’t write you. Suggesting that if I did it’s because I like pain!

Well I don’t like pain but I would like to hear more of your thoughts. Clearly you are intelligent and astute and passionate.

To use some of your words from the forum entries you linked to: “No wonder Adobe has put you on ‘ignore’”…

We don’t intentionally ignore anyone, but, obviously we’re just people who’d rather investigate issues reported to us professionally. Being called a “liar” isn’t going to get very far! ;)

Anyway, I went and got a response to your issues from someone on the security team.

Basically they claim this is not merely a Flash issue, but rather a web issue. They say browsers don't enforce strict content types for media either: it's a problem that both browser vendors and Adobe are examining in order to come to a proper solution.

Long-story short, the security team is fully aware of these issues, and are in constant contact with the major browsers regarding this and other things.

(At the moment they are heads down working on our beta – so they aren’t responding to user email reports. That’s why you got me.)

Kind regards,

********************
Software Engineer, **********
Flash Player
Adobe Systems, Inc.

My response 1:
Hey ******,

Basically they claim this is not merely a Flash issue, but rather a web issue. They say browsers don't enforce strict content types for media either: it's a problem that both browser vendors and Adobe are examining in order to come to a proper solution.

It comes down to this.

1) You guys made a program that has special privileges to communicate with the same domain.
2) You made an assumption that as long as someone "doesn't whitelist" this new medium it's not going to affect them
3) that assumption was wrong because someone who was only trying to accept .zip, or .jpg files now is forced to accept .swf files, as demonstrated when my friend hacked your guys photoshop.com web app and used it to read out customer's serial #s.

Long-story short, the security team is fully aware of these issues, and are in constant contact with the major browsers regarding this and other things.

If they are fully aware they should release an update immediately that warns the user if a content type header was not sent. Improperly configured servers would then cause a prompt to be raised by the client's flash player, however this will get everyone to use the right content type headers. It will also solve your problems. Something like:

"This flash content was not served with a proper header, because of this a third party may have compromised the website you are on".

I mean come guy guy. Photoshop.com was hacked, at least secure your guy's own site. If you could also pass the message along so the rest of the interweb isn't "left hanging" that would be great.

(At the moment they are heads down working on our beta – so they aren’t responding to user email reports. That’s why you got me.)

Pretty sad if new functionality is more important than potentially *billions* in liabilities. Just how many photoshop serial #s got stolen? How many 100s of thousands did THAT cost you?

Josh

My response 2:
Let me provide another example because you guys clearly don't understand.

If I go to photoshop.com and trick you guys into hosting a malicious .js file, that does not compromise you
If I hotlink photoshop.com/myHackedJs.js from my blog and send you to my blog, that JS does not harm photoshop.com, only hurts myself

However with flash you can basically throw that assumption out of the water.

If I trick you guys into hosting photoshop.com/myHackedSwf.swf and hotlink it from my blog, suddenly I send you a link to my blog and photoshop.com is compromised ( let me clarify that again, if you had valid cookies from photoshop.com and are browsed to blog.com, that swf is still within the "container" of photoshop.com).

In your press release you said "Same domain as HTML around it is hosted on". This contradicts my observations which are SOP activates as long as the SWF ITSELF is hosted on the same domain.

It should take into account the html around it, or do the prompt described in previous correspondence.

Yours Truly

Josh Ribakoff

PS > Feel free to visit my great blog http://www.joshribakoff.com (make sure you're logged in to the main admin for adobe.com first plz)

Re: Adobe is not willing to fix Flash security issues.

Posted: Wed Feb 10, 2010 3:51 am
by timWebUK
You make fair points but honestly, you won't get taken very seriously the way you've worded your emails and pretty much shouted at them. They want bug reports and correspondence from professionals, not someone shouting at them, telling them everything is wrong.

If you want it to be fixed you have to be polite, professional and helpful...

Re: Adobe is not willing to fix Flash security issues.

Posted: Wed Feb 10, 2010 8:29 am
by josh
:roll: shouting? If someone is putting themselves directly into harms way why wouldn't you "shout" at them to warn them?

I sent them a pretty objective civil email if you ask me, with some light humor. Obviously you are wrong because we all filed bug reports that they promptly ignored. Not until we raised a ruckus on the bug tracker & forums months later did they decide they wanted to address the issue.

The essence of a bug report is to inform them of a mistake. I'm sure they aren't offended that it's "wrong". They simply don't understand the issue at hand, and lack the escalation policy to take the issue seriously. As they have stated the security team is too busy to work on it because they have a new beta or something. So typical.

The issue is not who is and is not shouting though, the issue is a security flaw in the software that needs to be fixed.