<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.3" -->
<rss version="2.0">
	<channel>
		<title>Flash Origin Policy Issues</title>
		<description>Comments for Flash Origin Policy Issues at http://www.foregroundsecurity.com , comment 1 to 59 out of 20 comments</description>
		<link>http://www.foregroundsecurity.com</link>
		<lastBuildDate>Tue, 09 Mar 2010 22:52:51 +0100</lastBuildDate>
		<generator>FeedCreator 1.7.3</generator>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-81</link>
			<description>Good post, thank you for sharing. - Sharedtut</description>
			<pubDate>Wed, 03 Feb 2010 05:58:36 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-73</link>
			<description>In other news Adobe is also responsible for Google's Chinese resources being hacked.

It is pretty lame this very detailed post is sitting here and Adobe still has not addressed it. - Josh Ribakoff</description>
			<pubDate>Thu, 14 Jan 2010 01:48:33 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-68</link>
			<description>I see that you have no idea about the Flash Security model. You offer a solution by suggesting to block Flash sites. How about turning off your own computer? It would solve the whole problem from the root. I can't believe there are other authors referring to your site about Flash Security.  - Ozgur Uksal</description>
			<pubDate>Mon, 21 Dec 2009 19:16:08 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-64</link>
			<description>[b]Is there anything better for IE8 then Toggle Flash?[/b] - E-TARD</description>
			<pubDate>Mon, 23 Nov 2009 10:15:00 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-61</link>
			<description>The people at Bugtraq disagree with your classification of this as a security vulnerability:

So-Called Flash Vulnerability Retired by SecurityFocus
http://blogs.pcmag.com/securitywatch/2009/11/so-called_flash_vulnerability.php
 - SecGuy123</description>
			<pubDate>Tue, 17 Nov 2009 12:19:56 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-60</link>
			<description>Why is the zip attack Adobe's fault?  Zip files typically start with &quot;PK&quot;, followed by some bytes, followed by a manifest file, etc.  So let's say you prepend a SWF to the ZIP file.  Why is the ZIP parser ignoring the hundreds of bytes of SWF data at the front of the file?  Shouldn't the ZIP parser be enforcing its file format?  I really doubt the MS docx parser is that forgiving. - SecGuy123</description>
			<pubDate>Mon, 16 Nov 2009 13:21:57 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-59</link>
			<description>Sorry, a bit misunderstood there - I mean why can't only a malicious file be sent to the victim, doing all those things, as I mentioned...  - Elad</description>
			<pubDate>Mon, 16 Nov 2009 10:57:23 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-58</link>
			<description>Hi Mike, you mentioned:

&quot;It required uploading the SWF to my own account, then logging the victim into that account (via CSRF), loading the SWF into the browser..&quot;

I don't understand why, in order to exploit this, a malicious file (loading the policy from the exploit site) can't be sent along with a link to open the exploit site (the exploit site can be opened by the flash). This way only the flash file needs to be sent and loaded by the user, and the policy of the flash file will enable it to send information to the exploit site.
  - Elad</description>
			<pubDate>Mon, 16 Nov 2009 10:55:12 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-57</link>
			<description>Could you please provide some more detail how it can affect server side?

 - code_46</description>
			<pubDate>Mon, 16 Nov 2009 02:55:36 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-56</link>
			<description>Oh, to explain what @kuza55 said.. you were able to log in your victim to a googleApps account to exploit this vulnerability ( mail.google.com/a/attacker.com ).

So, the victim keeps his google.com session, and gets a new googleApps/attacker.com session, and you exploit on mail.google.com/a/attacker.com so then you get both sessions..

You can further improve the stealthiness of this attack using google's data export API.

And yeah, this is not a new attack, actually, this is a less-dangerous version of the above mentioned attack.. anyway, I guess you didn't know about it.. that happens when you don't visit slackers hehe..

Greetz!!

PS. dude, you require to enable JS to post a comment? ... 
 - sirdarckcat</description>
			<pubDate>Sun, 15 Nov 2009 07:43:45 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-55</link>
			<description>Wooohooo, yet another piece of work that has already been published more than a year ago, you must be so proud.

*rolls eyes*

Also, weaponised exploits have been made for this which do not require the elaborate social engineering described here (18 months ago, in fact).

(I thought of this approach, but decided it wasn't going to pass the &quot;Would I get anyone who wouldn't just run my exe?&quot; test, so I spent a few more months puzzling over it, and eventually made a real exploit) - kuza55</description>
			<pubDate>Sun, 15 Nov 2009 01:54:21 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-54</link>
			<description>As a flash developer, I must say that trying to make even content on the same server require crossdomain policy files will create a situation where most websites will just have a default &quot;allow all&quot; setting on their website, and people will just be more vulnerable to attacks, not less.

If you make it too hard for the owner of a house to unlock his door, he'll just leave the door unlocked all the time. - guest</description>
			<pubDate>Sat, 14 Nov 2009 18:13:25 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-53</link>
			<description>I don't get how this has anything to do with Flash? This seems to be general browser security issues that CAN be exploited by either the Flash Player or a Javascript, based on security context. This really seems vague and poorly researched?

&gt; Actionscript can execute javascript using ExternalInterface

Mike - this is incorrect. For a SWF to do this, it must be embedded with the &quot;allowscriptaccess&quot; parameter. It's the browser that then allows communication between Flash and the HTML container. In other words, one would need to be able to upload ANY html + swf to do this. If that is possible on a server, the sysadm would have a problem and Flash wouldn't have anything to do with it.

&gt; Alice's Flash plugin finds a SWF inside the .gif response and executes it. 

Peter - this is incorrect. It's the browser that enables the plugin for the appropriate objects in a page. If the browser displays the gif using the Flash Plugin, it's certainly the fault of the browser and not the Flash plugin.

In general, it seems that the author believes that any SWF on a domain can upload content to that domain? That's not how it works. Something has to be at the other end (the server) to catch the file, and admins fully control that.

J - Jensa</description>
			<pubDate>Sat, 14 Nov 2009 09:12:39 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-52</link>
			<description>Adobe's Secure Software Engineering Team has posted [url=http://blogs.adobe.com/asset/2009/11/flash_content_and_the_same-ori.html]a blog about this[/url]. - James Ward</description>
			<pubDate>Sat, 14 Nov 2009 07:43:59 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-51</link>
			<description>ReallyEvilCanine, I run IE5, IE6, IE7, and IE8 all on the same XP Pro desktop here when I am doing web development.  I just run them all in different VirtualBox VMs.  IE5 runs on a Win2k Pro VM, IE6 runs on an XP Pro VM, IE7 runs on the host (also XP Pro), and IE8 runs on a Win7RC VM.  I have had them all running simultaneously and really not had any performance issues.  My box is not a honking powerhouse, either, just a three-year-old Athlon 64 X2 (2GHz) with 4GB RAM.

It would be fairly easy IMHO for you to download the free version of VirtualBox and install an XP Pro VM on which you ran your IE6 app.  This would have the added advantage of allowing you to sandbox the vulnerable IE6 away from your main desktop.  VBox supports sharing folders on the host and it recognizes local USB and other devices, so you can print locally or to a networked printer easily.

HTH,  Angus - Angus Scott-Fleming</description>
			<pubDate>Sat, 14 Nov 2009 04:43:47 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-50</link>
			<description>VM wrote: &quot;What's interesting is that YouTube uses flash to deliver its content. Watching that video could have been the thing that crashed your system just now.&quot;
No. Why not? Simple: the SWF has been created by YouTube, the user-uploaded content is only the video file that is loaded by this SWF. And exactly that is the filter that protects the viewer here, as every uploaded video goes through a reencoding/compression process on the YouTube server. That reencoding/compression process kills anything executable inside the uploaded video; the worst thing that could happen is an unusable, unviewable video.

Regards
Nohab.
 - Nohab</description>
			<pubDate>Fri, 13 Nov 2009 20:55:05 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-48</link>
			<description>For real! Put this to rest already! Read the comments and realize that the title was completely off the point. - Ankorman</description>
			<pubDate>Fri, 13 Nov 2009 12:46:00 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-47</link>
			<description>Quoted &quot;Peter&quot; --
5) At this point, Alice's browser, expecting a SWF, requests upload1.gif from forums.example.org.
6) Alice's Flash plugin finds a SWF inside the .gif response and executes it.
--Quote


Oh does it now? Or is this an IE-only issue? I think it can't even be an IE issue. You should try this out, because Firefox doesn't do this.

I don't know how Adobe Flash player determines whether to open a given file or not, but if it's based on actually determining the file's content itself, then it is for real Adobe's fault and should be fixed.

Though I find this highly unlikely, when a program expects a file to be in one format, it really should just go about showing it the way it can, not trying to &quot;hey maybe it's a new exploit which I can trip on.. lemme see if this valid executable file contains content that I can run&quot;


On the other hand, if the Flash player trusts the Content-Type it has been given by the WWW-server, which says the content-type of the file is Flash even though it clearly starts as an image, it's a bug in the browser or the WWW-server (or the library the originator uses to detect file format). - Ankorman</description>
			<pubDate>Fri, 13 Nov 2009 12:44:04 +0100</pubDate>
		</item>
		<item>
			<title>...</title>
			<link>http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html#comment-46</link>
			<description>What's interesting is that YouTube uses flash to deliver its content.  Watching that video [i]could[/i] have been the thing that crashed your system just now. - VM</description>
			<pubDate>Fri, 13 Nov 2009 11:51:25 +0100</pubDate>
		</item>
	</channel>
</rss>
