Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

This is the way the world (wide web) ends...

This is the way the world (wide web) ends...

  • Comments 27

Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Flash. For those that don’t speak hacker-speak, in this case, a “game-over” vulnerability is one that can be easily weaponized (his techniques appear to be reliable and can be combined to run an arbitrary payload). As an added bonus, because it’s a vulnerability in Flash, it allows the attacker to write a cross-browser, cross-platform exploit – this puppy works just fine in both IE and Firefox (and potentially in Safari and Opera).

This vulnerability doesn’t affect Windows directly, but it DOES show how a determined attacker can take what was previously thought to be an unexploitable failure (a null pointer dereference) and turn it into something that can be used to 0wn the machine.

Every one of the “except not quite” issues that Thomas writes about in the article represented a stumbling block that the attacker (who had no access to the source to Flash) had to overcome – there are about 4 of them, but the attacker managed to overcome all of them.

This is seriously scary stuff.  People who have flash installed should run, not walk over to Adobe to pick up the update.  Please note that the security update comes with the following warning:

"Due to the possibility that these security enhancements and changes may impact existing Flash content, customers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition."

Edit2: It appears that the Adobe update center I linked to hasn't yet been updated with the fix, I followed their update proceedure, and my Flash plugin still had the vulnerable version number. 

Edit: Added a link to the relevant Adobe security advisory, thanks JD.


  • Who browses with Flash enabled?  Isn't that just for advertisements, junky amateur videos, and crappy games?

  • I didn't realize Thomas Ptacek was still around. His paper on vulnerabilities in intrusion detection systems back in the 90's was fantastic.

  • Goodbye internet... looks like flash is going to /0 us all

  • Yeah, this is why the FlashBlock extension should be mandatory :)

    (Still, it's not going to stop those people who "just want to see the dancing bunnies, dammit!")

  • Uh flash is used for quite a bit more than that :|

  • "Flash vulnerability" story: I'm bumping this up to my weblog, because OS News requires membership for comments, and their source, Thomas Ptacek, has not yet published the comment I submitted. The Mark Dowd paper describes an issue which was addressed

  • JD, I've added your link (and the warning that comes with the security update) to the article.

  • Personally, I think the thing that is interesting here is not whether or not the vulnerability itself is already patched or not (nice going with the quick turnaround, though!). The thing that's interesting is the _amount of work_ that people are willing to put into discovering the vulnerability in the first place!

    Larry: I found that if you have both IE and Firefox with flash installed, you've got to download the update TWICE -- once with your IE browser, and once more with your Firefox browser. That seems a bit silly to me. As far as I'm concerned, Flash is Flash; whether it's running in IE or Firefox...

  • Larry, please, at least put "0wn" in quotes. Can't stand that word. Speaks of low men.

  • Nathan:  Seriously.  He should have at least gone with "pwnz0r".

  • "I found that if you have both IE and Firefox with flash installed, you've got to download the update TWICE -- once with your IE browser, and once more with your Firefox browser. That seems a bit silly to me. As far as I'm concerned, Flash is Flash; whether it's running in IE or Firefox..."

    I found out that as well, and it is because Firefox and IE uses different Flash plug-ins

  • Great, now I am just waiting for you to say "Everyone should use SilverLight instead of Flash".

  • Heh. Not the end of the internet, but maybe it would be the end of flash? Bandwidth wasting garbage collector that it is? I suppose that would be asking too much, wouldn't it?

    I yanked the flash plugin out of Firefox a long time ago. It just eats time and cycles in order to put garbage on the screen that I don't need or want. Anyone who makes the functionality of their website dependent upon Flash obviously doesn't want my attention.

  • I haven't had any version of flash installed on my pcs in over eight years so this is a non-issue for me.  Once a month, maybe, I come across a site that won't let me do a thing without flash and makes me sigh because I was marginally interested. Oops, their bad, because I just go elsewhere for whatever I was looking to purchase or view or I do without.

    FYI - If you're too lazy, too "artsy", or too dumb to make your site or your client's work sans flash then you/they lose my (considerable) business... and NO, nothing anyone offers is unique or valuable enough that it can't be done without or found elsewhere so the loss is yours rather than mine.

  • @Markus III:

    Take a look at oops, you can't, you don't have Flash installed :p

    Seriously, we don't need ANOTHER Flash clone because that means people will have to have both of them installed thus doubling the security risk.

    Not to mention they will have to chase two sets of updates.

    I wonder how someone so focused on security as Microsoft could have missed that?

Page 1 of 2 (27 items) 12