The number and severity of vulnerabilities in Macromedia’s popular Flash animation software have been increasing throughout this year. Since Flash isinstalled on virtually every computerwith an Internet browser (97 percent, according to Macromedia), any general threat to Flash can be a major threat and must be taken seriously.
The SWF.LFM-926 virus was first seen in January 2002. This threat didn’t affect those browsing Web sites. In fact, it was described by some antivirus experts, Sophos, in particular, as more of a proof-of-concept virus than a serious attack. Macromedia responded quickly to the discovery by Sophos of the first .swf (Flash file) virus, but asSophos pointed outback in January, Macromedia's fix fell short of a complete elimination of the threat.
The drumbeat continued in February with another problem being found in the Flash authorware. This threat, discovered by a Macromedia Flash developer calling himself Vengy, made use of an undocumented feature in the Flash 5 authoring tool. The ActionScript fscommand:save command can be used to create a batch file in the stand-alone player, planting a Trojan that will execute at the next reboot. The exploit is described on Vengy’s GeoCities site.
More recently, a threat known as the Flash ActiveX Buffer Overflow flaw, first reported by eEye Digital Security, opens up user PCs to an attack just by browsing Web sites with Flash code. Macromedia responded to this threat so fast that the fix was posted by the time the discoverer reported it.
Let's take a closer look at these threats and how to secure against them.
Risk levels: low to high
The threat from SWF.LFM-926, which exploits the fscommand:exec ActionScript command in the Flash 5 authoring tool, is very low risk since it affects only systems that are testing Flash code using the vendor’s stand-alone player—something most people don’t even know exists. This does not threaten general users who simply have Flash support for their standard Internet browser.
The February threat, based on the undocumented fscommand:save command, also relates only to developers and therefore is unlikely to be exploited to any serious extent, especially since developers are likely to keep their software updated.
The ActiveX Buffer Overflow vulnerability is a high-risk threat because it allows remote code execution on PCs. A flaw in Flash OCX can allow a malicious attacker to easily rewrite the data stored in the Effective Instruction Pointer (EIP). This is the location in memory where the address of the next CPU command is located. The exploit allows the attacker to cause the system to execute any malicious code that accompanies the buffer overflow attack.
More importantly, this vulnerability affects the average user’s browser and therefore has the possibility for widespread exploitation.
Applicability: various but widespread
The ActiveX vulnerability is found in Internet Explorer only, and the other threats discovered so far only apply to developers. But, since Flash is so ubiquitous, any vulnerability in Flash can quickly become a major threat. The problem is especially severe because many people have never even heard of Flash and don’t realise it is installed in their browser. Therefore, they don’t realise they need to update it regularly. Administrators and IT support professionals must realise the threat that Flash poses to end users' desktops and add it to the list of software that should be kept up to date.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2001 TechRepublic, Inc.
16%
7%
