Adobe Flash 9 update to destroy and save Web apps

Adobe is issuing an update to Flash Player 9 that it hopes will prevent Flash-based Web applications from being used to launch attacks against consumers — but the update may also stop Flash apps working if developers don't heed Adobe's recommendations.

The April update addresses two weaknesses in Flash Player 9 that can be abused for cross-site scripting (XSS) and DNS rebinding attacks — two common techniques for attacking users' computers through flaws in Web applications.

"Customers are advised to review the upcoming Flash Player updates to determine if their content will be impacted," Adobe said on its Developer Center site.

The update focuses on the Flash Player features Web developers use to communicate with third-party servers. Sites likely to be affected are those whose SWFs use the Socket or XMLSocket classes, or set custom HTTP headers via addRequestHeader or URLRequest.requestHeaders, to reach content on domains other than their own.

A site could also be affected if it provides access to content on remote domains as a Web service provider, if it hosts Flash content in pre-Flash 8 format that communicates with the hosting HTML page, or if it uses JavaScript in the surrounding page to communicate with a Flash SWF. In all cases, Adobe advises following its recommendations to avoid problems.

But not all developers need to panic — just those who have not been as security conscious in the past, Jeff Kruize, senior web developer at application development company Internet Vision Technologies (IVT), told ZDNet.com.au.

"The new updates should only affect developers who have been a bit liberal with existing security measures, and taken advantage of the often softer default settings," Kruize said — such as the setting which allows script access from any site rather than from those from within the same domain.

While unprepared developers may face extra work, security experts welcome the changes, which help close off threats using Flash Player flaws.

"There have been significant ongoing concerns over the possibility of XSS attacks and DNS rebinding based attacks being delivered through the browser via Javascript, Adobe Flash Player applets [also called SWFs] or Java applets," Nishad Herath, McAfee senior research scientist told ZDNet.com.au.


Addressing these concerns, Adobe is making its once-optional 'socket policy file' compulsory. Served by the host a SWF wants to reach, the file defines which ports Flash Player may connect to on that host via Socket or XMLSocket connections. Because Flash Player fetches the policy from the host it is about to connect to, a SWF can no longer open a TCP connection to a server that has not explicitly permitted it, including an internal server reached through a rebound DNS name.

Web applications built on Flash Player 9 depend on this capability for their functionality, according to IVT managing director Jonathon Oxer.

"Flash is now being used as the underlying technology for a lot of Web based applications — not just [to build] Web sites. A lot of complex processing and interaction is being moved into the browser using Flash and the framework from Adobe to provide an experience that is more like using local software than interacting with a Web page," he told ZDNet.com.au.

"Those sorts of apps typically rely on asynchronous communication back to the server which involves a socket connection, so they might be vulnerable to that particular problem."

But while developers have been able to build better Web applications, McAfee's Herath said Flash has been exploited: "In an SWF, an attacker could still use Socket or XMLSocket classes to create direct TCP connections, which is a serious issue in conjunction with DNS rebinding. Also, other network APIs could be leveraged for XSS by adding custom HTTP headers."

Adobe says that the April 2008 Flash Player update will defend against malicious HTTP headers sent across domains by checking the target domain's cross-domain policy file before allowing a SWF to send custom headers to that domain.
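As an added example, not Adobe's code or anything from the article, the following Python models the two checks the update describes: the now-mandatory socket policy file check for Socket/XMLSocket connections, and the cross-domain policy file check for custom HTTP request headers. The two policy documents are constructed samples, the host names are hypothetical, and the wildcard domain rule is a simplification of Adobe's policy file specification.

```python
"""Model of Flash Player's socket-policy and request-header checks (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of a socket policy file, as a server would serve it on
# TCP port 843: only SWFs from example.com hosts may reach these ports.
SOCKET_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" to-ports="8080,9000-9010"/>
</cross-domain-policy>
"""

# Constructed sample crossdomain.xml: data loading is open to example.com
# hosts, but custom headers are accepted from one origin only, and only
# two named headers at that.
CROSSDOMAIN_XML = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-http-request-headers-from domain="app.example.com"
                                   headers="X-Requested-With,X-Api-Token"/>
</cross-domain-policy>
"""

# The request Flash Player writes to port 843 before opening a socket.
POLICY_REQUEST = b"<policy-file-request/>\0"


def domain_matches(pattern, host):
    """Match a policy domain attribute against the SWF's host.

    '*' matches everything; '*.example.com' is treated here as matching
    example.com and any subdomain (an assumption; see Adobe's policy file
    specification for the exact rules); anything else must match exactly.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def parse_ports(spec):
    """Expand a to-ports value such as '8080,9000-9010' (or '*') to a set."""
    if spec.strip() == "*":
        return set(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = part.split("-", 1)
            ports.update(range(int(low), int(high) + 1))
        elif part:
            ports.add(int(part))
    return ports


def socket_allowed(policy_xml, swf_host, port):
    """True if the socket policy lets a SWF from swf_host connect to port."""
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        if domain_matches(rule.get("domain", ""), swf_host) and \
                port in parse_ports(rule.get("to-ports", "")):
            return True
    return False  # no matching rule: the connection is refused


def header_allowed(policy_xml, swf_host, header):
    """True if crossdomain.xml lets a SWF from swf_host send this header.

    An allow-access-from rule alone is not enough; headers need their own rule.
    """
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-http-request-headers-from"):
        if not domain_matches(rule.get("domain", ""), swf_host):
            continue
        names = rule.get("headers", "")
        if names.strip() == "*":
            return True
        if header.lower() in {n.strip().lower() for n in names.split(",")}:
            return True
    return False


def handle_policy_request(data):
    """What a policy server on port 843 does with the bytes it receives:
    answer the exact NUL-terminated request with the policy, else nothing."""
    if data == POLICY_REQUEST:
        return SOCKET_POLICY + b"\0"
    return b""


if __name__ == "__main__":
    print(socket_allowed(SOCKET_POLICY, "app.example.com", 9005))      # True
    print(socket_allowed(SOCKET_POLICY, "attacker.net", 9005))         # False
    print(header_allowed(CROSSDOMAIN_XML, "app.example.com", "Cookie"))  # False
```

The point against DNS rebinding is where the policy comes from: Flash Player asks the host it is about to connect to, so an internal server reached through an attacker's rebound DNS name answers port 843 with nothing and the socket is refused, however the SWF was served. The flip side is that a policy of `domain="*"` with `to-ports="*"`, or a header rule of `domain="*"` with `headers="*"`, reopens exactly the hole the update closes, which is the "softer default" the developers quoted above warn about.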

A lack of input validation — a key cause of the recent outbreak of hacked Web sites — will also be addressed in the Adobe update.
