An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part of the modern browsing experience—becoming so ubiquitous that most users don’t even notice it.
Thomas Ptacek of Matasano Security summed up just how serious Flash vulnerabilities are: “Why do you care about Flash exploits? Because in the field, any one of them wins a commanding majority of browser installs for an attacker.” (The full blog post is here: This New Vulnerability: Dowd’s Inhuman Flash Exploit.) The large user base of Flash presents attackers with a huge target audience and will certainly be too much for them to resist.
Ptacek made the comment above when describing an article that Mark Dowd, research engineer with IBM ISS, published in April 2008 (Application-Specific Attacks: Leveraging the ActionScript Virtual Machine). This article detailed how he created a reliable exploit that took advantage of a very subtle memory corruption issue in Adobe Flash Player version 9.0.115.0. He gives a detailed account of how he overcame the many obstacles put in place by the Flash developers. This was quite an achievement. Whether it was intentional or not, this paper gave the reader a certain sense of security since it proved just how difficult it was to reliably exploit this issue and once the patch was available we could all put that nasty incident behind us. As expected, there were many people who were very happy to pick up Dowd’s research and use it for their own purposes. Since the release of Dowd’s paper we have seen widespread attempts to exploit Flash in the wild, but invariably they would all eventually use the exploit Dowd discovered. That is, until now.
Thomas Ptacek of Matasano Security summed up just how serious Flash vulnerabilities are: “Why do you care about Flash exploits? Because in the field, any one of them wins a commanding majority of browser installs for an attacker.” (The full blog post is here: This New Vulnerability: Dowd’s Inhuman Flash Exploit.) The large user base of Flash presents attackers with a huge target audience and will certainly be too much for them to resist.
Ptacek made the comment above when describing an article that Mark Dowd, research engineer with IBM ISS, published in April 2008 (Application-Specific Attacks: Leveraging the ActionScript Virtual Machine). This article detailed how he created a reliable exploit that took advantage of a very subtle memory corruption issue in Adobe Flash Player version 9.0.115.0. He gives a detailed account of how he overcame the many obstacles put in place by the Flash developers. This was quite an achievement. Whether it was intentional or not, this paper gave the reader a certain sense of security since it proved just how difficult it was to reliably exploit this issue and once the patch was available we could all put that nasty incident behind us. As expected, there were many people who were very happy to pick up Dowd’s research and use it for their own purposes. Since the release of Dowd’s paper we have seen widespread attempts to exploit Flash in the wild, but invariably they would all eventually use the exploit Dowd discovered. That is, until now.
No comments:
Post a Comment