'Dangerous' Flash exploit can infect by stealth
A Flash flaw discovered this month could change the face of Web security by allowing criminals to infect users of any browser or operating system with malware — without making their browser or application crash.
An IBM security engineer has published research showing that exploits using software such as Adobe's Flash are set to become far more reliable and dangerous than is currently thought possible.
IBM X-Force research engineer, Mark Dowd, discovered a memory corruption flaw in Adobe's Flash software which allowed an attacker to take control of a computer system.
Security researchers are interested in Dowd's discovery because Flash exploits have not typically been reliable or potent, which has resulted in researchers underestimating the potential impact of Flash exploits.
Operating system "run time" defences have reduced the reliability of many similar exploits, according to Dowd, so even where one is discovered, the chances of it working have been slim.
"A significant amount of time you can exploit a bug, but a lot of memory corruption bugs are not nearly as reliable as they used to be because of operating system hardening," Dowd told ZDNet.com.au.
The result is that security researchers have discounted this method of exploitation, said Dowd.
"The reason we put out the research is to draw attention to how serious these types of vulnerabilities can be. By using more targeted application-specific attacks, these vulnerabilities are, in fact, exploitable in a number of cases quite reliably," said Dowd.
The flaw, which was patched in Adobe's latest Flash security update, relates to a memory corruption vulnerability that occurs when Flash interprets a malicious Shockwave Flash (SWF) file — commonly used in online advertising and video streaming — and takes advantage of functionality provided by the ActionScript Virtual Machine, an integral part of Adobe Flash Player, according to Dowd's research.
Dowd was also able to craft the exploit so that an attack does not leave the usual tell-tale signs.
"I was able to make a malicious SWF file that could exploit both Firefox and Internet Explorer with the same file without crashing either browser," he said. "Basically you could exploit it successfully and the application could continue to function as if nothing happened and you wouldn't know you have just been hacked."
Sergei Shevchenko senior malware analyst at security firm, PC Tools told ZDNet.com.au that the exploit discovered by Dowd changes the scope of threats from Flash: "Previous Flash exploits were mostly designed to cause browser crashes, hang-ups, or for the worst-case scenario, an ability to parse the contents of user files. This exploit allows remote arbitrary code execution, which makes it very attractive for the malware authors."
Now that Dowd has published details of the exploit, Shevchenko believes it will only be a matter of time before a real threat emerges: "As soon as the first proof-of-concept appears, Flash-based exploits will begin appearing in the wild in large numbers."
Dowd said Flash is a very attractive attack vector for cyber criminals.
"Flash is more influential because less interaction is needed to use Flash, it's embedded in many Web pages, and it runs on Linux, Mac OS X, and a variety of embedded platforms. So it's not just Windows, but a series of operating systems," said IBM's Dowd.