Researcher breaks security sandbox in Adobe Flash

Bypassing security with mhtml


A security researcher has found a way to bypass a measure in Adobe's Flash Player that's designed to harden it against hack attacks.

Billy Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed to prevent Flash files loaded locally from passing data to remote systems.

By design, the so-called SWF files are locked in perimeter that can't communicate with the outside world. That's intended to thwart malicious Flash content that would otherwise locate sensitive user data and send it to machines controlled by attackers.

Rios found that the measure can be circumvented using a file:// request to a network machine. After snatching sensitive data, an attacker can simply pass it along using the GET protocol to an address such as file://\\192.168.1.1. That works on local area networks. To pass information to remote servers on the internet, attackers can use various protocol handlers that haven't been blacklisted by Adobe developers.

One such protocol is the mhtml handler, which is available on Windows and can be used without any prompts.

“Using the mhtml protocol handler, it's easy to bypass the Flash sandbox,” Rios wrote.

Well, sort of.

An Adobe spokeswoman issued a statement that read:

An attacker would first need to gain access to the user's system to place a malicious SWF file in a directory on the local machine before being able to trick the user into launching an application that can run the SWF file natively. In the majority of use scenarios, the malicious SWF file could not simply be launched by double-clicking on it; the user would have to manually open the file from within the application itself.

The company's security team has rated the bug “moderate.” ®

Similar topics


Other stories you might like

  • Boeing's Starliner capsule corroded due to high humidity levels, NASA explains, and the spaceship won't fly this year

    Meanwhile Elon's running orbital tourist trips and ISS crew missions

    Boeing’s CST-100 Starliner capsule, designed to carry astronauts to and from the International Space Station, will not fly until the first half of next year at the earliest, as the manufacturing giant continues to tackle an issue with the spacecraft’s valves.

    Things have not gone smoothly for Boeing. Its Starliner program has suffered numerous setbacks and delays. Just in August, a second unmanned test flight was scrapped after 13 of 24 valves in the spacecraft’s propulsion system jammed. In a briefing this week, Michelle Parker, chief engineer of space and launch at Boeing, shed more light on the errant components.

    Boeing believes the valves malfunctioned due to weather issues, we were told. Florida, home to NASA’s Kennedy Space Center where the Starliner is being assembled and tested, is known for hot, humid summers. Parker explained that the chemicals from the spacecraft’s oxidizer reacted with water condensation inside the valves to form nitric acid. The acidity corroded the valves, causing them to stick.

    Continue reading
  • Research finds consumer-grade IoT devices showing up... on corporate networks

    Considering the slack security of such kit, it's a perfect storm

    Increasing numbers of "non-business" Internet of Things devices are showing up inside corporate networks, Palo Alto Networks has warned, saying that smart lightbulbs and internet-connected pet feeders may not feature in organisations' threat models.

    According to Greg Day, VP and CSO EMEA of the US-based enterprise networking firm: "When you consider that the security controls in consumer IoT devices are minimal, so as not to increase the price, the lack of visibility coupled with increased remote working could lead to serious cybersecurity incidents."

    The company surveyed 1,900 IT decision-makers across 18 countries including the UK, US, Germany, the Netherlands and Australia, finding that just over three quarters (78 per cent) of them reported an increase in non-business IoT devices connected to their org's networks.

    Continue reading
  • Huawei appears to have quenched its thirst for power in favour of more efficient 5G

    Never mind the performance, man, think of the planet

    MBB Forum 2021 The "G" in 5G stands for Green, if the hours of keynotes at the Mobile Broadband Forum in Dubai are to be believed.

    Run by Huawei, the forum was a mixture of in-person event and talking heads over occasionally grainy video and kicked off with an admission by Ken Hu, rotating chairman of the Shenzhen-based electronics giant, that the adoption of 5G – with its promise of faster speeds, higher bandwidth and lower latency – was still quite low for some applications.

    Despite the dream five years ago, that the tech would link up everything, "we have not connected all things," Hu said.

    Continue reading

Biting the hand that feeds IT © 1998–2021