May 29 2008

As if you needed more reasons to use NoScript: Flash

Published by at 6:50 am under Malware

I’ve made no secret of the fact that I’m a big fan of Firefox and the NoScript plugin. I don’t want anything running in my browser that I don’t explicitly approve of. And now with the big rise in sites compromised with the latest Flash exploits, there are more reasons than ever to use NoScript. I don’t use Flashblock myself, but it also comes highly recommended for dealing with this issue.

The interesting thing to me is that this attack is a combination of SQL injection against the servers and a payload containing the Flash exploit. If the compromised sites had made the effort to use good coding practices and checked for SQL injections, this wouldn’t be a big deal. Another alternative would have been a web application firewall. This is 2008, not 1998; SQL injection is low-hanging fruit on the security tree, and most of the sites compromised should have something in place to stop SQL injections. But they don’t, so we have a nice outbreak of Flash exploits.

Security Focus stated that there were approximately 20,000 compromised web pages as of Tuesday. That sounds like a lot until you figure out the math and realize that this may mean 2000 or fewer machines compromised, depending on the average number of pages per system. I guess 2000 doesn’t get the clicks nearly as well as 20,000 does.


2 Responses to “As if you needed more reasons to use NoScript: Flash”

  1. Mad Irish on 29 May 2008 at 8:01 am

    The only problem with using the excellent NoScript plugin is that it allows users to selectively accept Flash. In the vector you mention malware authors are using SQL injection exploits to host their malicious Flash on reputable sites. Depending on how the attackers craft their injection this could mean that the actual SWF is hosted on a reputable site that a user might not have any problem accepting a Flash movie from.

    I think part of the problem with Flash vulnerabilities is the monoculture around SWF files. The complete lack of alternatives combined with the ubiquity of Flash makes for a dangerous breeding ground of potential malware.

    Add to the mess the horrendous response time of Adobe (the last PDF exploit took them almost a month to patch) and you’ve got a computer security perfect storm.

    For now, I’m just recommending that users uninstall Flash. It’s the nuke-from-orbit solution, but it is the only way to be sure :)

  2. Martin on 29 May 2008 at 9:31 am

    You’d go for the ‘nuke from orbit’ solution rather than using Flashblock? I realize this is the only real ‘safe’ solution, but you might have a revolt on your hands from the end users. There are so many sites out there that rely on Flash now that it’s nearly impossible to surf without Flash in some form or another.

    I also have some problems with the idea that the monoculture of Flash is going to create a huge mess for browsers. The same concern was raised a couple of years ago concerning the OS monoculture, but so far there haven’t been any world-shattering compromises. This is an important vulnerability, but I don’t think it has the potential to bring the house down.
