February 07, 2008
Banner redirects
Google News has a link to a scary headline, "Flash Ads Serving Up Malware on Popular Sites". This article references a blogpost at the Microsoft MVP site titled "INTERNET EXPLORER IS NOT TO BLAME FOR THE FLASH ADVERTISEMENT PROBLEM !!" This blogpost in turn references another blogpost... I think the core issue is that some ad network served SWF ads which redirected the page to a scammer domain. The writer thinks the solution is in Internet Explorer's "trusted domains" scheme, but I think that conclusion is off base... the "trusted domains" hack was to cover the architectural error of invoking system-level ActiveX Controls from the webpages of strangers, and in this case you're actually dealing with *multiple* domains (the visited page, the ad network, the destination scammer site)... I don't think the raw consumer public should have to dope out all those redirections. I believe the core problem is actually larger: the execution of instructions from strangers -- the mashup culture -- this is the real issue here. The site owner accepted content from an ad network which did not fully vet its content providers. A SWF can redirect without a click, as can an IFRAME, an analytics script, or any other bit of third-party JavaScript. We need to trust the content we're integrating into our own webpages. This decision is properly decentralized to site owners, who choose ad networks which exercise appropriate discretion over the advertisers they accept. I apologize in advance if I misunderstood the core issue -- the original text is lengthy, white-on-black, and with long linebreaks which don't display well on my monitor -- but headlines like "Flash Serving Malware!" concern me, and we need to get to the real root of the issue.
Update: [Mon Feb 11 8pm PST] It's funny, I've got some internal email which confirms that Adobe Flash Player is not actually involved in passing any request to the browser here, and that it's actually a JavaScript error at cause. But I can't directly quote it, because the company whose JavaScript contains the exploit and whose researchers did this part of the investigation on the issue are the ones who need to break the news... I can't do it third-hand on a "sources say" basis. The perverse thing is that Flash seems to be taking it on the chin here, leading to damaging perception issues, when it's actually not directly involved in the problem. I know the news exists, but cannot quote the news, much less succinctly prove it. Frustrating.... ~:/
Posted by JohnDowdell at February 7, 2008 10:01 AM
Comments
From blogspot:
Does Adobe Flash allow you to set Restricted, Internet and Trusted Zone behaviour? NO!!
Does Adobe Flash throw up a prompt to warn that "an advertisement wants to open a web page - allow/deny"? NO!!
Does Adobe Flash give the end user the ability to turn off redirects? NO!!
Funny, I always got the infobar from IE & FF alerting me about a redirect or a popup...
For Opera, okay, you can exploit security problems easily.
I agree with you John, the decision is in the hands of the site owner to propose 'clean' content, not the web users who must over-protect themselves.
Posted by: Ahmet at February 8, 2008 06:56 AM
>but headlines like "Flash Serving Malware!" concern me, and we need to get to the real root of the issue.
I don't know about you but it seems to me that the headline is accurate based on your summary of the situation. Especially when the only mitigation you propose is that Web site owners should vet every single ad coming from an ad service provider that is shown on their site. Yeah...right.
[jd sez: Howdy Dare! (For those who don't know, Dare works at a company which strives to serve ads. ;-) Did you note how *any* piece of third-party JavaScript can also change the page? The issue is less SWF than third-party interactivity.]
Posted by: Dare Obasanjo at February 8, 2008 06:40 PM
Hi JD,
[jd sez: This is a long comment, switching from topic to topic, so I'll inline short replies in bold.]
I am not advocating a security zones implementation such as that used by IE as the best, or only, option. It is an idea for how to address the problem of malicious banner advertisements, as much as there being a redirect prompt is an idea, and giving the end user the ability to disable redirects completely is an idea.
I will say this though, I can't stress strongly enough how much I disagree with your contention that responsibility lies with the web site owners who accept advertising and the advertising networks that host the creatives. [We need to understand the instructions we execute.] If that were the stance taken by those responsible for XPSP2 and IE7, then we would still be in the bad old days of out-of-control drive-by downloads because we would not have the changes in functionality that place a basic layer of protection between the bad behaviour and the victim. The infobar would not exist and IE's Protected Mode would not exist, nor would many other security-based improvements designed to help users avoid malicious web content implemented by so many internet-facing programmes. [Most of the past ten years' protections have been fixes for original architectural errors, such as ActiveX. The goal of accepting bad instructions remains beyond this horizon.]
I would ask you to conduct some research into what is happening out in the real world, especially the lengths that the criminals are going to to hide their malicious code from hosting web sites, from hosting advertising networks, from antivirus and antispyware companies and from security researchers, and then reconsider your stance from that perspective. [The assumption that I do not consider such issues, and then the further assumption that such consideration would immediately make me think that people *don't* need to evaluate the instructions they execute, makes it difficult for me to usefully reply.]
The malicious Flash advertisements look completely innocent to all but the most highly trained eyes - the myriad screenshots on my blog demonstrate that very well. To be able to detect malicious content we not only need to understand Flash (how to decompress, decompile, analyse and whatnot) we also need to know how to decrypt encrypted code, and then we have to be able to grok what the code is actually doing. [I'm not sure of a concise and functional description of what the problem is... best guess is still a getURL in a SWF. I don't care about the appearance of an ad.]
And we need to have a historical knowledge of who has been implicated in supplying the malicious content in the first place so that we can look extra closely at content from such people. [?] You are setting a mindblogging [!] task for advertising networks and web sites by asking them to closely examine each and every advertising creative out there on the Web. [Inspection is one route; qualification of advertisers is another. We can't ignore the chain of responsibility on the supply end.] Here's a question for you - how many individual advertising creatives do you think there are in the world? [Lots? ;-) ] Now extrapolate that into manpower requirements, cost requirements, infrastructure requirements - all because Adobe doesn't give the end user an Off button. ["off for what" is unstated.]
I suppose that web sites that want to use advertising and advertising networks could set up the complicated infrastructure required to bypass the IP, City, State and Country exclusions that control who will experience the malicious behaviour to reduce the need to closely examine each creative, but that in and of itself has its own problems. [Sorry, I'm not sure of the meaning here, or its relation to the whole.]
Don't get me wrong, some of what I say is needed is happening **but** it is expensive and is certainly not foolproof. I do not know of a single service that is able to guarantee that all of its content is clean, all of the time. [Agreed. "Don't eat candy from strangers" is a general rule, with plenty of exceptions.]
Adobe Flash is Ground Zero [Digression: "Ground Zero" was the codename for Adobe LiveMotion.], and it is up to Adobe to give us the ability to give the end user the ability to block the initial redirect completely or stop the redirect from occurring without user permission. [Are you asking for a control panel to block all URL requests? If so, this implies additional clarifications (notifications, whitelists, exceptions, more). I'm not sure what you'd like me to lobby my partners for yet.] It is up to Adobe to empower the end user and start working out how they can stop Flash being used as a conduit to infection. [I tend to agree with this. But I'm still not sure how well the desired remedy relates to the described problem.] If Adobe doesn't do this, then I predict that it is going to become standard advice given by those on the front line who work with the victim users to uninstall Flash, and advise web sites to refuse to accept Flash creatives, and Flash blockers will become commonplace. [I use Flashblock on my Firefox browsers, because I cannot trust site owners to always have the most conservative judgment. User control is a good thing.]
Oh, and in the ultimate of irony, it has been reported that banner advertisements have been used to redirect victims to malicious sites that then use the Adobe Reader exploit just patched to install malware on victims' machines. [I'd like to wait to get a formal report from Adobe Security on what the issue actually is... some say it's JavaScript hidden in a SWF-invoking script, and the Reader issue is a plugin passing an URL to a browser, rather than mal-execution of its own. Let's get the full story.]
cite: http://blog.washingtonpost.com/securityfix/2008/02/hackers_exploiting_adobe_reade.html
[jd sez: I may be objecting to much of the above, Sandi, but I respect and appreciate the work you do... we need to anticipate abuse and choke it off technically, and social exploitation of technical systems will continually adapt and seek new mechanisms. We need to keep working, and thanks for drawing attention to the field.]
Posted by: Sandi at February 10, 2008 05:13 AM
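As an added illustration (not code from this post, from Adobe, or from Sandi's blog), here is a small Python scanner of the kind an ad network or site owner could run over a creative before accepting it: it inflates a CWS file, walks the tag list, and reports every URL that frame-level ActionScript 2 bytecode hands to the browser via ActionGetURL, or via ActionPush followed by ActionGetURL2, which is the no-click redirect the post and the comment above describe. The sample SWF it builds is constructed for the demonstration; AS3 (DoABC), DoInitAction and LZMA-compressed files are out of scope, and a reported URL is a fact to review, not proof of malice.

```python
import struct, zlib

TAG_DO_ACTION, ACTION_GET_URL, ACTION_PUSH, ACTION_GET_URL2 = 12, 0x83, 0x96, 0x9A
PUSH_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}  # ActionPush operand sizes; type 0 = string

def swf_body(data):  # body after the 8-byte header; CWS is zlib-inflated (LZMA 'ZWS' is not handled)
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    return zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]

def iter_tags(body):  # yield (code, payload) per tag, skipping the header RECT, frame rate and count
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4  # the RECT's field width sits in its top 5 bits
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:  # long form: an explicit 32-bit length follows
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length

def push_strings(data):  # string operands of one ActionPush; other operand types are skipped by size
    out, i = [], 0
    while i < len(data):
        if data[i] == 0:
            end = data.index(b"\0", i + 1)
            out.append(data[i + 1:end].decode("latin-1"))
            i = end + 1
        else:
            i += 1 + PUSH_SIZES.get(data[i], 0)
    return out

def navigation_targets(swf):  # (action, url) pairs the frame script can hand to the browser, no click needed
    found = []
    for code, payload in iter_tags(swf_body(swf)):
        pos, pushed = 0, []
        while code == TAG_DO_ACTION and pos < len(payload) and payload[pos] != 0:  # 0x00 = ActionEnd
            action, pos = payload[pos], pos + 1
            if action < 0x80:  # single-byte action without operands
                continue
            length = struct.unpack_from("<H", payload, pos)[0]
            data, pos = payload[pos + 2:pos + 2 + length], pos + 2 + length
            if action == ACTION_GET_URL:  # operands inline: URL\0 target\0
                found.append(("GetURL", data.split(b"\0")[0].decode("latin-1")))
            elif action == ACTION_PUSH:
                pushed = push_strings(data)
            elif action == ACTION_GET_URL2:  # operands arrived on the stack via ActionPush
                found.extend(("GetURL2", s) for s in pushed if "://" in s)
    return found

def make_redirect_swf(url, compressed=False):  # constructed sample: getURL(url, "") on frame 1
    actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(url) + 2) + url.encode() + b"\0\0\0"
    tag = struct.pack("<HI", (TAG_DO_ACTION << 6) | 0x3F, len(actions)) + actions
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + b"\x00\x00"  # empty RECT, 12 fps, 1 frame, End
    header = struct.pack("<I", 8 + len(body))
    return (b"CWS\x06" + header + zlib.compress(body)) if compressed else (b"FWS\x06" + header + body)
```

Run `navigation_targets(open("creative.swf", "rb").read())` on a real creative; an empty list only means no AS2 frame-script redirect was found, not that the file is clean.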
[jd sez: I think the following summarizes to "I want a Player control to stop sending all URL requests to the browser." The implications unaddressed include notifications (what to do when a blocked request is made), whitelists/blacklists ("always allow this site" eg), the prefs UI (Player options already baffle some), and -- critically! -- what to do when third-party JavaScript makes the very same type of requests.]
Hi JD,
re "[I'm not sure of a concise and functional description of what the problem is... best guess is still a getURL in a SWF. I don't care about the appearance of an ad.]"
The email address I have used for my comments is real. You're welcome to contact me and I'll share further information with you. Bear in mind that nefarious types read my blog as well - discretion is often the better part of valour.
re: "[Inspection is one route; qualification of advertisers is another. We can't ignore the chain of responsibility on the supply end.]"
A simple statement, but in the real world extremely complicated. Perhaps I should grab some information for you that explains better than I can just how intricate the background workings of "advertising networks" and the sale and distribution of advertising content actually is. The fact that the industry and how everything works is so very complicated is a primary reason why we need to address the core of the problem instead of playing a never-ending game of whack-a-mole.
re "["off for what" is unstated.]".
The "off button" is a wished for ability to block the initial redirect completely or stop the redirect from occurring without user permission, from within Flash itself.
re: "I suppose that web sites that want to use advertising and advertising networks could set up the complicated infrastructure required to bypass the IP, City, State and Country exclusions that control who will experience the malicious behaviour to reduce the need to closely examine each creative, but that in and of itself has its own problems. [Sorry, I'm not sure of the meaning here, or its relation to the whole.]"
This behaviour (IP, City, State and Country exclusions that control who will experience the malicious behaviour) is a core reason why placing responsibility on web site owners and advertising networks and their affiliates to vet all advertisements that they receive will not work without a substantial (and expensive) investment in highly qualified staff and testing infrastructure. I think it will be best if I write another blog post discussing this further.
re: [Are you asking for a control panel to block all URL requests? If so, this implies additional clarifications (notifications, whitelists, exceptions, more). I'm not sure what you'd like me to lobby my partners for yet.]
Yes, it will require whitelisting/exceptions etc.
Again, I am happy to take this to email if you wish. I'll also blog again and write a more in depth consideration of what could/should be done and the various challenges that we face if we try to implement various options.
re: [I use Flashblock on my Firefox browsers, because I cannot trust site owners to always have the most conservative judgment. User control is a good thing.]
Is Flashblock selective? For example, genesreunited is one site that is currently struggling with malicious advertisements. GR apparently uses Flash for various things such as giving its users the ability to generate family trees. I suspect that GR members cannot use Flashblock because it will break the family tree functionality.
An alternative protection for GR users, of course, is to block advertisements completely by using host files and adblockers, but then we face the dilemma that "every worker deserves to be paid for his labours". I am not a supporter of wholesale blocking of advertisements (and yes, I will have to discuss this facet in more detail on my blog as well).
Ok, this comment is long enough. I hope I have given you some further insight into why Adobe needs to act.
In the end, Adobe Flash is at the centre of this maelstrom. Although there are other ways that we can (and do) fight the problem of malicious banner advertisements, reality is that it is Adobe Flash that is the primary conduit for the malicious activity, and Adobe can do more than anybody to help us address the problems.
Remember, the redirects that are being experienced are immediate and involuntary for the end user. We need a way to add a layer of protection to Flash - some way for the end user to say "I do not want my web browser to be redirected by Flash content".
Posted by: Sandi at February 10, 2008 03:23 PM
Banner networks often treat Flash files like any other picture (which is stupid, but these people are no technicians, they don't know better). This opens possibilities for attacks (the attacks discussed at Sandi's blog are still somewhat harmless since they are redirectors - there is a much bigger damage potential).
Flash lets malicious users obfuscate ActionScript data in various ways. In the case of these banner ads the AS code points to undocumented tags inside the file which seem to be meant for other kinds of data (as far as I understood SWF by now). This shouldn't be possible and is probably some sort of bug in my point of view. (But it's also true that there are dozens of other ways for obfuscation).
I agree with Sandi that the user needs to get more control over the things Flash is able to do. Adobe already headed in the right direction (i.e. by disallowing socket connections per configuration), but it is not enough and needs more improvements.
Regarding external tools for protection: This sounds like a bad joke to me.
Posted by: fukami at February 11, 2008 03:20 AM
@JohnDowdell: I totally agree with Sandi that a warning box about automatic and unwanted browser hijacking from ActionScript code within Adobe Flash files would be a great idea! Just think back some years ago and remember the Office Macro viruses. This was a serious security problem for many years. But after Microsoft did that "Your document contains a Macro, do you want to run it?", the problem went away at once.
[jd sez: I can pass along that request, or you can submit it yourself, but you're still not describing the practicalities mentioned above, *PARTICULARLY* how any third-party JavaScript can redirect just as easily.]
Posted by: Me at February 12, 2008 03:36 PM
@JohnDowdell: Yes, an IFRAME or a JavaScript could also redirect just as easily as ActionScript. But Firefox for example allows me to restrict some JavaScript functions which are abused as an annoyance. Think about disabling the right mouse button for the context menu, resizing the browser window or overwriting the status bar text. I could change this JavaScript behaviour with my browser (as I could also disallow the storing of cookies and so on).
But I have very limited settings to control the ActionScript or Flash behaviour. Okay, I disallow web sites to store LSO or so-called flash cookies. But I also want to disallow these redirections or maybe, even more paranoid, to disable ActionScript code for Adobe Flash at all. I could do this in my Adobe Reader and disable "Acrobat JavaScript" with just one checkbox.
Just give the people more advanced security settings to fine-tune their Flash experience.
Posted by: Me at February 13, 2008 03:42 PM