"Security Expert" advises users to disable flash

Sigh.

A security expert has discovered an issue with flash and security and has announced that people should disable flash in their browsers (although he’s quite happy to embed flv in his own blog):

  • This “pseudo-crisis” is not actually about flash – it’s about how sites manage user-uploaded content
  • This security expert may as well say “Don’t use the interweb, for there be dragons”
  • It is theoretically possible to circumvent the flash origin policy by uploading a malicious flash app to a site
  • The solution isn’t to disable Flash, it is to promote good web-app design
  • If your site allows user generated content and file uploading you MUST design it with content-exploits in mind
  • Adobe has tons of resources focussed on security
  • As does PHP..


This “pseudo-crisis” is not actually about flash – it’s about how sites manage user-uploaded content
This “crisis” is not about a “Flash Exploit” at all – it’s about a user-uploaded-content exploit that people have been aware of for ages. To blame Adobe for this is absurd. The key to this is the way in which web apps that allow users to upload content manage and validate uploaded files.

This security expert may as well say “Don’t use the interweb, for there be dragons”
This “risk” is on a par with the risk you take every day when you use the internet – phishing attacks are getting smarter all the time, and yes, we need to be vigilant, but really – if you’re that worried about this particular issue, then cancel your broad-band, because the internet is not for you.

It is theoretically possible to upload a malicious flash app to a site
The basis of this exploit is that flash has a security model that uses the notion of “same origin” to ensure that a flash app can only access content from the domain it originated from (there is a way to permit non-domiciled flash apps to access content on your domain if you want to allow them to – google crossdomain.xml if you’re interested, but that requires you to actively allow it).

So at this point, we’re all good – the ONLY way a nasty flash developer can mess with my site’s data is to get her flash app onto my site. Now, how might she do that?

  • Break into site owner’s offices and copy ftp password from post-it note stuck on admin’s monitor
  • Use the site’s own “image upload” service to upload my nefarious swf

The key here is – it is not the flash that’s at fault here – it’s the fact that the site allows you to spoof it into allowing you to upload dodgy content. This is the classic “injection” exploit that we’ve been worrying about for a long long time.

The solution isn’t to disable Flash, it is to promote good web-app design
The solution is not to disable flash – the solution is to use your common sense whether you’re a web-user or web-app developer. As a user, bear in mind that the sandboxed nature of browser embedded flash severely limits what it can do on your local machine. In theory, a flash app could spoof you into providing sensitive information, and then send that data to another server – but the use cases are pretty limited.

Essentially – you need to use your common sense.

Now, as an app developer – you need to make a personal commitment to ensuring that users of your site aren’t exposed to this type of exploit.

If your site allows user generated content and file uploading you MUST design it with content-exploits in mind
If you have a file upload form on any part of your site, then you have a huge responsibility to ensure that you manage those uploads with extreme care. You should:

  • Validate all uploaded content before you store it – checking for filetype
  • When you serve uploaded content, ensure that you create the right mime-headers for that content – don’t make the browser guess

This is crucial because if one of your users falls prey to this exploit it is YOUR fault and NOT Adobe’s.
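
The two rules above, sketched as an added example (not code from this post or from any framework): uploads are typed by their leading bytes against an allowlist, stored under a server-chosen name, and served with explicit headers. The function names, the stored-name scheme and the sample byte strings are assumptions made for illustration.

```python
import secrets

# Allowlisted types, identified by leading "magic" bytes, never by the
# client-supplied filename or Content-Type.
ALLOWED = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}


def sniff_type(data: bytes):
    """Return the allowlisted MIME type the bytes match, or None."""
    for mime, magics in ALLOWED.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(client_name: str, data: bytes):
    """Validate before storing. Returns (stored_name, mime) or raises ValueError."""
    mime = sniff_type(data)
    if mime is None:
        # Covers a SWF (FWS/CWS/ZWS signature) renamed to .jpg, HTML, and so on.
        raise ValueError(f"rejected upload {client_name!r}: not an allowed image")
    # Server-chosen name: the client's name and extension are discarded.
    return secrets.token_hex(16) + EXTENSION[mime], mime


def serving_headers(mime: str):
    """Headers sent with stored content so the browser does not guess."""
    if mime not in ALLOWED:
        raise ValueError("unknown stored type")
    return {
        "Content-Type": mime,                 # the type recorded at upload time
        "X-Content-Type-Options": "nosniff",  # tell the browser not to sniff
        "Content-Disposition": "inline",
    }


# Constructed sample inputs (not real files).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SWF_AS_JPG = b"CWS\x0a" + b"\x00" * 16  # SWF signature behind a .jpg name
```

A magic-byte check only looks at the start of the file, so treat it as a first filter rather than proof that the rest of the content is benign.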

Adobe has tons of resources focussed on security
There is no excuse – Adobe provides a raft of information about security. You can start with Adobe’s Security Resources for flash.

As does PHP
Just go to this google search.

