Jump to content

New Firefox Plug-In Will Defeat Flash Attacks


Lite

Recommended Posts

  • Administrator

For years now, Adobe Flash files have been a very useful attack vector for hackers and a serious security problem for end users and IT departments. Now, a German researcher is planning to unveil a new browser plug-in designed to prevent many common types of Flash attacks.

The plug-in, called Blitzableiter, doesn't implement a signature-based defense against Flash attacks, but instead looks deeply at the code contained within the Flash files and looks to sanitize the code before it is executed on the user's machine. The tool essentially parses the entire SWF file that's encountered by the browser, drops the original file and loads the parsed code into a new, safe SWF file.

Blitzableiter is the brainchild of Felix Lindner, a security researcher at Recurity Labs, and the tool will be released at the upcoming Black Hat briefings in Las Vegas later this month. Blitzableiter will be released as a plug-in for Firefox.

The new approach to defending against Flash-based attacks is predicated upon the structure of Flash files themselves and the Flash player. The Flash player contains two virtual machines and Blitzableiter goes through and verifies that all of the data in a given file not only conforms to the SWF file specification, but also that the virtual machine code does exactly what it says it will do and nothing else.

Lindner, also known as FX, presented his approach to Flash security at a German security conference late last year. In the slides for the conference he states that the approach he took with Blitzableiter is designed to address fundamental weaknesses in the way that other defenses against Flash attacks work currently.

"Static analysis will provably not be able to determine what the code is actually doing," he said in the presentation.

Adobe has been under the microscope for security weaknesses for some time now, and is in the middle of a software security initiative and an effort to change the way it gets patches and other updates to users. Flash often is a target of Web-based exploits as it runs on hundreds of millions of PCs around the world. It also is a key component of most Web advertising content, which can be used in attacks that redirect users to multiple sites and serve malware and other Web-based exploits.

During testing of the tool, which will be open source, Lindner threw 20 pieces of live malware at Blitzableiter, which rejected all of them for various reasons, including file format violations and code violations. But he concedes that the new tool won't catch every kind of attack, including heap-spraying attacks and others.

Rob Westervelt at SearchSecurity.com spoke with Lindner about Blitzableiter. "There was a lot of work involved, but we're confident that it could help remove most attacks targeting Flash," Lindner told Westervelt. "It's one of the newest defenses that we've got."

view.gif View: Original Article

Link to comment
Share on other sites


  • Replies 7
  • Views 1.5k
  • Created
  • Last Reply
Ambrocious

Nice, but I hope NoScript implements a similar technique ^_^

There's more than one way to skin a cat...as the old saying goes. I'm sure that NoScript will adopt something much like it.

Link to comment
Share on other sites


  • Administrator

Nice, but I hope NoScript implements a similar technique ^_^

Doesn't make sense to me. This analyses and edits the entire .swf file (if needed). No script stops the loading of some parts of a website.

Link to comment
Share on other sites


NoScript & adBlock are awesome.

Pretty much :)

Link to comment
Share on other sites


You already can block them. It's called Flashblock. Though I use it mainly to stop youtube from auto playing/downloading videos.

Link to comment
Share on other sites


You already can block them. It's called Flashblock. Though I use it mainly to stop youtube from auto playing/downloading videos.

This is different, I believe it was made to scan deep and clean malicious flash, not just stop it for convenience purposes. ;)

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...