Thursday, January 05, 2006

Macromedia Responded

Sorry for the delay in updating. But Adrian from Macromedia's security response team very graciously responded to my E-mail.

I am glad that they are considering a solution.

Adrian wrote:
> Thanks for writing to us about this issue -- it's an interesting one.
>
> As far as I know, we haven't had any security issues related to the
> actual emission of sound through the speakers, so this will be a new
> area to consider. I think there is definitely an argument to be made
> that the sounds coming from different domains should not all be
> controlled by the same API, but it will take some investigation to see
> whether that is the best solution. With a low impact issue like this
> one of our priorities is to investigate any possibility of breaking
> existing content before making any changes.
>
> Thanks,
>
> Adrian

Wednesday, December 21, 2005

Macromedia Contacted

I contacted Macromedia today about the minor Cross Site Denial of Service in Flash Player today.

I hope that they at least respond to my musings about the vulnerability.

We were tracking down a problem at work when we first spotted this vulnerability. We have a template where a authorized distributor for the company can call in to leave a message on a personalized site. They had a long message (59 seconds). The template they chose also had another Flash animation with audio in it. Because the other animation was composed of several movies the developer decided to call stopAllSound() to end the sound loop. When the audio of the shorter animation stopped the long audio in the other movie stopped also.

I then decided to see if the problem persisted between websites and in different browser windows.

If this ActionScript function call can affect other movies in other browser windows from other websites, what other ActionScript function calls can affect other movies in other browser windows from other websites? Unfortunately I can't test this because I do not have a licensed copy of flash to do so.

I just hope that no financial institution has decided to go with an all Flash website for banking transactions.

Friday, December 16, 2005

Cross-Site Scripting DOS Vulnerability in Macromedia Flash

During the normal development of web pages I was listening to one of my new favorite places http://www.pandora.com . I loaded the main web page from Tahitian Noni International and therefore had two flash audio files going on at the same time. One was the music from Pandora, the other the drum loop from the TNI website introduction flash. When the drum loop on the TNI website finished (it only loops for 20 seconds or so), my Pandora music stream also stopped.

I thought this was odd. I talked to the developer the programmed the flash file for TNI and he said that he used the ActionScript function stopAllSound() at the end of his drum loop clip. This stopped all the sound not only in the flash in that page, but also in another page in another browser window loaded from a completely different site.

This constitutes a Cross-Site Scripting Denial Of Service vulnerability. So If you want to stop any annoying flash audio that automatically plays, just crate a flash movie that does nothing but call stopAllSound() wait for a second and loops then load it into another browser window.

This was tested with the Flash 8,0,22,0 plug-in on Windows XP (fully patched to the 13 Dec. 2005 patch) in Firefox 1.5 and Internet Explorer 6.0. It also occurred in the Flash 7,0,25,0 plug-in on Fedora Core 4 in Firefox 1.0.7.

It looks like this vulnerability has been around for a long time. I couldn't find anything in bugtraq about it. It is not as big of a vulnerability as remote code execution, script injection, or complete DOS.