Cross Site Scripting vulnerabilities in SWF applications generated by various Shockwave Flash Authoring tools
IN08-001
Date: 04 January 2008
Purpose
The purpose of this Information Note is to draw attention to cross site scripting (XSS) vulnerabilities created by various Shockwave Flash (SWF) authoring tools. SWF files created by affected applications and currently hosted by various organizations remain vulnerable until removed or corrective action is taken.
Assessment
Background
On December 19, 2007, CCIRC released AV07-109 highlighting an Adobe patch release that addressed multiple vulnerabilities in Adobe Flash Player. One of the vulnerabilities addressed was a cross site scripting issue, and since our original reporting, additional information on the nature of this threat has been made public.
New reporting on these vulnerabilities indicates that a large number of websites, in both the private and public sectors, may host vulnerable .SWF files. Affected vendors of authoring tools were advised, and updated software has been developed for the affected applications.

Analysis
A security researcher has discovered that cross site scripting vulnerabilities are inserted into the .SWF files created by several Flash authoring tools. The authoring tools generate ActionScript code, an Adobe-owned scripting language primarily used to control basic animations. ActionScript is now also used in many Flash-based internet applications associated with streaming media.
The following authoring tools are known to be affected:
- Adobe Dreamweaver
- Adobe Acrobat Connect
- InfoSoft FusionCharts
- Techsmith Camtasia
This list is not comprehensive and organizations should be aware that any application or tool that has the ability to generate, export or host Flash files may be affected by this vulnerability.

Detection
CCIRC recommends that website administrators search their websites for the presence of SWF files and have the author(s) assess whether they were generated by an affected authoring tool. If content was developed outside of the organization, administrators responsible for website development are urged to contact their provider to determine whether they may be affected. If readers are unsure whether Flash is present on their website, the following detection methods may be used:
- Host based searches:
Organizations should conduct Windows- and Unix-based searches of their web servers (if present) for files ending in .SWF.
- Internet based searches
Organizations may use common web search tools such as Google to locate .SWF files and affected versions. The following list outlines possible search criteria:
- Searching for "site:ps-gc.ca" and "filetype:swf" returns SWF files and related information hosted on the Public Safety domain. Organizations should modify the search criteria to match their own domain (e.g. "site:gov.on.ca" and "filetype:swf" discovers Flash files in the Ontario government domain).
- Organizations can refine searches by including .SWF file attributes common to known affected versions.
- Other specific file characteristics to include in search patterns should be available by contacting the associated vendor.
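The host-based search above relies on the .SWF extension; a file served under another name would be missed. The following inventory script, added here as an illustration and not part of the CCIRC note, identifies Flash files by their SWF header (the "FWS" or "CWS" signature, version byte and declared length) regardless of extension, and builds a small constructed web root of sample files to run against.

```python
import os
import struct
import tempfile
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class SwfRecord:
    path: str
    signature: str        # "FWS" = uncompressed, "CWS" = zlib-compressed body
    version: int          # SWF format version byte
    declared_length: int  # uncompressed length stated in the header
    size_on_disk: int

def parse_swf_header(head: bytes) -> Optional[Tuple[str, int, int]]:
    """SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length."""
    if len(head) < 8 or head[:3] not in (b"FWS", b"CWS"):
        return None
    return head[:3].decode("ascii"), head[3], struct.unpack("<I", head[4:8])[0]

def inventory_swf(webroot: str) -> List[SwfRecord]:
    """Walk webroot and report every file with an SWF header, whatever its extension."""
    found = []
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    parsed = parse_swf_header(fh.read(8))
            except OSError:
                continue
            if parsed:
                sig, ver, length = parsed
                found.append(SwfRecord(path, sig, ver, length, os.path.getsize(path)))
    return sorted(found, key=lambda r: r.path)

def build_sample_webroot() -> str:
    """Constructed sample data: an uncompressed SWF, a compressed SWF under a non-.swf name, and an HTML page misnamed .swf."""
    root = tempfile.mkdtemp(prefix="webroot_")
    body = b"\x00" * 24                      # placeholder SWF body, not real tags
    with open(os.path.join(root, "intro.swf"), "wb") as fh:
        fh.write(b"FWS" + bytes([8]) + struct.pack("<I", 8 + len(body)) + body)
    with open(os.path.join(root, "banner.dat"), "wb") as fh:
        fh.write(b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body))
    with open(os.path.join(root, "decoy.swf"), "wb") as fh:
        fh.write(b"<html><body>not flash</body></html>")
    return root
```

Running inventory_swf on a real document root lists each SWF found so that its author or vendor can be asked whether it came from an affected tool; the misnamed HTML decoy is correctly excluded, while the renamed banner.dat is still reported.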

Impacts
Websites that contain vulnerable SWF applications are susceptible to cross site scripting and may be used as an accessory to attack unsuspecting online users. Additional malicious activity can take the form of user account manipulation and compromise, browser exploitation, and session hijacking.

Suggested action
If vulnerable versions of the web authoring tools were used to generate Flash content, administrators are advised to:
- Immediately remove all affected .SWF versions
- Rebuild and redeploy affected .SWF versions as required
- Consult with your vendor for specific mitigation information related to their product
CCIRC is aware of the following list of affected vendors:
Note on the SWFIntruder tool: CCIRC is aware of an open source tool called SWFIntruder that is designed specifically to assess the security of Flash applications. Additional information on the use of this tool is available here.
Other vendors may also be affected by this vulnerability. CCIRC therefore recommends that organizations raise awareness amongst Flash developers regarding best programming practices in relation to XSS protection procedures.

Additional Information

Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca