Close X
Log In
If you are not a member,
register now
Email
Password
Forgot Your Password?
New User? Register now
to gain member-only access to all of IT World Canada's premium content & community portals.
Log in for Full Access |
Log In
|
Subscribe Now!
Follow
IT World Canada
Knowledge Centres
Community
Publications
Events
Services
Media
Communications Infrastructure
•
Carriers and Cellular
•
Networking
•
Voice, Data, and IP
Security
•
Alerts, Patches and Fixes
•
Disaster Recovery
•
Hacking and Viruses
Enterprise Business Applications
•
Business Intelligence
•
Enterprise Resource Planning
•
Open Source and Linux
Enterprise Infrastructure
•
Data Centre
•
Servers and Mainframes
•
Virtualization
Government
•
Case Studies and Best Practices
•
Collaboration
•
Policy
Leadership
•
Budgeting / IT Alignment
•
Industry News
•
Issues for CIOs
Information Architecture
•
Data Warehousing
•
Databases
•
Messaging and Collaboration
Integrating IT
•
Development Environments
•
Middleware - Utilities
•
Project Management
Green IT
•
E-Waste and Recycling
•
Green thinking
IT Workplace
•
Careers and the Job Market
•
Consulting and Contracting
•
Human Resources Issues
•
Women in IT
Departmental and End User Computing
•
Future Technology
•
Help Desk and End-User Support
•
Mobile Applications
Featured Blogs
•
All things Android
•
Enterprise Insights
•
Network World
•
Industry Watch
•
CDN Varbose
Computing Canada Blogs
•
World Wide Webb
•
Blogosphere
•
Techbuzz
Wikis
•
IT job Descriptions
Most Recent
All IT World Blogs
Click Here to Subscribe Now!
Job and Career Resources
•
Canadian IT Jobs
•
IT Sales Jobs
•
Salary Calculator
Knowledge Services
•
CDN ProFIT - Turnkey Marketing solutions
•
Visability
Subscribe Now- Register
Content
•
Slide Shows
•
Videos
•
White Papers
•
Webinars
Social
Facebook:
facebook.com/ITWorldCa
Twitter:
@itworldca
Linkedin:
IT World Canada Live
YouTube:
ITWorldCanada
More
brands and Accounts
Digital Media
•
Media Guide
•
Digital Publications Media Guide
•
Latest Digital Editions
Hot Topics:
smart phones
•
PIPEDA
•
Shaw Communications
•
HP
•
mobile technology
•
privacy
•
Edmonton
•
Canadian government
•
innovation
•
Search
SHARE
Home
>>
Security
Security researcher finds way around Flash sandbox
By:
Jeremy Kirk
On:
06 Jan 2011
For:
IDG News Service (London Bureau)
Tweet
Adobe has tightened up Flash but a researcher has found a way to send data to a remote server
A
security
researcher has found a gap in the way Adobe Systems has fortified its Flash Player for better security, which could result in data being stolen and sent to a remote server.
Billy Rios, a researcher who is a security engineer for Microsoft, published on his
personal blog
a way to get around Flash Player's local-within-filesystem sandbox.
The sandbox allows a Shockwave Flash (SWF) file to read local files but not send data over the network. It also prevents SWF files from making JavaScript calls or HTTP or HTTPS requests, Rios wrote.
A local file is described as one that can be referenced using "file: protocol" or a Universal Naming Convention path, Rios wrote.
But Rios found that the sandbox restrictions are actually not quite so strict. He found he could bypass the sandbox but reformatting the request, such as "
file://request
to a remote server." Adobe, however, limits those requests to local IP (Internet protocol) addresses and hostnames, Rios wrote.
Adobe also blacklists some protocol handlers but not all, a method that Rios considers dangerous.
"If we can find a
protocol handler
that hasn't been blacklisted by Adobe and allows for network communication, we win," Rios wrote.
Flash does not blacklist the "mhtml" protocol handler, which is part of Microsoft's Outlook Express application and installed on Windows systems. So a SWF file could export data by using a command, which Rios detailed in his blog.
Rios said the method is particularly effective since if the request fails, the data will still be transmitted to the attacker's server without the victim knowing.
Rios wrote that there are two lessons to be learned: First, running
untrusted SWF code
is dangerous and that protocol handler blacklists "are bad."
An Adobe spokeswoman said the company has reviewed Rios' blog post and logged a bug, classifying it as a "moderate" risk according to its Adobe Severity Rating System.
"An attacker would first need to gain access to the user's system to place a malicious SWF file in a directory on the local machine before being able to trick the user into launching an application that can run the SWF file natively," she wrote in an e-mail. "In the majority of use scenarios, the malicious SWF file could not simply be launched by double-clicking on it; the user would have to manually open the file from within the application itself."
Adobe and Google worked together on the security improvements in Flash. Last month, the
two companies released to developers
the first version of Flash that uses a sandbox. It works on Google's Chrome browser on the Windows XP, Vista and 7 operating systems.
The release is a continuation of a broad program by Adobe to improve the security of its products, which includes the introduction of a regular patching cycle timed with Microsoft's Patch Tuesday releases.
Adobe also uses a sandbox in its Reader X product, which was released in November. Reader's sandbox seals the application off from attacks designed to tamper with, for example, a computer's file system or registry. The sandbox interacts with the file system, but those communications go through a broker, which limits particular actions.
Sign up for our
Newsletters
Tags:
Adobe
Tweet
Close X
Your Name:
Your E-mail:
Friend's Name:
Friend's E-mail:
Close X
|
Views:
2316 |
Rating:
(0 votes)
Rate this article on a scale of
1 to 5 stars,5 being the best.
Close X
Page
1
Quick Access
Video Conferencing
Cloud Computing Resource Centre
CIO Canada's Brainstorm Centre
CIO Canada Debate
IdeaCity Conference June 18-20 - Toronto
Jeremy Kirk
is a contributor to the International Data Group (IDG) News Service, which publishes global technology stories from bureaus around the world to more than 300 publications in more than 60 countries.
Recent Canadian IT Jobs
more:
IT Jobs
,
Post A Job
Please enable JavaScript to view the
comments powered by Disqus.
blog comments powered by
Disqus
Related Videos
Building an Enterprise IT Security Training Program
Building an Enterprise IT Security Training Program
-
Over 50% of security breaches are a result of end-user error, oversight, and ignorance. IT security training is an effective method of reducing end-user related security breaches.
Cloud Computing: Extending the Network (3 of 3)
Cloud Computing: Extending the Network (3 of 3)
-
The end goals of private cloud computing are to; Enable efficient delivery of IT resources and services; Give the enterprise complete control over data; Enable choice in technologies and service providers
Cloud Computing: Getting to One Network (1 of 3)
Cloud Computing: Getting to One Network (1 of 3)
-
In this first video of the series, the team will take you through how to consolidate the different types of traffic onto a single, general-purpose, high-performance, highly available network that greatly simplifies the network infrastructure and redu
Cloud Computing: The Unified Compute Model (2 of 3)
Cloud Computing: The Unified Compute Model (2 of 3)
-
In this second video, the team will look at how to unite computing, networking, storage access, and virtualization into a single cohesive system. The Unified Compute model prepares you for cloud computing. This will be discussed in the next and fin
Professors warn of arms race in cyberspace
Professors warn of arms race in cyberspace
-
At a panel discussion organized by Osgoode Hall, professors Ronald Deibert and Stephane Leman-Langlois discussed the attacks on Google Inc. and the challenges of working in countries such as China.
more from the:
Video Library
Computing Canada Poll
What topic would you like to see covered in the next issue?
Read the Computing Canada articles you made happen.
•
Democratizing Business Continuity
•
Agility and efficiency through virtual switching
* Sponsored by Microsoft
Most Popular
Articles
Most Viewed
Most Emailed
Top Rated
Most Viewed
Most Emailed
Top Rated
BlackBerry is on a roll
By: Howard Solomon (14 May 2013)
ORLANDO – Research In Motion officially opens its annual BlackBerry conference here today on a roll with the launch of a new keyboard-equipped s ...
Dell board wants more details on Icahn bid
By: Nestor E. Arellano (13 May 2013)
Dell Inc.’s board of directors wants more information on investor Car Icahn and Southeastern Asset Management’s $21 billion cash offer for ...
Adobe’s subscription-only plan meets backlash
By: Nestor E. Arellano (10 May 2013)
Thousands of users of Adobe Systems Inc.’s software are taking to the Internet their displeasure over the company’s decision to adopt a su ...
Canadian health care lags in mobile adoption: IDC
By: Nestor E. Arellano (09 May 2013)
The prevalence of mobile technology is being felt in most in many industries but its adoption is lagging in health care where its implementation are l ...
Fairmont Raffles uses analytics to boost profits
By: Jeff Jedras (10 May 2013)
SAN FRANCISCO – As Fairmont Raffles’ executive director of customer relationship marketing, Andrea Johnson is helping to lead the charge a ...
Edmonton agrees to expand Shaw Wi-Fi network
By: Howard Solomon (5/23/2013 3:43:00 PM)
Edmonton’s city council has agreed to allow Shaw Communication’s Wi-Fi network to expand to public areas across the city. The planned ex ...
Why Washington's lead on open data is worth following
By: Howard Solomon (5/23/2013 3:14:00 PM)
The open data movement is gaining acceleration in a number of governments around the world, including Washington where President Barack Obama earlier ...
Debtholders okay Telus offer to buy Mobilicity
By: Howard Solomon (5/23/2013 12:54:00 PM)
Debtholders of financially troubled wireless carrier Mobilicity have approved the proposed sale to Telus Corp., putting more pressure on the federal g ...
HP profit down again, but results beat estimates
By: Dave Webb (5/23/2013 10:25:00 AM)
Hewlett-Packard CEO Meg Whitman told financial analysts on a conference call that "you can feel the turnaround taking hold" at the struggling tec ...
Time to beef up federal privacy law, says Stoddart
By: Howard Solomon (5/23/2013 10:36:00 AM)
Canada’s federal privacy law is only 12 years old but it needs to be overhauled, says the country’s privacy commissioner. “As organ ...
Think internationally, Kobo CEO says
By: Dave Webb (16 May 2013)
It's important for Canadian digital media companies to think big -- think internationally -- right out of the box, Michael Serbinis, co-founder of Can ...
BlackBerry is on a roll
By: Howard Solomon (14 May 2013)
ORLANDO – Research In Motion officially opens its annual BlackBerry conference here today on a roll with the launch of a new keyboard-equipped s ...
No fee for Windows Blue update: Analysts
By: Nestor E. Arellano (13 May 2013)
Microsoft Corp. will likely not charge Windows 8 users for the operating system's upgrade codenamed “Blue,” according to technology indust ...
Pirate Bay co-founder to run for EU parliament
By: Nestor E. Arellano (15 May 2013)
Peter Sunde, co-founder of the file sharing site Pirate Bay, says he plans to run for the European Parliament in 2014 under the banner of the Finnish ...
Ottawa nurses cut out middle man with UC system
By: Nestor E. Arellano (09 May 2013)
The University of Ottawa Heart Institute (UOHI) has been able to significantly shorten the time it takes for its nurses to receive call backs from doc ...
Related White Papers
Getting a better grip on mobile devices
-
IBM Software provides solutions and strategies for managing both employee-owned and enterprise-owned equipment.
2012 Bit9 Cyber Security Research Report
-
The 2012 Bit9 Cyber Security Research Report presents the perspectives of more than 1,800 IT professionals on the world of advanced cyber threats.
Realistic Security, Realistically Deployed: Today's Application Control and Whitelisting
-
With today's sophisticated and constant barrage of cyber-threats defenses focused on a blacklist "permit-all-except" philosophy are doomed to fail. Modern security requires an application control and whitelisting approach.
Advanced Threat Landscape: What Organizations Need to Know
-
Combating today's cyber-threats requires an approach based on trust, not the blacklisting security strategies of the past.
IFCG Addresses Privacy and Data Security in a Regulated Industry Through a Managed Security Services Provider
-
IFCG turned to No Panic Computing (NPC) to provide security-hardened laptops, monitored and managed 24/7, boasting biometric access, encrypted hard drives, sophisticated anti-virus monitoring and an OS optimized for performance and data protection.
more:
White Papers
Close X