Rich Cannings recently documented Flash-based XSS, clarifying with some examples the quite fuzzy coverage this issue received so far.
Its "The Fix / Users" section says:

Update to the latest version of Flash Player plugin. This will protect users from attacks using the "asfunction" protocol handler

Unfortunately, the majority of the examples listed right there do not use the "asfunction" protocol handler at all!

More realistically, Jeremiah Grossman writes:

- Users update their Flash player – Based on the nature of the issue, I’m not certain of how much benefit to this there is, but might as well patch anyway if there is one available.

- Disable or block Flash content – I think most people reading this probably already do some form of Flash blocking, but for everyone else, there are simply not going to.

Now, the "some form of Flash blocking" Jeremiah's talking about is most likely NoScript, which:

  1. Blocks Flash (and other plugins) by default when the content comes from an untrusted web site
  2. Blocks Flash (and other plugins) by default when content from a trusted website is embedded in an untrusted page - this prevents embedded Flash XSS
  3. Checks cross sites requests for script injection and sanitizes them as needed - this prevents reflected XSS, included the Flash variants

The best thing, making this approach much more viable than "disabling Flash content" tout-court, is that you can allow individual blocked content pieces with a click, having a chance to examine their types and full addresses before running them: this is what may save you from being owned in a Flash ;)

6 Responses to “Flash XSS Protection For Users”

  1. #1 Mobile says:

    I'm an avid user of Noscript, the program designed for firefox.

    Well, since some Noscript updates that were installed, I noticed that embedded Adobe pdf files were disabled by default. Browsing through the Nosctipt options, I saw that Adobe flash extensions were untrusted.

    As a student, using the internet as a source of information is very necessary and i encounter adobe pdf files very often. So, may I request that Noscript has a seperate choice for adobe pdfs in some future updates? cause it would be great for me, and I will not have to click "allow" all the time. I'm also sure that there are many users out there that will share my inconvenience.

    Thank you for listening to some irritating person,

    Yours.

  2. #2 Giorgio says:

    @Mobile:
    You just need to click on the placeholder for the document -- after all, you're most likely going to click on the document itself anyway, e.g. for scrolling it.

    However, an exception list for the Forbid Other Plugins options (which, if checked, is currently catching PDFs too) is definitely coming in a future release.

  3. #3 TikaL says:

    I wanted to know what kind of damage can be done by this type of intrusion? I use Flash on almost a daily basis. i Might not be keeping up with what can be done... but this is interesting to me.

    Thanks,

    TikaL

  4. #4 Giorgio says:

    @TikaL:
    Flash XSS can do anything a "traditional" JavaScript XSS can do, from credential theft to session riding (impersonating yourself across the current session) to complex CSRF despite anti-CSRF protections which may be implemented on the target web site.

  5. #5 TikaL says:

    @Giorgio:

    Thanks for the clarification.

  6. #6 Macromedia Flash 8 Pro says:

    Macromedia Flash 8 Pro

    Rich Cannings recently documented Flash-based XSS clarifying with some examples the quite fuzzy coverage this issue received so far.Its “The Fix / Users” section says:Update to the latest version of Flash Player plugin. This will protect ...

Bad Behavior has blocked 12580 access attempts in the last 7 days.