
August 17, 2008

Clipboard pollution

Just saw a Friday article in The Register titled "Mystery web attack hijacks your clipboard". The symptom was that someone was surfing the web and something started perpetually overwriting his clipboard. Dan Goodin referenced "sandi" at an MSMVPS.com blog (sorry for not quoting your last name, Sandi, but you don't make it obvious and I didn't remember it), which in turn referenced a number of forum threads which were said to describe the issue.

This forum thread seems to have the most descriptions (possibly of multiple issues), but the screenshots and partial descriptions don't mention any particular SWF at MSNBC.com. As with previous Flash warnings through this venue, it's hard to summarize the main evidence, which is drawn from various disconnected forum posts. Dan Goodin said Sandi mentioned Flash, but I didn't see where she did (other than in her weblog template about "flash malvertizements"). There's not yet a succinct case.

It's plausible that some webpage has a rogue SWF which acts obnoxiously with the clipboard. It might be a JavaScript thing too. But let's say that there's indeed some rogue browser element which just yak-yak-yaks into your clipboard.

Two questions:
1) How did you get to be executing some logic which acts so obnoxiously?
2) If you're using a browser to surf the web, should strangers have so much power?

(The answers are already here, but let's run it fresh again anyway.... ;-)

How'd some rogue interactivity get into your browser? Probably because of a trustworthy webpage with untrustworthy third-party content. Ad networks are big vectors for third-party resources. Web-based services are another way to introduce third-party scripting into a composite webpage. Even a third-party GIF can no longer be completely trusted. Sandi's page is pretty secure, but even that page is executing scripts from three domains... the article at The Register is executing scripts from six different domains.

As Nat Torkington described, if you're republishing third-party JavaScript, even trustworthy sources may prove untrustworthy. If you're accepting interactivity through an ad network, then they don't seem to have formal processes to vet the people whose content they forward to you for republishing.

If you use Firefox and AdBlock Plus, or have another way of inspecting third-party content on webpages, take a look at just how many domains are involved in creating the page you're viewing. Each HTTP request for a GIF, a JavaScript file, an RSS feed or even a ping is registered in a server log at those unanticipated third-party sites, and for interactivity (.SWF, .JS, whatever), your browser will be accepting instructions from parties other than the site you're visiting. Modern sites like TechCrunch invoke dozens of scripts and ping even more domains whenever you visit.
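The domain inventory suggested above, as an added example that is not part of the original post: it scans raw HTML for loadable resource references (scripts, images, frames, embeds, stylesheets), resolves them against the page URL, and groups them by domain so you can see how many parties the page hands instructions to. It runs under Node.js with no DOM; the sample page is constructed, and "same party" is approximated by the last two host labels, which is an assumption that is wrong for suffixes like .co.uk.

```javascript
// Added example, not the original post's code. Inventory the hosts a composite
// web page loads resources from, the way AdBlock Plus or a request log shows them.

// Tags whose src/href/data attribute makes the browser fetch (and maybe run) something.
const RESOURCE_TAG_RE =
  /<(script|img|iframe|embed|object|link)\b[^>]*?\b(?:src|href|data)\s*=\s*["']([^"']+)["']/gi;

// Simplified registrable domain: last two labels (assumption; fails for e.g. .co.uk).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Returns Map<domain, { thirdParty, resources: [{ tag, url }] }> for every
// http(s) resource reference in html, resolved relative to pageUrl.
function auditResources(html, pageUrl) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const byDomain = new Map();
  for (const [, tag, ref] of html.matchAll(RESOURCE_TAG_RE)) {
    let url;
    try { url = new URL(ref, pageUrl); } catch { continue; } // unparseable reference
    if (!/^https?:$/.test(url.protocol)) continue;         // skip javascript:, data:, etc.
    const domain = registrableDomain(url.hostname);
    const entry = byDomain.get(domain) ||
      { thirdParty: domain !== pageDomain, resources: [] };
    entry.resources.push({ tag: tag.toLowerCase(), url: url.href });
    byDomain.set(domain, entry);
  }
  return byDomain;
}

// Sorted list of domains other than the page's own that the page pulls from.
function thirdPartyDomains(html, pageUrl) {
  return [...auditResources(html, pageUrl)]
    .filter(([, entry]) => entry.thirdParty)
    .map(([domain]) => domain)
    .sort();
}

// Constructed sample page: first-party CSS and JS, an ad-network script,
// a tracking pixel, a protocol-relative SWF from a CDN, and a javascript: link.
const SAMPLE_URL = 'https://news.example-news.com/story/1';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/site.css">
<script src="https://ads.example-adnetwork.net/serve.js"></script>
</head><body>
<img src="http://pixel.example-tracker.com/beacon.gif?id=42">
<embed src="//cdn.example-cdn.com/widget.swf">
<script src="/js/app.js"></script>
<a href="javascript:void(0)">x</a>
</body></html>`;

console.log('third-party domains:', thirdPartyDomains(SAMPLE_HTML, SAMPLE_URL));
```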

Should webpages have so much power, as to be able to copy to the clipboard? Probably not, because you can't trust everyone else who is allowed on the network. Early email architects didn't imagine spam, but spam is what we got. If we want to safely click from link to hypertext link on the World Wide Web, the most stable solution is to give the browser experience few privileges.

(The alternative (which failed for Microsoft in the 1990s, and which Google is reviving in a different way with their search warnings) is the concept of giving some groups of publishers greater trust than others. That leads into an additional class of permission-raising exploits, spoofing, and so on, as well as all the subsequent social opposition from the less-privileged classes. These days, when even your local domain-name server can't always be trusted, favoritism doesn't scale at all well.)

Web browsers need to be able to safely visit any hypertext link and safely execute any instructions it may contain. To gain greater privileges, it seems smarter to use a separate codebase with a more generous sandbox than it is to set up permission schemes. This is the fundamental reason that I believe the various brands of WWW browsers won't be able to act very much like desktop apps... the need to visit any strange site safely conflicts directly with the need to be a trusted and powerful part of your daily environment. Theoretically possible; pragmatically fragile.


Anyway, on this story at The Register, I haven't yet been able to identify the exact situation from the descriptions. Clipboard-spamming does seem a possibility. And the trend toward composite webpages with third-party content makes it increasingly difficult for in-browser apps to act like desktop apps.

Summary: This report needs further investigation.

August 04, 2008

Software Impersonation

At ZDNet, Ryan Naraine of security firm Kaspersky Lab advises to double-check the links you click in Twitter or weblogs: "A Twitter profile has started lending links with lures to a pornographic video of Brazilian pop star Kelly Key... If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it's a fake) on your machine. In reality, this is a Trojan downloader that proceeds to download 10 bankers [password-theft malware] onto the infected machine, all of which are disguised as MP3 files."

Bottom line: Clicking on links in social media is like not washing your hands after being out in public -- you just can't know what you will pick up.

The part that worries me the most is the "says it's Adobe Flash" part. We've seen such impersonation before with files ("Naked Wife", e.g.). But to actually impersonate a very well-known runtime? I'm not sure how that will play out. Some people will fall for it, and I feel for them, but most would see through it. Still, some real people will be hurt.

David Lenoe, from Adobe's Security Team, had a blog post up about it today. I don't think that the people who need that reminder would ever see it, though. I'm still concerned.

Adobe is not directly involved, but the infection relies upon using the existing goodwill towards the overall Adobe Flash ecology... without all those sites which made Flash a standard, this social exploitation would not work. (And Ryan's article doesn't clearly state whether the link is to an .HTM, .EXE, or other file, so it's unclear to me yet whether URL-shortening services are currently enabling the exploit.)

A bigger bottom line: Someone out there in the world is going to get their bank accounts stolen because they saw a dialog that said "Adobe Flash" and they said "Okay". I don't feel right about that.

Do you have thoughts, advice, observations on this? I'm seeking different ways to look at this problem, different approaches we might take. Open to anything, thanks in advance.

Closed above, closed below...

... and a wee little bit of "The Open Web" sandwiched in the middle?

derStandard.at has an interview with Novell's Miguel de Icaza about their Mono and Moonlight emulations of Microsoft runtimes for Linux. Miguel also points out the convenient blind spots of those who argue against technology solely on the grounds of "It's not The Open Web":

"I mean, how many people outside of the technology world really know about Linux at the moment? And even the Mozilla guys - the keynote we had here was done on a Mac, every single Mozilla developer uses a Mac. And it's funny, they constantly attack Silverlight, they constantly attack Flash and then all of them use proprietary operating systems, they don't seem to have a problem doing it. And then they had the Guinness record thing for Firefox 3 and you went to the website and it had a Flash map to show where people are downloading - so there definitely is a double standard here. And that's after all their claiming that you can do everything in AJAX - so they definitely don't 'walk the walk'."

If evangelists try to say that practical real-world web technologies can be tossed aside because of alleged philosophical impurity, then why aren't these proselytizers using some type of Linux box, instead of the super-secret, tightly-controlled Apple hardware?

And it goes up a level too -- if you're really concerned about open use of the World Wide Web, and are against proprietary secrecy, then wouldn't you avoid accepting primary funding from Google, who has the biggest databases tracking consumer behavior on the Web, and who refuses to allow people to access the files Google holds on them? (If you're not up-to-speed in this area of cross-site tracking via third-party content, then try EFF, Wikipedia, or me.)

When your mortgage is ultimately paid by selling consumers' attention, it's a little disingenuous to throw rocks at others who just sell software.

We accept "proprietary hardware" and "proprietary OS", and run through "proprietary service providers" to bulk up "proprietary ad networks" and "proprietary social services", all to build "proprietary behavioral databases" for a sugardaddy, but dadgum we can't be using no "proprietary plugins", nosir (unless'n they're our "proprietary plugins" that is)!

It's like seeing a supermarket ad for "all natural ingredients"... nice enough at first listening, but just what does it mean? And if you met someone who insisted on eating only "all natural ingredients", but couldn't describe what they were, then that could get more than a little weird too.

I think it makes a lot more sense to just neutrally weigh the benefits and potential risks of various choices, and not to dismiss any choice out-of-hand for religious reasons. But if I were to argue that certain choices may not be tolerated, then I'd likely try to make for some reasonable consistency in that intolerant stance. Why feed Apple below and Google above, if you insist "Flash is subverting 'The Open Web'"...!?

June 06, 2008

Bullseye equations

At eWeek, Larry Seltzer raises some good points in his article "The Big Bullseye on Adobe"... definitely worth reading.

But I think the main reason the bullseye has been growing is that it's increasingly financially rewarding to attack any widely-distributed code. The growing value of your digital data and digital identity now draws attacks -- in areas which were previously considered safe.

Browser security practices which seemed acceptable ten years ago now entice exploit research... window requests, "javascript:" requests, cross-domain mashup requests... many of last year's Player issues were closing off plugin requests that browsers and servers should no longer fulfill.

And even coding practices which seemed acceptable ten years ago now need to be revisited, as April's null-reference pointer discussion showed. In networking code, domain-pinning is now seen in a very different light than even three years ago.

Web technology tends to be too accepting of innovations, and we only look for the dark side later. (That's "imho", btw. ;-) The people who created email didn't foresee spam. The people who created TCP/IP didn't anticipate actual denial-of-service attacks. The people who thought email needed colored fonts, images and JavaScript didn't handle the subsequent problems of web bugs and beacons. Early blogging hosts didn't anticipate comment-spam or spamblogs. The holes were there early, but weren't valuable enough to exploit until later.

The risk of an attack does grow with the "attack surface" (the amount of code, functionality, and entrypoints), but the risk also grows with the "attack incentive" as well. When technology leaves a hole open, it remains ignored only if no one finds it rewarding enough to exploit. Lynx may have a small attack surface, but there's little financial incentive for attack research as well. Successful technology draws continuous re-examination.

Do things like AIR and Acrobat 9 increase the total attack surface? I'm not sure... adding existing things together doesn't concern me as much as some of the new abilities, like local file access or invoking third-party code. The team here is pragmatically paranoid about increasing any attack surface, but I think it really requires a few years of real-world probing to test whether a new combination of abilities is immune to exploitation. I'm not sure I can yet agree with Larry's initial point about SWF-in-PDF directly adding to attack risk.

But I do agree with Larry that Adobe's client-side runtimes are drawing increased security research, by people with vastly differing motives. Adobe Flash Player lets you reach practically anyone, and criminals will also seek to exploit such real-world accessibility. That's why the security team here is so important, and Larry included a description from Erick Lee about their approach:

"The Adobe Secure Software Engineering team, which I manage, has industry-leading experience in building secure applications and is a core service provided to all Adobe product teams, independent of any specific business or product line. Our secure software engineering practices include threat modeling, automated code audits, in-house fuzzing, bringing in third parties for external security reviews and more."

(I also agree with Larry on "people update Flash, but maybe not fast enough". Last week's "China exploit" story (which was subsequently retracted by Symantec) may not have been possible without the wide publicity given to the null-reference paper in April... the blogosphere ended up arming attackers without reminding civilians to keep their software current. Giving the public some time to react would be helpful, and appropriately updating articles and accepting comments is, of course, a vital responsibility.)

Larry Seltzer is one of the better security writers out there, and he's got a valid point here.... Player, Reader and AIR are all under increased examination by hacker gangs. They have great incentive to perform such research. It's hard for Adobe product teams to push back against developers who want more local-access features, but it's best to do things slowly, open new doors one at a time, and listen for the actual results. A phrase like "The Big Bullseye On Adobe" is a realistic description of the situation today.