Engineers at Adobe Systems Inc. are classifying a new hacking method that breaks a Flash sandbox security feature as a "moderate" security threat.
New research made public by application security researcher Billy Rios this week demonstrates how an attacker could bypass Adobe's local sandbox security feature, which prevents Flash files loaded from the local file system from passing data to remote systems.
The feature, according to Adobe, ensures privacy by blocking local data from being leaked out to the network. In addition, the security feature prevents local file system SWF Flash files from calling an HTTP or HTTPS request.
In a blog entry explaining the Flash local-with-filesystem sandbox bypass method, Rios said it is relatively easy to bypass the sandboxing security feature. His method could allow an attacker to transmit data to a server without the victim getting any indication of the data transfer.
"In the case of the local-with-filesystem sandbox, Adobe has decided to prevent network access through the use of protocol handler blacklists," Rios wrote. "If we can find a protocol handler that hasn't been blacklisted by Adobe and allows for network communication, we win."
An Adobe spokesperson told SearchSecurity.com that engineers determined several factors need to fall into place for an attacker to successfully bypass the security feature. SWF files are rarely run locally; they are generally loaded in a browser plug-in.
"An attacker would first need to gain access to the user's system to place a malicious SWF file in a directory on the local machine before being able to trick the user into launching an application that can run the SWF file natively," the spokesperson said. "In the majority of use scenarios, the malicious SWF file could not simply be launched by double-clicking on it; the user would have to manually open the file from within the application itself."
Rios said the method relies on Adobe's use of protocol handler blacklists, which block only the listed protocol handlers from transmitting and receiving data. A simple method can bypass most such blacklists.
"It's basically impossible to create a list of 'bad' protocol handlers in a situation like this," Rios wrote.
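The point Rios makes about blacklists applies to any control that tries to enumerate "bad" schemes. The following is an added illustration, not code from Adobe or from Rios's research: it contrasts a denylist policy (block the network schemes you know about) with an allowlist policy (permit only the local schemes you have vetted). The scheme names and URLs are constructed for the example; in particular, `unlisted-handler` is a placeholder standing for any handler the denylist author did not anticipate, not a real protocol.

```python
from urllib.parse import urlsplit

# Denylist policy, mirroring the strategy the article attributes to Adobe's
# local-with-filesystem sandbox: block the network-capable schemes you know of.
# These entries are constructed for illustration, not Adobe's actual list.
NETWORK_SCHEME_DENYLIST = frozenset({"http", "https", "ftp"})

# Allowlist policy: permit only schemes known to stay on the local machine.
# Constructed for illustration as well.
LOCAL_SCHEME_ALLOWLIST = frozenset({"file"})


def scheme_of(url: str) -> str:
    """Return the normalized (stripped, lower-cased) scheme of a URL, or '' if none.

    Normalizing before the lookup matters: a check that compared the raw text
    would let 'HTTPS://' or ' https://' slip past a lower-case denylist entry.
    """
    return urlsplit(url.strip()).scheme.lower()


def allowed_by_denylist(url: str) -> bool:
    """Permit the request unless its scheme appears on the denylist.

    Anything the list author did not think of is permitted by default,
    which is the gap the article describes.
    """
    return scheme_of(url) not in NETWORK_SCHEME_DENYLIST


def allowed_by_allowlist(url: str) -> bool:
    """Permit the request only if its scheme is explicitly allowed.

    A scheme nobody has reviewed, and a URL with no scheme at all, are refused.
    """
    scheme = scheme_of(url)
    return scheme != "" and scheme in LOCAL_SCHEME_ALLOWLIST


def compare_policies(urls):
    """Evaluate each URL under both policies.

    Returns a list of (url, permitted_by_denylist, permitted_by_allowlist) so the
    rows where the two disagree stand out.
    """
    return [(u, allowed_by_denylist(u), allowed_by_allowlist(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample requests a local SWF-like file might attempt.
    sample_urls = [
        "file:///C:/data/local.txt",                   # local read: both policies allow
        "https://example.invalid/collect",             # known network scheme: both refuse
        "  HTTPS://example.invalid/collect",           # case/whitespace variant: still refused
        "unlisted-handler://example.invalid/collect",  # placeholder scheme the denylist missed
        "relative/path",                               # no scheme at all
    ]
    for url, deny_ok, allow_ok in compare_policies(sample_urls):
        flag = "  <-- policies disagree" if deny_ok != allow_ok else ""
        print(f"{url!r:48} denylist={deny_ok!s:5} allowlist={allow_ok!s:5}{flag}")
```

The row for the placeholder scheme is the whole argument: the denylist permits it because nobody listed it, while the allowlist refuses it because nobody vetted it. Maintaining the allowlist costs a review whenever a new local scheme is genuinely needed, which is the price of a control that fails closed rather than open.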
Apple, Google, Microsoft and other software vendors create a sandbox around some applications to try to isolate the application from certain critical operating system files and network protocols. As part of an initiative to improve security, Adobe's engineering team has been working on sandboxing and recently released Adobe Reader X, which uses the feature. In December Adobe released a sandboxed Flash plugin for Google's Chrome browser.