So.. rapid7 notified Adobe on Sept 18th, Adobe has built the fix into the beta version of Flash Player 9, and now a 30-day "grace period" has passed and rapid7 is letting all the script kiddies know about this (before Adobe can roll out the final build of the Flash Player). Bah!
Here's the list of solutions according to rapid7
* Upgrade to the beta version (Flash Player 9.0.18d60 for Windows), which is fixed;
* Only allow trusted Websites to use Flash;
* Use alternative Flash Plugins (GplFlash, Gnash); or
* Uninstall Adobe Flash Player.
umm.. how about "Let's keep our mouth shut about this until the public beta is complete (which if it goes like other Flash Player betas will end very soon) and the new version of Flash Player 9 is released to the public"?? THEN tell everyone and their sister to upgrade to the latest Flash Player. Or.. if you're serious about helping people --> provide a freakin' link to install the Flash Player 9 beta. Sheesh..
My bet is (and I'm betting I'll get some comments to this effect) they're of the mindset that the Flash Player should be updated IMMEDIATELY after they report a flaw. Like it should be updated the next freakin' day. I'll say it - hell no. If the Flash Player gets updated it's a major deal for me and many other Flash developers. It has a long beta period in which people like rapid7 are allowed to bang on it, and then we developers need to be able to count on it not changing for quite a while. Rapid7... you had your chance to find this long ago and you didn't. Now you want to claim some glory at our expense... that's very uncool.
And that bit about "Use alternative Flash Plugins (GplFlash, Gnash);".... oi..
So they've just told every script kiddie out there how to exploit this.. and those of us who make our living as Flash developers have to tell our bosses/clients/friends to go install a BETA version and then they'll have to install the final release when it comes out. Thanks!
Yeah, I'm spreading the word about this vulnerability too, but unlike rapid7 I'm providing a link to install the Flash Player 9 beta
18 Oct 2006 at 10:37 am | #
I agree, it's a somewhat unusual situation, with exploit details announced via press release.
From what I've understood so far, the ability to forge headers on XML requests doesn't harm the client machine itself, and servers would have to protect against forged requests anyway, but there could be situations where someone uses a SWF in a vulnerable browser on a particular unprotected server where there would be real effects.
The guard against this forged header made it into the new beta, but it takes a few months for the world to update its software. It is indeed an unusual situation.... :(
18 Oct 2006 at 11:13 am | #
Oh my - it's just about sending some fake headers? Come on, there are zillions of programs out there that allow you to do just that, but much easier. And you can do it with any server-side scripting language, too. I would rather call this a feature, and I would just love it if Flash officially supported this kind of operation.
21 Oct 2006 at 12:30 pm | #
There is nothing wrong with what rapid7 has done. Adobe must be a responsible company and they should respond to issues quickly. Not months or weeks, they should respond in hours.
Hiding a vulnerability is not what Adobe and Flash developers should do. Flash developers should demand Adobe to come up with responses quickly. Bashing those who find and report vulnerabilities is like supporting Adobe's slow responsiveness. In the long run, this can put an end to the great Flash player. Better products will always emerge to replace the retard ones. Means a slow responding Adobe == Hungry Flash developers.
If you paid for Adobe's Flash IDE, you are entitled to get the best service from them. So stop acting like a baby. Start demanding.
Flash has the power to rule the web. But Adobe is the only thing that prevents that from happening, with their stupid licensing practices and closed nature.
22 Oct 2006 at 11:06 pm | #
Mario -- You're right, there are many programs that allow a user to forge headers. However, what makes this particularly dangerous is that the request comes _from_ an unsuspecting client and no malware has to be installed on the client. Because it's going out through the browser, the exploit can take advantage of currently open sessions (online bank site, for example). Some very nasty stuff is made possible by this.
Bill -- If you're suggesting that you would rather have Adobe make the exploit publicly known before they've allowed Flash developers time to test the new version on their existing content then we certainly have differing opinions about this.
I don't think their response was slow. Rapid7 has the wrong date listed for when the fix went to beta, btw... it was available Oct 3rd.
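The two points raised above (the Oct 18 comment that "servers would have to protect against forged requests anyway", and the reply noting that a forged request goes out through the victim's browser and so rides on their open session) both come down to one server-side rule: a state-changing request must carry proof that it was issued by a page the server itself handed to that session, and that proof cannot be an HTTP header, because headers are exactly what the client side can forge. The following is an added illustration written for this page, not code from the post, its commenters, rapid7 or Adobe. It generalizes beyond the Flash case to any client that can set arbitrary headers. The `Session` and `Request` classes and the `/transfer` path are hypothetical stand-ins constructed for the example; the check itself uses only the Python standard library.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical, minimal models of a server-side session and an incoming
# request, constructed for this example (a real framework has its own).
@dataclass
class Session:
    user: str
    # Per-session random secret, issued once and embedded by the server in
    # the forms/pages it renders for this session.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict

STATE_CHANGING = ("POST", "PUT", "DELETE")

def is_safe_state_change(session: Session, request: Request) -> bool:
    """Return True only when a state-changing request proves it originated
    from content the server served to this very session.

    Referer, Origin, X-Requested-With and similar headers are deliberately
    not consulted: a client-side component that can forge request headers
    satisfies any header-based check, while the browser still attaches the
    user's session cookie. The only evidence accepted is a secret that the
    server generated for the session and that a cross-site request has no
    way to read.
    """
    if request.method not in STATE_CHANGING:
        return False  # reads are out of scope for this check
    submitted = request.form.get("csrf_token")
    if not submitted:
        return False
    # Constant-time comparison, so the token cannot be recovered by timing.
    return hmac.compare_digest(submitted, session.csrf_token)

def demo() -> tuple:
    """Run the check against two constructed requests on the same session."""
    session = Session(user="alice")

    # Constructed: a request that carries every header a naive check might
    # trust, plus the session cookie the browser adds on its own, but no
    # session-bound token, because the issuing page never had it.
    forged = Request(
        method="POST",
        path="/transfer",
        headers={
            "Referer": "https://bank.example/account",
            "Origin": "https://bank.example",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": "sid=constructed-session-id",
        },
        form={"to": "mallory", "amount": "1000"},
    )

    # Constructed: a request from a form the server rendered, which therefore
    # includes the session's token.
    legitimate = Request(
        method="POST",
        path="/transfer",
        headers={"Cookie": "sid=constructed-session-id"},
        form={"to": "bob", "amount": "10", "csrf_token": session.csrf_token},
    )

    return (is_safe_state_change(session, forged),
            is_safe_state_change(session, legitimate))

if __name__ == "__main__":
    print(demo())  # (False, True)
```

The design choice worth noting is what the function ignores: nothing in `request.headers` influences the decision. A defence that relied on `Referer` or a custom header would have looked fine right up until a client-side plugin could set those headers, which is precisely the situation the thread describes; binding the proof to a server-issued, per-session secret does not depend on the client being honest about anything.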