|
|
|
Keeping an Eye on Adobe Flash Security Means Catching Common Programming Errors
By: Brian Prince
2009-02-08
Article Rating: / 3
There are 0 user comments on this Network Security & Hardware story.
Insecure Adobe Flash applications have been targeted by hackers looking to compromise Web 2.0 sites. But while Flash security is a popular topic of discussion, the most common vulnerabilities associated with Flash apps are due to general programming errors we should all avoid.With hackers increasingly targeting Web 2.0 sites, knowing how to develop secure
Adobe Flash applications can be a difference maker when it comes to
avoiding mass compromises.
It is not surprising then that some are calling for developers to pay closer
attention to Flash security. IBM,
for example, just enhanced its AppScan tool to add the ability to test and
scan Flash applications.
At the ShmooCon 2009 conference in Washington,
D.C., Hewlett-Packards Prajakta Jagdale
used her presentation Feb. 7 to focus on common vulnerabilities in Flash
applications. In her research, Jagdale found that many developers leave, for
example, uninitialized variables that leave applications open to cross-site
scripting.
But as she noted in an interview prior to the conference, many of the
common security
holesfrom
input validation to having user name passwords hard-coded inside of the client
codeare not exclusive to Flash.
These are the general principles that are security principles that are
applicable to any sort of technology language, said Jagdale, research engineer
with the HP Web Security Research Group.
Earlier this year, the SANS Institute teamed with a number of experts to
produce a list of the top 25 most dangerous programming errors. That effort
involved people from more than 30 organizations, including Symantec, McAfee and
Microsoft.
The idea was that publicizing a list of the most common problems will cause
buyers to exert more pressure on software vendors to certify that their code is
free from those errors.
The certification, the authors contend, would put responsibility for the
errors and any damage they cause in the hands of the software vendor.
"There appears to be broad agreement on the programming errors,"
SANS Institute Director Mason Brown said at the time in a prepared statement.
"Now it is time to fix them. First we need to make sure every programmer
knows how to write code that is free of the Top 25 errors, and then we need to
make sure every programming team has processes in place to find, fix, or avoid
these problems and has the tools needed to verify their code is as free of
these errors as automated tools can verify."
Whether or not buyers actually start to put pressure on
vendors, avoiding common mistakes like the ones on the list or those
mentioned by Jagdale protects us all in the long run. Certainly, there is no
shortage of sources out there for information regarding best practices. Adobe,
for example, offers a number of resources for developers looking for
guidance on creating secure applications, Jagdale noted.
"All these recommendations are provided by the vendor ... and whenever
developers start developing any applications they should make sure they read
the recommendations there," she said.
|
|
�������x}r㶲s\@♵MR%ƶ,xMT(��S�IVr�e��oВ8%\�@h4��{$�W7-gL.]snS?úO
Y'Tw>{�&(ˑԫ�1m3�HnwݶN-gP'^��> \?g3;Y|��� tjOt0.Pk< jZ5��3j5ԗoˏ~e0��.ZIQ6*6!j��:i�?Xش�$�1qDñh]
�QQ��ږyL6�G�H��"C7�ܩHr��6#RTRX^P~�FD;玗r�#�|�=x:a/M˟�m�ڮ�E�X'/�[v�B�1BE��/u�#7J;v9"�QcO$ա%Uq�˝LJ^tf>D�>8�z�v
v=rJ�53ҧ
=K�;O=k��\w=j�P?�b@2hưaIp��l2X�pa�Rb
#Ϟ~b[>4�:�]fu~�ƷP7nǞ;w#27 vQKv��TmCO|lMݟP>�I
�uaGG�Hu3osX�2n�
dþ=RP*qR,�*cgQ>o9{ۖ3p)sgyÝ|kZ7�~](eU�w>H� �C[wn�
-%�ZA;l^wz>|j]\��r m���o%&�W J�DTRBx$"���Pc@GNj${/@BK�oVQ+aASc T$0yY>E�4bEUC$vߔM-~{Huz~rn!|#9ĠV*�PFbЊ%+5�2^tܜ5o/9nWMuI}!)|v�!5MP\ܱ8ڪV�7`Kė6O^�SQ�&�:aZ+UCICsmI��O.ڧ$'MT&y��tǷPZ,r$dBrZ~@X*V�� Q3o�f5
x�[&%�0ɔc�Pu��t:9�CsښfC�+t�U&T7o`�H�2� S��Is뮖;�j�\K}0�[-RF &�\
��a�C\ش�6�,%��hJ@{d$e��$�}ВYtBF(8
.)J�""xN3�qE�KH�@!=F!8�N��#8U%Kus7p@e
}rNTʊ0Sr{禷H
n�uV$nO^�K�/�364>p�X.B2iK1.pJ۫Z|�ϏV)Ab��CU95b�(WZdL��4��1,ϘP7HA^g�?σ�54SOgǘ>5ֆ$RCGs��tD�AG6V^�zK
tcb���>'ä��p�p|w��͇z9Թga��K��UԇRVi�I
�t"&q}s)кy�&na1C?�JlMnP�>h^0�h�p3�*~s`�=�>�o��߃5�#閭�-�T<�ģܠ>̨�C|'s\(L7^"��y"�h"D& �
��T�A'�E�FNN�@@7�O$^I-TbD�J�O�q$]cwJ�"JX*QYl�p[/ �rRdZ0u <"`*�ˑe*0pMSx6QnZbަ!B~^�i8w.]Y��U� =j�ʫ+Kĝ}ˁ%XF0O�̡ GLx�}Dž?ǘ�6R�\[eX�4l9ڴD^PsĽ'�Ќ�7_ayaAzs���2郅d�O-�dLAqϝ2h� JdB[ assSmlgK4'R\֪�4�I
�̇R >5mU�AJ��2�t�͏E=kb�$~f��
,DYBbOX�7��rkKF+UʜWRY'e|)�WNY�ָc$] ֓6_2���˧��L)ESr��6���w'NѫU;z�vM"kBXؽ@�r6�ҁveZZ�@-��ĿU�i
m7VX5oQV0&���4�)�i�iY�lcyt�y:JIaR�еہ`��,�YNܛwXUM.r
�}dҶ 7�=`tu+ ��ЙN�тP�
l1��JYY�,,qThjU,��-�"�|�7@(
��˖X
bЁUrcڋҝebeS;k);UC_HXQ6Ϯ[-��V!P\(L8`C�LmRGM}Bu߲��gWKn�Vl@dX.)�UqH~�6��=2e]P�T,ڠ_#l̠::W�$cifh�SKr����M~��ά!ֳӐPQ@1�"^Ou/��5GaΠܧ^۬�vB57�nB@ŁǨ,u�-Tn��]wlSIBnA��E)'>E�5a }�d�6]D�z�퀇4`H���A�Db��6���$>��\P`�t>*
eX) 5*:IMy�m"`/?�ˇ%ʹ�谣H =j=gdl3ʫ<2
y���әZ�
J�qtheU-UjR5�D;ϏxW�E�"IϨ���Pt@�qD�R
&�`�j@$��p�LM{6�baβ��J);�oiH�y6$�+�yZD]bRXE�G�znѵf�@\=pj)?FMS؇Qcm/ kR9�Tk�/�zoΊ.EՌLtPȐ�hNǓ�W�ȡ5Th7 �8U��PG*lpϛ3GD�*@7Z �ɦ~gZitU�JC<ϤURܝ,|ˀ�dyM?�M�C� Wѐ�ZD#^�$}#=U,�A���EUPU(V
�$�y�Vp8,h2+�#4�+��ǽa�n?�9 �1ķ�TI�KW.)w?�7ϰ�;�mNb���4PF���}V q�
ev,�طh;�CX�I3$#�ڰ�K�Cnƭj`-ӪV�$,< ��(<�d��=hثp�M\&e^M%%;S>S�5��^
�~Si{V9���T%5͇RiE�mT)玿ߓN\Z c��( rA-��ã{(�d�2rY��+7�'�ʠ��K�Z8`�<"MMXhc
\ٟxsɖB�z$DDOCV�g'�+�ʬƸ @48'�o/���ZU{" }M�ޟ�p_م�b�ݟy�k(,��'@ޏ�}ﻛv~D
�;>\e��2a]=}Nowx0�Vy? 0WK?V�2�Ї_U#R:&i)/�[Vc8K!6�g5ރ �2�`i8Fjx{LC�>rfWϋnl_y�60u��8�.o�d�hXw.�is/�UKJ:tE's=B AH#���zW!zN/ZnfS L
k;d8)0'hdqH13^z0l�6��:uu͉�]9�kI*D|=d_5湜gHܰX
x0�G�v^ޚ#s�~m�XLXoH=(_1a��X��H]�T
�dD^4>G2sE�1����^S�F(+b�K)"$Dٌ |E�ii�o/aANa�1:�}Qt"ڿBO/b��~C<�B<�_dxD���'BٰGg15\6I'ҹ8 $CebS`݃�/Z�s;�i!�Q2�7��?xKP .Mu>Ro2MD�Y{�.N�m�{-~=w`��Rv��PR)&\z*I�;˼
ݖ6h�9K2)!M\�F(RL P6lO&y=%lQ1 i(KBi%�lbTH{RoO�m\mpV�Pt.+P}~綱��yx3*i1�(5�~q�.�H�>a')-�GH
T䵤�
W[dUH.~B��/R. L8�)T�z@0PH�刜|1}~YU=��`LM\g���h]G(WP�v4qkX�9,3�Zt
v�gcDr!N{H,Ɖ;-�!�Iߺ&s��+=F���=g7o�m�T�2�}qB[�ٿ[o5e's
C7+۽t9niXnơ8�
���^t,$�$yUZ�U3$]d%�]�FrZx?2��M�3}ݺ��Jf�����2iAh�3�O7n�C\j`l_�c(v@�k~=ϸ�2]a��
���XjmD.]9n��p;D�98E^Y8Z�䑼D�qD%��t`��v�U6�m>=�-S��Z�~D� Rf��O�mMN���i���j&ǎs�$��gr0G �$T8h�|n�wkLlll���4�RbШ,rj9٦p��r[���m�P\k9�>m`��ܭህ:��Yx{Dn�ě��OЖKzs�Eq[*mt;젃jxSdn�O']=0&�ݻ�����ٯ?WRIy�{
~�RzTV��3X6&I.:3'�*!fr{Y�pY|Z0%�m�r 8����
-)rSpqIޛ��ߑ%[;�3 .��s@��R'
3�侍C$l�~'lD~�-0n!2-:�YAJ}wXjB{K�@-p�tFg1�4|p4vYD4X/8�j1Ԏ<�ζR1~lδ8,3�N2~X!g\jزX3%�v4�~)l�vݍē�<=7 �Q%�6��VT�R�i"q6jcHHmR/�^�N"�OmXEs (RS:xJ]{d
:nIjȂe{CW?"Q�$l���"�o`�,Rۭ\(hh�]!s!Űy�ZRUIS&/ez3�\�$���[]Gt@bOVZfi��>a�c*
0ȸBEOtdtԟ\uwJTm)R�[R�6D;Ý0!>ΰ��ѝJXݒ*h_��I'4}Uˇ�dL�d� a��ЉW��*,DPTV/)?/.?ϻR_�Tps�G�ש516y0�r芘��T�C}]Y 1�lԟQyGJT
Vؖ�K/NהȤ�[�ŒJ�h[�L�C%KXP9t'&FzYH ;�;WyZ]ޖ/NkKk)N��4XD�B0:q��<"क़t ��f�UXEiODIaj5MRZ腍6J.��c0T�qb>�F�8:C�}�_@+|�j�Tz]ɵ,)&rea-\;efv
voq&O!�f�f�f�f�&pعW7-ᛖ!<�
\OhVu9�Sx4)�&�+d~
�dE21��SD����y9ڟV?�I <�/ےaFa
1LS'�^[j-��q;�Ā/KNoz�{s)?½~�x� g?h�֘>%�7Zb50�"ŐU)H[RY�{>g�� V/i Ro�)}jP¶7��&X]�Kit�㌶��Vߐ$Q�aI/6PH>^Nt�RK*b/@FOgbjZ)lr5I�>�'y@�>�+VY8?�Ɩ��k|f=H;F42J)@h��V1_ �m?p|H-�3`R3ğ�+Dpnd!�\�e�)�!UJJElrQ�xQ�_�O"�< @ !�
xiy�JO%E�^zW@�>�.\TlN�+wٻ*Cݧ�Y� w���AHD@U1!: !=q�)h?&kwIs%w"ffff|âR8|H5zͤx][�u
e}g[&�G�!�@B�g�Pi@�H?�U�
{۱ַ-孉V��3"npDXQ��+jfvZ�L}%k})~2&SUQ7SRLP؎C
G5zFk1ԟK�pn�SRc�{fv :)V��38��Ϋ]�bdG4w+ٻ̢IGk\9I�$$j[{7-yv,M9_ۢ�Z�!@sR3mH]S_dOZ���p"q Ή
� i]k|m�U
)�#]]ǝ|g��VT`9kGu#oh�
�}�;~4�mw�s7�Cb`cwP)=h%|%GS0kf:.W٫/#/[e5�ҙ3ݶW^��WPj_e�;�#ķz4�<�a!0t`۾��p�l� !٩�/ͤ��m
Z1��ߦ��ym_m��@R<+
U+{l��ȊhkkٵqdyN;�RmV./Jh$&b4;ch�<��y{�©وj:!VJ�E:`�W'�+┱fnm����9s?��FI4R�/"J�G+t��z`�]g���4�ε7
d=��O�/Em/pQ}}ݠ2/�Xö˿�$lz`'r۩-hMVLm!��0V��xv��Dq~�x?ߴ{��'5n;*��g��dCҏ"w@9Ъ�
ek�>7jE_A-ôhgPߨ����ό3QJC!E����[?wA׃Ow�@�a]I��Y$i0ߣ�>��Y?͠C䷿T}fɷGwQ־cd2Q�ȏB�Q
QEo�� �_I¢�Zt�OH �2E��M!
$�jRt�u�U7-yM15цX5�0~�,f�h;�b�=��ڹ-rX+ ~Kmy�5�Jr�5�77�ںsZ�Yr�jLx ^E�8�_gclS|fb0 ؠ�Z�GInLٸ˰0-|ri;�.Ru���s�!["�̶fB�?ZA)rx�!?�ER/ؕժTjQ�ܣF 37�ˁ]Oz5k\Cm֘/�9hid�Z{#qȋȝGF^*iB�yK�0
���=�/�oM)%,xxX �B�{?LO~K4�cC�@G��0cۡ/0经UztWc5v�JW�EEuJ`��п���^Rc$�W6 c,�d{:;3 (�f;Vv���fRjs>ѽ^BWz!�u,u=/:O�yX~��):Β2�/0L~%U$x[jhwQf1�V� 纣;~� ��Axǂ=>X|G,%_ۄ�z%|�#+�#�oEi.ê3}�b�@\W1�JzM ;ex�i)Z�B"z!Q_*J�@(fiir'�o&'�졢�>T�o/�(P~ЪQ7>6<|�yw�hw�%]���F-�:�&|dE� ')MС
���r@JoIdg�8�|�m@�1"r?��
IG��ԗ�HM*�m�vqU�@��y+��DL�MzD!kC1P/MJ�0�s�>7�Li0qA�>0<(SG�]ĝ?]qPO��7Ё@V pϒwgy�:tVQ�1e&��}Ǟ*%n��wKM ᥇"F|lN��]ƒ�$�BqнӜh߰2��\/3 yA@�܃f�cp2� #GYkOV/3i˘�Јw�S;�=y��q*9��.�
Sz9<����#p��5yhzXoyG~|_<ڻsϬMU����IA6KE>]l ��x�P�[sԙqE!֢@�)+z�yXk�-g4o�?J���A��zӏg�x5CZWA�V`l}�Tq4
j5%pJ!�J81�|
HM��3wN08
aȆnLIL=CV}5h]WqTѰ�8Ʈ;�%P7�m�IfT.jZQo\)Uʹ俓kD2��bx�c�UUEVr�o�VV�K
D`q>C���xt>�`2?6UJ`���z!� r1�=4cdKћ;BDO"���&X�� ڼx�`T�!;7 5�@1�L�o�r;Xr�-$R>gD.A3|Ɲ�_q1q7
߄^RV4ڍ"o�<ԹNw�s@OG=x�,T�~�f�.g��
�ě_#�hأ{wUıPr
P_dz�l1A�Щ>�b]d�L$pgB-k˻�>�He!�#˦&�R8�>(�8D�[-WPخ1"�QSn*
ur$~|5K�6�E$x�:)r��+>t]�a�z�E>˫BOƬ6x6-Ӆ'VP���w��I�;�n�uVkR0A<��! #���*aL I��U?�I[E{| -r�
{2v3&�o�F�"g}#�oav�]&
~з�)%,L$Xm%8uP#䶻sa����e�o,=Td1|]BU}�C��1̍^x�ƁOc�Y{6\�$%4-뚈�1e%['"MzGmwa=v��ĺ�FKBt�|m�{Dj9c~`�� ;y8`�-<�>lRoY6G�Y~y�,XoMD�
,[K�|�iC��n�809`"��s<`2xr/Oe]ZaiѶ��Z
Q�/~j\O(Ck
�GL��,>�iЄΧ�ap祎�h��hU|��>cy w}�_xut#AY��=٭��Q0"p,^^f h|�}�ρ XsCQ�&7
�=[CH�ʍt�/�A�9:YG�~���0LĶ2�ئ?MkSw�)+S%ǔ,@Ƃ?�qLwfø)
3/��u@NDvg˫PyGm<"^|:um뎮�E{�gu�ݍfmE+��]f'[ۧ2�й=-{�/���y;���=)�,/�{��Q�Ib�FK �8u
PѺ�V��"�!a|"^oѧn-/ـ9@����3=֏*u�el6r)
XGڦF
Q`W�~ib=y螉=��ve+{B760*�<Ǹ�mo��+@�>���{~��w1G�04co~�ͳ-lI12�#,�$8zIW6{{&7�&�iyccC
v_ʉ~ph;?�"Y>A� wvǰ�.XP!Ƨ۹7�O�Ч�UHF>
�T.v9ϝn,m���S$��˩;[PS'�>�e #�.Vs6ݛ+[Tchޘ'�,E�1ԛaD(�=��Z���Ê{|�XK�z\�qJz���h
FK+,O�{(F=8~?Z}ڹ\`gh-=i~xxՔ6҂&!t4��!�6dA|g�
.N|>Gy6��x�T��eTU�~$7Mѓ�ec.P)V�[kqCۙ�W۲M�*_d%r�R�W�EiQ}*'2{f(1vlƝl n!%56|O`�k�
EW�]�w�*��
|
Network Security & Hardware 
