Flash! Firefox No Longer an Automatic Defense Against Browser Drive-Bys

By Larry Seltzer  |  Posted 2008-11-18

Security exploits still target browser vulnerabilities, but attacks on browser plug-ins and vulnerable third-party controls such as Flash and Acrobat are becoming more common. That means Firefox users need to be as cautious as users of Internet Explorer.

The playing field for drive-by exploits through Web browsers appears to be evening these days, thanks to the rise of exploits through third-party controls. The chances of Firefox users being exploited are a lot better than they used to be. This is especially true on Windows Vista.

The latest Microsoft Security Intelligence Report states that exploits through third-party controls are the big thing now, and I believe it based on what I've seen on my own and through other vendors. In the report's words, "more than 90 percent of vulnerabilities disclosed in 1H08 affected applications, rather than operating systems." Two more interesting and relevant quotes:

  • For browser-based attacks on Windows XP-based machines, Microsoft vulnerabilities accounted for 42 percent of the total. On Windows Vista-based machines, however, the proportion of vulnerabilities attacked in Microsoft software was much smaller, accounting for just 6 percent of the total.
  • Microsoft software accounted for 5 of the top 10 browser-based vulnerabilities attacked on computers running Windows XP in 1H08, compared to zero of the top 10 on computers running Windows Vista.

So Windows and Internet Explorer are a declining factor in the exploitation of users through browsers on XP, and only a very small factor on Vista.

What's filling in the non-Microsoft percentage? Third-party apps, with Adobe Flash as the most important example. There are others, including Acrobat, but Flash exploits, in the form of malicious SWF files, are very common now. Some of them are as simple as redirects to a malicious site that tries to do other things or just to sell you rogue software, but some are full-out buffer overflows in Flash.

It's this latter type of exploit that is especially interesting. As a general rule, a buffer overflow in the Flash ActiveX control for IE should work as well in the Flash plug-in for Firefox. It's all Adobe code being compromised.

It needs to be said here that the most important thing you can do to protect yourself against these attacks is to be aggressive about applying patches for important third-party controls, like Flash and Acrobat. Adobe has gotten much better about bringing out updates, and the latest generations of these products also employ mitigations like DEP and ASLR to fight exploitation even if a vulnerability is triggered. As with most other products, the people getting exploited are those running old versions.

I asked a few experts for guidance on this and didn't get as specific an answer as I had wanted. Do such exploits work as well in Firefox? Are Firefox users being exploited through these attacks? I also asked Adobe, which didn't respond.

The experts I talked to agreed that, as a general matter, an exploit for a browser plug-in is as likely to work in one browser as another. In some cases they would work "out of the box." In other cases there may need to be some modifications for each environment.

Researcher Thor Larholm points out that for the case where memory corruption occurs in an image rendering, you may need to calculate heap offsets and partition the memory correctly before triggering the exploit, but it's the same type of work for any browser; in the case of Flash you can do it all in ActionScript. Does anyone do this work, or do they just calculate the IE offsets and hard-code them into the exploit? No answers from anyone. It could be done easily; we just don't know if it is being done.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
