Expert says Adobe Flash policy is risky

A lax security policy in Adobe Flash puts visitors to user-generated content sites at risk, says a researcher who has found a technique exploiting the way browsers handle Flash files.
The problem stems from the origin policy of Adobe Flash, Mike Bailey, a senior security researcher at Foreground Security, said in an interview earlier this week. "Adobe should change the way Flash Player handles the security policy so it doesn't allow arbitrary content to access the application without permission."
By default, Flash Player trusts anything, but it should only trust what is allowed," he said, providing more technical discussion in a blog post.
For example, someone could upload what appears to be a picture to a social-networking site but which is actually a Flash file designed to execute malicious code in the browser when the file is opened. Anyone who views that picture could be compromised, said Mike Murray, chief information security officer at Foreground Security.
Bailey said that as far as he knows the technique has not been used in the wild as an attack, but that a "huge number of sites are vulnerable". (Gmail previously had an issue that could allow for this type of attack, but that has been fixed. Flash payload could "theoretically" still be executed, but it would be incredibly difficult to do, Baily wrote in his post.)
Adobe has known about the issue for a while but says it can't fix it or risk breaking a lot of existing Flash content and applications around the Web, he said.
Administrators make configuration changes to each Web site to mitigate the risk, Bailey said.
Meanwhile, users should disable Flash completely or use NoScript, a browser plug-in that blocks Flash and Java from untrusted sites, he said.
Asked to comment, an Adobe representative provided this statement:
"Generally speaking, by nature, Flash (SWF) content is powerful, active content and should be handled with the same care as other active content technologies, such as JavaScript, to ensure a site's design does not become vulnerable to abuse scenarios. Adobe has always advised that allowing arbitrary uploads or attachments of Flash (SWF) content to trusted domains should not be performed due to potential abuse scenarios, such as the ones outlined by Mike Bailey. Adobe has published several best practice advisories and blog posts for developers and site owners on how to safely host Flash content. For example, our Flash Player security white paper describes our model in great detail."