
An Analysis of Adobe Flash security


Chun Feng and Jeong Wook Oh


Adobe Flash is one of the most widely used web applications on the Internet. Hence, the security of Adobe Flash applications (e.g. Adobe Flash Player) plays a fairly important role in WWW security. Recently, we have observed an increasing number of web-based attacks (e.g., XSRF and XSS attacks) leveraging the vulnerabilities in Adobe Flash applications.
This presentation focuses on Adobe Flash-related security issues. We will analyze a few of the latest Adobe Flash Player-related vulnerabilities/exploits, including: CVE-2011-2107, an XSRF (Cross-Site Request Forgery) vulnerability which was used by attackers to target Gmail accounts in June 2011; and CVE-2011-2444, a vulnerability which can be used to launch XSS attacks.
Security issues in AMF (Action Message Format), a binary format used to serialize ActionScript objects, will also be discussed in this presentation. AMF is sometimes overlooked as an attack vector for common web-based vulnerabilities like SQL injection and XSS. We will discuss a few reported vulnerabilities that can be exploited explicitly through AMF, as well as exploits that may be used to attack AMF implementations.
The presentation also offers advice for web developers on designing web applications with these kinds of threats in mind to mitigate the risk of attack, and advice for end users on improving their online experience by reducing the risk of compromise through a vulnerability or exploit.