2
votes
  1. How does Flash weigh against Silverlight and Html5 in terms of security?
  2. If I build a website in Flash or Flex, is it possible for a hacker to affect the swf object and compromise the visitor's computer or affect the way he sees the swf object?
  3. In the past Flash has not been considered secure and still there seem to be security vulnerabilities. Can a hacker use these security vulnerabilities to affect Flash/Flex/Air applications in general or does the hacker build a Flash application that uses these security vulnerabilities?

Thanks

2
I would say that Flash has come under fire from a user's point of view, as there have been questions asked about whether Flash's sandbox is secure - i.e. if a hacker could create a Flash object and place it on a web page to access a user's private data or download a trojan onto a user's computer. Flash has many settings in place which stop code being executed in a dangerous manner however. - Joel Kennedy
Security is a matter of how many layers you want to add before you consider it secure. Adobe has some very basic layers built into the system (like the crossdomain.xml). Just remember any data stored client side can be hacked/modified. Heck the IT admin at my work is probably storing this comment right now as I click the Add Comment button. - The_asMan

2 Answers

5
votes

1) Well, in terms of security, HTML5 would be the 'most secure', but really it comes down to the browser itself. Safari can be hacked into in 5 seconds while nobody has been able to hack Chrome yet. When it comes to Flash or Silverlight, both are pretty much the same, but Flash gets more flack because it's the most used/popular. It's like trying to compare viruses for Windows compared to Mac. If someone creates a virus (or a hack in this case), it's going to be for the most popular medium to reach as many people as possible. I've never had a Flash security flaw affect me and Adobe is fairly good at providing a patch within weeks of the issue and making the public know about it to protect themselves. It mostly comes down to common sense; don't open sketchy emails, websites or attachments.

2) The only way for that to happen is if someone hacks your webserver itself and places their own file there. There is no way to change the way something is displayed without changing the swf itself. What a person can do however is decompile the Flash swf to either reuse your code or find out other security issues (like say server connectivity and such). There are apps like Trillix Flash Decompiler that do this pretty well, but the resulting code is very hard to work with. The good news is that you can obfuscate it using an app like SWFEncrypt that makes your code impossible to read after decompiling. Frankly, if someone can get 'value' out of decompiling your code, you aren't coding your application properly and there's a security issue in your system anyways.

3) Flash is actually very secure if you don't listen to idiots spewing anti-flash sentiments because they worship Steve Jobs. Adobe is on top of every major bug and makes sure that the bug is public knowledge to help the users (which can't be said for many companies). There are browsers that sandbox Flash for extra security (Chrome and I think Firefox 4). Essentially, Flash bugs get more attention because Flash is everywhere, but people forget that there are more terrifying bugs in OS X, Safari and Windows. Plus, most of the bugs mentioned as of late are related to embedded Flash movies in Excel/Word documents. My suggestion is that you don't open sketchy documents from people you don't know...

3
votes

The question really boils down to whether you're going to allow untrusted content to be loaded by your swf. There are plenty of XSS attacks staged right now via barely-trusted content, and the attack vector there is JavaScript (or "HTML5" if you prefer). Additionally, with the ever increasing amount of access that HTML5 will allow to the user's system and data, that can only mean an increased attack surface for people with bad intentions. But again, this is mostly based on whether you allow 3rd party code to execute on your page...

If you're not allowing 3rd party code into your application, then unless a hacker breaks into your system and replaces your swf with one of their own creation, these questions really don't have much meaning, and if a hacker did do this, then it really doesn't matter whether it's Flash, Silverlight, or JS, you and your users will be toast no matter what.