February 22, 2010
Answered

how to avoid forced downloads via Flash in webmail?

  • February 22, 2010
  • 2 replies
  • 2915 views

I now receive a lot of spam formatted in HTML and referencing a malicious Flash object, supposed to display a video that does not run, but that still triggers an immediate download of a malicious .EXE file (a worm), downloaded from the same site as the video.

Why does just previewing the HTML message in my webmail not only show the malicious video component rendered in the stopped state (I don't click anywhere in the message), but also immediately activate its internal JavaScript, which immediately starts a download and opens a new browser window?

I did not find any solution for this problem; as it now prevents me from even previewing messages before deleting them, I will soon have to DROP FLASH completely.

Downloading a file should not be authorized by default in Flash without a user action initiating it, notably when the component comes from a domain other than the zone of the displayed HTML message (which is anyway in the same zone as potentially dangerous sites).

I've set up Flash to use the maximum security settings; this does not work. Those pesky spams will kill Flash completely for me.

Please, Adobe, find a solution where I can forbid any Flash component loaded from an unsecured zone from downloading to local disk, and where the only interaction possible is ONLY to load the SWF and initialize it in a non-active state, where it will just display the first static image of the video and no script will be activated before an explicit user action.

For Flash, the only user action that launches the download is a simple mousehover. This is really not enough, because the SWF covers the whole surface of the webmail (whose title for now is "holaaaa!", and which displays a Flash video component showing a Hispanic woman laughing).

I've not been able to record a safe copy of this spam without partly activating it. This SWF absolutely wants to force the download of "FlashPlayer10.0.45.2.exe", which is NOT the original from Adobe and is infected; it also tries to download other files, but as I block the first one, the remaining files don't appear.

I really think that this is a huge security hole in Flash, which is already being exploited, now massively via spam (I receive copies of these spams referencing this worm-SWF about 5 or 6 times a day, and this number is growing; the content shows some text in Spanish, but this does not matter).

The HTML content of the spams just contains this malicious Flash:
<embed height="360" type="application/x-shockwave-flash" width="634" src="http://www.users.qwest.net/~benpeg72/Secure/wanadoo.swf">
(Various URLs are used for the same Flash object, from all around the world, on lots of domains and in lots of user web spaces or blogs allowing Flash videos; this one may already be blocked by the time you read this message.)

Please investigate.

    This topic has been closed for replies.

    Correct answer: Tomasz77 (posted February 22, 2010)

    Hello verdy,

    thanks for posting also in my thread to alert me.

    Am I right to conclude you receive this spam via your mail program? If yes, a possible security measure would be to deactivate showing the HTML content in the mail program (my mail program, Thunderbird, does it this way by default).

    If you want to bring this to Adobe's attention, I would advise opening a support case as well, as I'm not sure if this forum is browsed by Adobe employees regularly.

    However, do not count too much on the alertness of the Adobe employee that answers your support case.

    Hope this helps,

    Thomas

    Message was edited by: Tomasz77 (erroneous ref. to Javascript deleted)

    2 replies

    February 24, 2010

    Update: this SWF vector is now detected by Avira as "SWF/Dldr.CM"

    February 24, 2010

    Hi Verdy, It has been a busy day (night also). I read your posts on the other thread and this one. Just wanted to let you know that I appreciate you taking the time and work in posting the information on this issue. Granted, much is beyond my understanding, but I understood enough to realize the risk involved.

    Until you posted I didn't really understand what had happened to Tomasz77. I wasn't aware of that at all.

    So, I just wanted to say thank you. I'm glad Avira got involved also. I'm sure in the next few days we will hear more of this.

    Regards,

    eidnolb

    Participant
    February 24, 2010

    Is this only happening in spam? I try to never open any e-mails from people that look like spam or that I don't recognize. Is it possible for these forced downloads to release a virus? That is what I am always afraid of, after my last computer got fried by one.


    February 22, 2010

    Yes, I received it in an HTML mail just containing this <embed> element, which will be rendered by Flash.

    The problem is that Flash, when it is loaded in an unsafe web zone (such as an email), will automatically enable the mousehover event.

    If you're reading your mails online in a webmail, even in the safest "preview" mode, it will still allow showing the first frame and the GUI of the video component, but it will also enable the mousehover event, which will be raised almost immediately as soon as you open the preview (the Flash component covers almost all the screen, so there's a big chance that the mouse cursor will be within the area covered by the component when the preview opens, and a mousehover event occurs immediately that activates the malicious JavaScript in the SWF file).

    I absolutely don't know how Flash can be restricted further by detecting a cross-zone or cross-domain scripting security issue here: can the locally installed embedded plugin, loaded from an unsecured zone or from a webpage served by the webmail service, detect that the referenced SWF is in fact loaded from another, unrelated domain, so that it should also be rendered as unsecured, with ALL user interactions disabled until there's an explicit CLICK?

    A mousehover is not enough. In an unsafe environment, only an explicit click should be allowed (so "onmouseclick" could be enabled to activate the Flash object, but "onmousehover" should not be honored).

    What is worse is that the component can also immediately start an active download to local disk, by default into the default download folder, which is where you typically download your Flash Player installers (so this SWF will attempt to overwrite the existing local copy of the original Adobe Flash Player installer). It will also attempt to download some other scripts that will force running this bad installer. It also immediately opens a new browser window that will attempt to download and run other files in the local zone.

    I've never seen such use of Flash within emails before, allowing it to run this way. I think this is a new security hole and a new exploit: something is probably wrong in the Flash security settings (a door supposed to be closed can be opened by the JavaScript within an external SWF file).

    I've reported all these spammy worms as spam to my webmail provider, but they still continue to reach my mailbox, at an increasing rate and from all around the world. This suggests that the worm is very successful in its infection, and so there's really a security issue that is not covered anywhere.

    None of my antivirus and antispyware programs are detecting this worm (and none of my antispam filters are detecting it either): it is possibly using mutable code with encryption to hide the effects of its embedded malicious Flash JavaScript.
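    The first post shows the spam's only payload, an <embed> pointing at an external SWF, and the reply above explains why merely previewing it is enough to trigger it. Tomasz77's suggested defence is to stop rendering HTML mail altogether; a more targeted version of the same idea is to strip every element that can run code or load a plugin before the preview pane sees the message. The following is an added example for this thread, not Adobe's code and not any webmail provider's code; the sample message and its host name are constructed placeholders.

```python
# Added example: strip active content (<embed>, <object>, <script>,
# <iframe>, <applet>) from an HTML mail body before a preview pane renders
# it, and record what was removed so a spam filter can score the message.
# Not Adobe's code and not any webmail provider's code.  The sample mail
# below is constructed; its host name is a placeholder.
from html.parser import HTMLParser

# Elements that can execute code or load a plugin; a preview pane should
# never render these.
ACTIVE_TAGS = {"embed", "object", "script", "iframe", "applet"}
FLASH_MIME = "application/x-shockwave-flash"
PLACEHOLDER = "[active content removed]"


class ActiveContentStripper(HTMLParser):
    """Rebuilds the HTML while dropping ACTIVE_TAGS and their bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # sanitized fragments, joined at the end
        self.removed = []      # what was dropped, for logging / spam scoring
        self._skip_depth = 0   # > 0 while inside a stripped element's body

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            a = dict(attrs)
            self.removed.append({
                "tag": tag,
                "src": a.get("src") or a.get("data") or "",
                "type": a.get("type") or "",
            })
            if not self._skip_depth:
                self.out.append(PLACEHOLDER)
            if tag != "embed":   # <embed> has no body; the others do
                self._skip_depth += 1
            return
        if not self._skip_depth:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if tag != "embed" and self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass   # comments can carry conditional content; drop them

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitize_html_mail(html):
    """Return (sanitized_html, list_of_removed_elements)."""
    p = ActiveContentStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


def references_flash(removed):
    """True if any stripped element pointed at a Flash object, by MIME type
    or .swf extension; a useful signal for a spam score."""
    return any(
        r["type"].lower() == FLASH_MIME or r["src"].lower().endswith(".swf")
        for r in removed
    )


# Constructed sample modelled on the spam quoted in the thread; the host
# name is a placeholder, not a real address.
SAMPLE_MAIL = (
    "<html><body><h1>holaaaa!</h1>"
    '<embed height="360" type="application/x-shockwave-flash" width="634" '
    'src="http://spam.example.invalid/Secure/wanadoo.swf">'
    "<p>message text</p>"
    '<script>window.open("http://spam.example.invalid/dl");</script>'
    "</body></html>"
)

if __name__ == "__main__":
    clean, removed = sanitize_html_mail(SAMPLE_MAIL)
    print(clean)
    for r in removed:
        print("stripped:", r)
    print("flash referenced:", references_flash(removed))
```

    The stripper keeps the visible text and ordinary markup so the user can still read and judge the message, which is what a preview pane is for, but nothing survives that could raise a mouse event, open a window or start a download. `html.parser` is deliberately lenient, so for production use a maintained sanitizer library with an allow-list of tags and attributes; the principle is the same.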

    February 22, 2010

    Hi Verdy (Tomasz77 too) Thanks for the explanation of what is going on. I replied to your post to Tomasz77, but your additional information here is very helpful.

    I use Hotmail and can enter websites and email addresses into a "Safe List", and the spam control that Hotmail provides is second to none in my opinion. I never receive spam and don't open any email whose sender I don't know; I immediately mark it (check the box beside the email) as junk, which marks the sender as Unsafe, and then I delete the email without ever opening it. Once I do that I never receive another email from that sender. This is how I handle emails from unknown websites or addresses.

    The website www.cnet.com has an excellent forum. One is about Security and they post all of the risks daily. I have not had time to check what they are saying about what you describe, but I'm sure they are on top of it.

    Perhaps some of the Adobe Techs will see your post and reply.

    Thanks for explaining this in more detail.

    eidnolb