Adobe Flash Sandbox Cracked, Takes It Back To Square One
By on January 15th, 2011

On Tuesday, a security researcher Billy Rios demonstrated a proof-of-concept attack depicting the vulnerability in Adobe flash sandbox. The sandboxing system used by Adobe flash has a simple hack that allows it to communicate to a remote host.

flash-logo

Adobe had done a good job in sandboxing technologies like Flash and Reader as they were the most vulnerable contents on the Internet. However, now it seems that this sandboxing can be broken without writing a single line of code. Ross has proved this by simply changing Windows settings, which was enough for cracking the sandbox on Adobe Flash. However, the Google Chromes sandbox for Adobe Flash is safe from this attack.

This has been reported at Information Week as:

In particular, Rios tapped the mhtml protocol handler that’s built into Windows 7 and which will launch with no warning to the user. With mhtml, “it’s easy to bypass the Flash sandbox,” he said, and transmits data to a remote server without a user ever knowing that the exploit occurred.

Anup Ghosh, the founder and chief scientist of Invincea, a company that deals with sandboxing technologies had this to say:

This is a flaw in design, it’s not a flaw in implementation or coding.

From what is being reported everywhere, this hack can be prevented by blocking the mhtml protocol. Adobe is yet to comment on this vulnerability.

(Image via: Webmonkey)

Tags: ,
Author: Chinmoy Kanjilal Google Profile for Chinmoy Kanjilal
Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Chinmoy Kanjilal has written and can be contacted at chinmoy@techie-buzz.com.

Leave a Reply

Name (required)

Website (optional)

 
 
Copyright 2006-2012 Techie Buzz. All Rights Reserved. Our content may not be reproduced on other websites. Content Delivery by MaxCDN