Adobe Flash Sandbox Cracked, Takes It Back To Square One

On Tuesday, security researcher Billy Rios demonstrated a proof-of-concept attack that exposes a vulnerability in the Adobe Flash sandbox. The sandboxing system used by Adobe Flash is open to a simple hack that allows communication with a remote host.


Adobe had done a good job of sandboxing technologies like Flash and Reader, as they were the most vulnerable content on the Internet. However, it now seems that this sandboxing can be broken without writing a single line of code. Rios has proved this by simply changing Windows settings, which was enough to crack the sandbox on Adobe Flash. However, Google Chrome's sandbox for Adobe Flash is safe from this attack.

This has been reported at Information Week as:

In particular, Rios tapped the mhtml protocol handler that’s built into Windows 7 and which will launch with no warning to the user. With mhtml, “it’s easy to bypass the Flash sandbox,” he said, and transmits data to a remote server without a user ever knowing that the exploit occurred.

Anup Ghosh, the founder and chief scientist of Invincea, a company that deals with sandboxing technologies, had this to say:

This is a flaw in design, it’s not a flaw in implementation or coding.

According to what is being reported everywhere, this hack can be prevented by blocking the mhtml protocol. Adobe has yet to comment on this vulnerability.


Published by

Chinmoy Kanjilal
