Friday, July 11, 2014

Clearing up misconceptions about Rosetta Flash and some additional security notes

Our little discussion over Rosetta Flash, the exploit that should have you dragging the Flash plugin out to the dumpster and setting fire to it, has gotten picked up by several other blogs and news sites. Ordinarily this would be highly gratifying, but along the way there have been a few questions and a couple misconceptions, so let's elucidate.

Both Flashback and Rosetta Flash have something in common: they both attack the virtual machine which runs architecture-independent bytecode, in Java and Flash respectively. This is why the basic exploit works on Power Macs as well; we implement the same virtual machine so that the bytecode is machine-independent and doesn't have to be written for the actual CPU in use. In this kind of situation we're just bycatch. The exploit wasn't really targeted at us, but because we implement the same bytecode instruction set in the same way, we are vulnerable to the same problem. However, we don't get updates for Java or Flash anymore, so the exploit never gets patched.

This is the point at which the two issues diverge. Flashback exploited a weakness in the Java VM present in all versions, including PowerPC, allowing the program to escape its sandbox and do tasks it should not ordinarily be able to do. In Flashback's case, this was to download a regular binary program and execute it, allowing it to take control of the computer. If the authors of Flashback had thought of it and compiled that second binary as universal, it would have enabled them to take control of Power Macs as well. Even though the exploit is universal in the sense that it functions anywhere the vulnerable version of Java does, the payload it executed was not universal, so the attack failed -- but only for that reason. If a future attacker did build a PPC/x86 universal binary payload, they could still take advantage of the same flaw in the Java VM, and Power Macs would be able to execute the payload. Thus, Java is no longer safe to use on Power Macs running OS X.

Rosetta Flash proceeds differently. Flash applets are permitted to send cookie-bearing web requests to and from the domain that hosts it (which can contain, for example, login credentials and session information). This wouldn't help an attack much except when combined with a technology called JSONP, which is specifically designed to give scripts a way around the browser's built-in same-origin policy preventing documents and scripts on one origin from interacting with those on another. The details are pretty gnarly, but the basic notion is that JSONP facilitates an attacker controlling the output using a callback, and that output is a malicious SWF (the Flash applet format) encoded in ASCII that now can access the victim server with your credentials by combining Flash and JSONP's powers together. Now the attacker can do anything you can do, including post, read, send money ...

This attack is also, in a sense, universal, because it works on any vulnerable Flash implementation. However, it's not universal in the sense that a universal binary is universal, because it's not running a binary like Flashback does; the attack is accomplished with a single completely valid Flash applet that works on PowerPC and Intel. Furthermore, this exploit is fully weaponized: all an attacker needs to do is cut and paste the malicious SWF and put it up on a server with a crossdomain.xml allowing victim access. Since a lot of people update Flash slowly, this is a great opportunity for attackers. And we don't get updates at all!

The part that's particularly bad for us is even though the researcher who constructed Rosetta Flash also found a means for victim servers to combat it, the most productive way won't work on Flash 10.1 -- it needs 10.2. The callback can also be tainted so that the attacker can't meaningfully control it, but I consider that at best a temporary solution. Because the mitigations are inadequate and the attack will succeed against servers that do not guard against it, Flash is no longer safe to use on OS X Power Macs either.

However, people still want to use Flash on those really crappy sites that lock everything behind a Flash paywall, so people are still running Flash. Besides being a really bad idea, the fact is, it won't work forever anyhow: those sites are almost certainly the ones that will rely on DRM features in Flash that 10.1 will one day not implement. You need a better plan.

If you must run Flash, and if you do so you're making a big mistake, you really need to run it as separated from other things as possible and most importantly from the browser you use for logging into sites. If you run TenFourFox 24 or 31, as you should if you read this blog, then you are doing that already because 19+ won't run any plugins, including Flash. You could run it in another browser, but that browser itself needs to be up to date, and you should treat that browser as tainted and never use it for critical logins. Some folks have put it into a webapp with Fluid; this is not a terrible idea if you also install Tobias' Leopard WebKit so that at least a WebKit exploit won't ruin your day at the same time (if you're using 10.4, this is not an option). If you use MacTubes with Flash mode, you are essentially doing the same thing.

However, this won't protect you from the one day we get an exploit like Flashback's, and it won't protect you from future exploits. I practice what I preach. I have not used Flash since I banned it officially in TenFourFox 6 and completely in TenFourFox 19. I use MacTubes (in QuickTime mode, which has no known PowerPC exploits) and the QuickTime Enabler, and I won't use sites that demand I use a Flash-based player. If you install a user-agent switcher, you can pretend to be an iPad and many sites will give you an H.264 alternative the QTE will play.

You can also throw hardware at the problem. One very easy way is to get a Chromebook: these are cheap, they come available in ARM versions too for people like me who get hives buying x86 hardware, and ChromeOS has a built-in, constantly updated implementation of Flash. If you have Windows or OS X in a VM on your x86 Intel box, you could use that. You could even run it on a 10.6+ Intel Mac. But however you do it, you need to find an alternative. Flash isn't safe.

One other security note: Microsoft recently banned certificates impersonating major sites after the National Informatics Centre of India was compromised and used to generate malicious certs. This has been a chronic problem with SSL (previously, previously), but Firefox has never accepted the Indian NICCA root, and after this it almost certainly won't ever do so. We are therefore not vulnerable to this problem.

Finally, a shout-out to my friend Jon Schiefer, who completed his movie ALGORITHM and it had its first Hollywood screening last week. I was honoured to be consulted on the production and script; I'm surprised Jon still speaks to me after the amount of red ink I bled on early drafts. ALGORITHM will be free for streaming on July 13 only, so please visit the site on that date for more details and to see the film. Please support independent film and purchase a digital copy if you enjoyed it (DVDs and Blu-rays will hopefully be available in the very near future). This was made on a budget of $8,000 and everyone involved worked for a piece of the action. Let your support remind Hollywood that indie film drives America.


  1. followed your advice including disabling java and flash in Safari. Using just tenforty v 31 with mactubes and quick time enabler. work ine on you tube and hulu. what is chromebook though? is it a hardware firewall. where do I get it? I have a ibook g4 1..5 gig ram which I used deeper to speed up. now its faster than my intel mac mini!

  2. Thanks for the warning.
    So what shall I DO to get rid of Flash from my PowerMac G5?


Due to an increased frequency of spam, comments are now subject to moderation.