Adobe Flash Security Scan
While Adobe Flash offers many exciting possibilities to web developers and users alike, it also introduces several additional security risks to computer systems. We already discussed the impact of so called Flash Cookies which are able to track a user across multiple web browsers supporting Flash even if the normal cookies are deleted regularly.
The HP Security Laboratory has created the application SWF Scan which can be used by both developers and end users to analyze Adobe Flash files for more than 60 vulnerabilities. Usage is pretty simple and straightforward although interpretation of the findings might require a deeper understanding of Adobe Flash, or extensive research on the Internet. The application works with both local Adobe Flash files and those embedded in websites.
Users will first have to find out the direct url to the embedded flash file on the website. All web browser provide those capabilities. Firefox users for instance right-click the page and select Page Info from the context menu to get a list of objects that are embedded in the website.
A click on the Media tab, and a manual search for files of the type embed should be enough to find the url of the Adobe Flash file. A right-click on the flash object will open a menu with the option to copy the url to the clipboard.
Once the url has been copied to the clipboard it can be pasted into the interface of the HP SWF Scan application. A click on the get button next to the url bar will initiate a connection attempt of the Adobe Flash security scanner. If the file is a valid Adobe Flash file SWF Scan tries to decompile it automatically. If that is successful, information on that, and the actual source of the Flash file, are shown int he program interface.
A proficient Flash programmer can now analyze the code on his own. Everyone else is better of clicking on the Analyze button in the header of the security program. This will analyze the decompiled source code and provide a summary to the user.
The summary contains a list of vulnerabilities that have been found in the Adobe Flash file. A listed vulnerability mean that the Flash file might be vulnerable to exploits. Flash developers can then rewrite part of their application to fix the discovered vulnerabilities. End users on the other hand may be delighted to know that an Adobe Flash file does not contain any of the known vulnerabilities, but won't be able to fix vulnerabilities discovered during the scan. The option to inform the developer of the Flash file may be available though to get this resolved.
SWF Scan is a free download after a mandatory registration at the HP website. It is currently only available for the Microsoft Windows operating system.
Update: SWF Scan is no longer available. The tool was integrated into HP Fortify WebInspect, an Enterprise software. A free trial version is available on this website.
