Flash Player Security
The core of the Platform is the Flash Player
Alberto González
• +12 years working with the Flash Platform (Flash, Flex, AIR, ActionScript, Flash servers and more)
• Information Security Consultant focused on web security, wireless communications, cryptography.
• Co-founder of the AATC Activ
Adobe Flash Player
• A cross-platform browser-based application runtime that provides viewing of expressive applications, content and videos across browsers and operating systems.
Flash Player settings
Virus invulnerability?
Flashback!
Flashback
• September 2011
• Trojan
• Sends data such as passwords, credit card numbers, etc. to malicious servers
• Makes the infected machine a botnet member
• New variant in 2012 (Java)
– Window asking for an administrative password
– Window asking you to accept a certificate from Apple
Prevention
• Install all software directly from the vendor website
– Download and install Flash Player from Adobe.com
• Install the Java update with Software Update in Mac OS
• Check for infections at http://www.flashbackcheck.com/
Java update for Mac OS
Protect your Mac
• Use an antivirus
• Use an account without administrative privileges
• Use strong and complex passwords
• Use a web browser with a sandbox to isolate external processes (Chrome, Firefox)
• Update Java, Flash Player and Adobe Reader
• Disable connections when not in use (Airport, Bluetooth)
• Encrypt the hard drive (FileVault)
Flash Player behaviour in browsers
Protected mode, privacy mode and sandboxes
• Flash Player runs in protected mode
– Low-privilege processes
• Flash Player runs within a sandbox
– Limits OS permissions of Flash Player
• Flash Player runs within the browser’s sandbox
– Limited permissions on the device
Protected mode, privacy mode and sandboxes
• Flash Player supports private browsing and storage deletion options
• Security by default for webcam and microphone use
Flash Player background updater
Demo
Audio Security
More security features in Flash Player
• Support for SSL Socket connections
– SSL >= 3.0
– TLS >= 1.0
– flash.net.SecureSocket
• Secure Random Number generator
– flash.crypto.generateRandomBytes()
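As an added illustration of the two APIs named above (this is example code written for this page, not code from the talk or from Adobe), the ActionScript 3 class below opens a TLS connection with flash.net.SecureSocket, checks the server certificate status before sending anything, and uses flash.crypto.generateRandomBytes() instead of Math.random() to build a nonce. The host, port, class name and the "HELLO <hex>" line format are assumptions chosen for the example.

```actionscript
package {
    import flash.crypto.generateRandomBytes;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.ProgressEvent;
    import flash.events.SecurityErrorEvent;
    import flash.net.SecureSocket;
    import flash.security.CertificateStatus;
    import flash.utils.ByteArray;

    // Added example, not part of the original slides: a TLS client built on
    // flash.net.SecureSocket that seeds a nonce from flash.crypto.generateRandomBytes().
    public class SecureSocketExample extends Sprite {
        // Hypothetical endpoint; replace with your own TLS-enabled server.
        private const HOST:String = "example.com";
        private const PORT:int = 443;
        private var socket:SecureSocket;

        public function SecureSocketExample() {
            // SecureSocket requires Flash Player 11 / AIR 2 or later; check first.
            if (!SecureSocket.isSupported) {
                trace("SecureSocket is not supported in this runtime");
                return;
            }
            socket = new SecureSocket();
            socket.addEventListener(Event.CONNECT, onConnect);
            socket.addEventListener(ProgressEvent.SOCKET_DATA, onData);
            socket.addEventListener(IOErrorEvent.IO_ERROR, onError);
            socket.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onError);
            socket.connect(HOST, PORT);
        }

        private function onConnect(e:Event):void {
            // CONNECT only fires after a successful handshake, but the certificate
            // status is still checked and logged so failures are visible in diagnostics.
            if (socket.serverCertificateStatus != CertificateStatus.TRUSTED) {
                trace("Unexpected certificate status: " + socket.serverCertificateStatus);
                socket.close();
                return;
            }
            // 16 bytes from the runtime's cryptographically secure generator;
            // Math.random() is not suitable for tokens, nonces or keys.
            var nonce:ByteArray = generateRandomBytes(16);
            socket.writeUTFBytes("HELLO " + toHex(nonce) + "\n");
            socket.flush();
        }

        private function onData(e:ProgressEvent):void {
            trace("received: " + socket.readUTFBytes(socket.bytesAvailable));
        }

        private function onError(e:Event):void {
            // A SecurityErrorEvent here usually means the server certificate was
            // rejected (untrusted, expired or host-name mismatch) or the socket
            // policy check failed; treat both as a failed connection, never bypass it.
            trace("connection failed: " + e);
        }

        private static function toHex(bytes:ByteArray):String {
            var s:String = "";
            bytes.position = 0;
            while (bytes.bytesAvailable) {
                var b:uint = bytes.readUnsignedByte();
                s += (b < 16 ? "0" : "") + b.toString(16);
            }
            return s;
        }
    }
}
```

When this runs inside the browser plugin (as opposed to AIR), the server must also serve a socket policy file or the connect attempt is refused by the runtime before any TLS traffic is sent; that refusal surfaces as the same SecurityErrorEvent handled in onError.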
Questions?
@albertx
http://albertx.mx/blog