Radboud student discovers decade-old security flaw in Adobe Flash

Date of news: 9 March 2017

During a research project, Computing Science student Björn Ruytenberg has discovered a security flaw in Adobe Flash.

Commonly used in web browsers for video streaming, the program appears to be susceptible to an attack that allows illegitimately accessing local files and obtaining Windows user credentials.

Ruytenberg: "The issue resides in HTML and Office documents that incorporate Flash content. By design, a Flash application cannot concurrently access local files and connect to the Internet. However, a security vulnerability allows circumventing the former restriction. An attacker can leverage this vulnerability to access local files and obtain Windows user credentials, and upload both to a remote Internet server." (click here for a detailed report)

The vulnerability descends from Flash Player's security design. Consequently, it affects all current browsers, such as Chrome, Firefox and Internet Explorer. Additionally, recent versions of Microsoft Office are affected. The student has determined that the flaw has been part of Flash Player since version 9. This version has been released well over a decade ago.

Software company Adobe acknowledged the design flaw and issued a fix in September 2016. The fix turns out to be comprehensive: for every user, some of the Flash features will be disabled by default. "With Flash now prohibiting local file access in its entirety, browsing the web while having Flash enabled has become somewhat safer", the student added.

In an effort to motivate researchers to report security vulnerabilities, Adobe had launched a 'bug bounty' program on vulnerability platform HackerOne. However, Adobe terminated the program before fixing the flaw reported by the Computing Science student. Recently, after a long period of uncertainty, Adobe has decided to award the student a 3000 US Dollar bounty.

Björn Ruytenberg is a student in the TRU/e Master in Cyber Security program. This Master track is offered by Radboud University in association with Eindhoven University of Technology.