Thursday, October 20, 2011

Flash version check is MITMable on Mac OS X

Adobe Flash on Mac OS X provides a mechanism for users to check the version of Flash on their system to make sure it is not out of date.  This can be done via the somewhat new "Flash Player" System Preference Pane, which has a "Check Now" button to trigger a version check.



When users click on the Check Now button, the URL loaded is a plain HTTP URL and is therefore open to man-in-the-middle tampering.  The current version of Flash Player's System Preference Pane loads http://www.adobe.com/go/flash-player-updates, which redirects the user to https://www.adobe.com/software/flash/about/.

To make things worse, once you get to Adobe's SSLized site, users are given an HTTPS link to the Player Download Center that actually lands them back on a cleartext website, http://get.adobe.com/flashplayer/:


Since Adobe has a more secure download mechanism built into Flash already, surely instead of making the "Check Now" button put users at risk, they could simply trigger that code path.  Somehow this issue, as obvious as it is, and despite my best attempts at getting them to fix it, has still not been fixed in the latest version.  I believe Adobe has a responsibility to its users to do the right thing here.  It makes me want to ask someone at Adobe how something as basic as this does not fit into their secure development lifecycle.
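The two problems above (an update check that starts over cleartext, and an HTTPS page whose download link drops back to HTTP) are exactly the kind of thing a defender can audit mechanically. The following is an added example, not code from Adobe or from this post: it resolves a redirect chain offline from a constructed url-to-Location table modelled on the hops described above, then flags every hop that is not HTTPS and every hop or outbound link that downgrades from HTTPS to HTTP. The redirect and link tables are constructed for illustration; the function names are my own.

```python
"""Audit an update-check URL chain for cleartext hops and HTTPS->HTTP downgrades."""
from urllib.parse import urljoin, urlparse

# Constructed redirect table (url -> Location header) modelled on the post:
# the Check Now URL is plain HTTP and redirects to an HTTPS page.
CONSTRUCTED_REDIRECTS = {
    "http://www.adobe.com/go/flash-player-updates":
        "https://www.adobe.com/software/flash/about/",
}

# Constructed outbound links found on the final HTTPS page; the download
# link points back to a cleartext site.
CONSTRUCTED_LINKS = {
    "https://www.adobe.com/software/flash/about/": [
        "http://get.adobe.com/flashplayer/",
    ],
}


def follow_redirects(start_url, redirects, max_hops=10):
    """Resolve a redirect chain offline; relative Location values are
    joined against the current URL. Raises on loops or over-long chains."""
    chain = [start_url]
    current = start_url
    while current in redirects:
        if len(chain) > max_hops:
            raise ValueError("redirect loop or chain longer than max_hops")
        current = urljoin(current, redirects[current])
        chain.append(current)
    return chain


def audit_chain(chain):
    """Return (kind, index, url) findings for a list of URLs in hop order.
    'cleartext' marks any non-HTTPS hop; 'downgrade' marks an HTTPS->HTTP hop."""
    findings = []
    prev_scheme = None
    for index, url in enumerate(chain):
        scheme = urlparse(url).scheme.lower()
        if scheme != "https":
            findings.append(("cleartext", index, url))
        if prev_scheme == "https" and scheme == "http":
            findings.append(("downgrade", index, url))
        prev_scheme = scheme
    return findings


def audit_links(page_url, hrefs):
    """Return (kind, target) findings for links leaving page_url."""
    findings = []
    page_scheme = urlparse(page_url).scheme.lower()
    for href in hrefs:
        target = urljoin(page_url, href)
        target_scheme = urlparse(target).scheme.lower()
        if target_scheme != "https":
            findings.append(("cleartext", target))
        if page_scheme == "https" and target_scheme == "http":
            findings.append(("downgrade", target))
    return findings


def audit_update_check(start_url, redirects, links):
    """Full audit: follow the chain, then inspect links on the final page."""
    chain = follow_redirects(start_url, redirects)
    final_page = chain[-1]
    return {
        "chain": chain,
        "chain_findings": audit_chain(chain),
        "link_findings": audit_links(final_page, links.get(final_page, [])),
    }


if __name__ == "__main__":
    report = audit_update_check(
        "http://www.adobe.com/go/flash-player-updates",
        CONSTRUCTED_REDIRECTS,
        CONSTRUCTED_LINKS,
    )
    for hop in report["chain"]:
        print("hop:", hop)
    for finding in report["chain_findings"] + report["link_findings"]:
        print("finding:", finding)
```

A clean update path produces an empty findings list from both functions: every hop HTTPS, and no link on the final page pointing at an http:// target. Running this against the constructed tables reproduces the post's two complaints as a cleartext first hop and a downgraded download link.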
