Chenxi Wang

On Monday, March 23, 2009, HP’s Application Security Center announced the release of a free tool, SWFScan, designed to analyze security vulnerabilities in applications using Adobe Flash.

A few months earlier, IBM Rational announced the availability of their scanning/testing capability against Adobe Flash objects, which is a new addition to their AppScan 7.8 release on January 13, 2009.

For those who are not familiar with Adobe Flash, Flash is a multimedia platform that allows better processing of graphics, animation, special efforts, and bi-directional video streaming. Many websites that have rich interactive content or multimedia content use Flash as an underlying technology.

Before IBM and HP launched their Flash analysis tools, application scanners did not have the capability to process Flash objects. Given that many websites today use Flash, it is not surprising that we are starting to see the emergence of malicious Flash objects or Flash vulnerabilities being exploited for security breaches. Some embedded objects contain explicit exploits which, once downloaded, can turn your machine into a bot or otherwise wreak havoc on your PC.

An October 2008 study from the Opera developer community and found that 30-40% of all websites use Flash. Even this number seems a bit low to me; I can’t recall the last time I went to a site that didn’t use Flash. But then again, I’d imagine some geographies may be a bit slow in adopting technologies like this. Regardless, it’s without question that Flash is widely deployed and many expect to see Flash expanding its foothold in the Web development community.

HP and IBM took different approaches in analyzing Flash. HP’s SWFscan is a static analysis tool, meaning that the tool actually decomposes the scripts behind the Flash object (ActionScript), and statically analyzes what the script code does. IBM, on the other hand, utilizes a dynamic analysis approach — their analysis engine emulates the execution of the Flash object to discern its behavior and the existence of any vulnerabilities.

Which approach is better? Many in application security would agree that if you can do static analysis, you should do static analysis. Static analysis allows you to derive deeper knowledge of the code. Dynamic analysis is somewhat limited and has the problem of not knowing which is the right order of events to execute. However, in cases where Flash carries obfuscated code, it may be better to go with dynamic analysis.

The SWFScan tool is the first free tool of its kind in industry. This should help to spur interest within the Flash developers' community to more thoroughly test and develop secure Flash applications. Both SWFScan and IBM’s AppScan 7.8 support all versions of Flash.

Adobe also has resources on how to create secure Flash applications, available here.