Is “swf” the new “wtf“? What’s happening with the Flash player? The Adobe’s multimedia platform has been targeted by multiple 0-days since the beginning of 2015! Just have a look on cvedetails.com. Two days ago, security researchers at TrendMicro found another one. It is identified as CVE-2015-0313.
Bored by the multiple patches released by Adobe and the impact on the deployment, many security people are brainstorming about a potential removal of the popular browser plugin from their computers (and their users’ computers). Is it a good idea? If more and more websites are offering alternative interfaces via HTML5 (like Youtube), there are again lot of websites which won’t work without Flash support. In my case, a good example is Deezer which uses .swf files for its players!
To protect ourselves, why not build a whitelist of trusted Flash files? Here is a quick setup via Squid, the open source proxy. Squid has very powerful features and amongst some of them, it offers a powerful ACL (“Access Control List“) system. Basic ACL’s can be used to filter domain names, IP addresses or ports but they are very interesting ACL types like:
- url_regex – which matches on full URLs
- urlpath_regex – which matches on URLs paths (without the protocol – http[s]:// – and hostname/IP)
Regular expressions can be used or flat files (1 element / line). Let’s define two new ACLs:
acl FlashBlacklist urlpath_regex -i \.swf acl FlashWhitelist urlpath_regex "/etc/squid3/allowed-swf.txt"
The first one will match the string (non case sensitive) “.swf” in the URL path and the second one will match any regex from the file “/etc/squid3/allowed-swf.txt“. The file looks like this:
/embedded/small-widget-v2.swf /swf/coreplayer3-v00341125.swf /swf/singlePlayer-v10.swf
This example matches the Flash files used by the Deezer player. The next step is to apply the ACL:
http_access allow FlashWhitelist http_access deny FlashBlacklist
Take care to insert them at the right place within your existing ACLs! Here is the result in the Squid log file:
# grep swf /var/log/squid3/access.log 1423084706.664 0 192.168.254.200 TCP_DENIED/403 3889 GET http://taggalaxy.de/taggalaxy_beta.swf - NONE/- text/html 1423084748.191 0 192.168.254.200 TCP_DENIED/403 3969 GET http://s0.2mdn.net/3070333/beco111_Day_Trip_Promo_Fr_300x250.swf - NONE/- text/html 1423084775.988 8 192.168.254.200 TCP_HIT/200 58684 GET http://cdn-files.deezer.com/swf/coreplayer3-v00341125.swf - NONE/- application/x-shockwave-flash
Note that Squid can also block traffic based on the MIME type of objects but the detected type is not always correct (see the 2nd line). Now, it’s up to you to catch the denied access with your preferred log management tool.
Working with whitelist is not the most efficient way to allow access to trusted files but it is the most secure. By default, any .swf file will be blocked. Last remark, this is just a quick countermeasure: it must not prevent you to patch your systems!