how to avoid forced downloads via Flash in webmail?

Guest, Feb 22, 2010
I now receive a lot of spams formatted in HTML and referencing a malicious Flash object, supposed to display a video that does not run, but that still activates an immediate download of a malicious .EXE file (a worm) downloaded from the same site as the video.

Why does just a preview of the HTML message in my webmail not only show the malicious video component, rendering it in the stopped state (I don't click anywhere in the message), but also immediately activate its internal JavaScript, which immediately starts a download and opens a new browser window?

I did not find any solution for this problem; as it now forbids me just previewing messages before deleting them, I will soon have to DROP FLASH completely.

Downloading a file should not be authorized by default in Flash, without a user action initiating it, notably when the component comes from another domain than the zone of the displayed HTML message (which is anyway in the same zone for potentially dangerous sites).

I've set up Flash to use the maximum security settings; this does not work. Those pesky spams will kill Flash completely for me.

Please, Adobe, find a solution where I can forbid any Flash component loaded from an unsecured zone to use a download to local disk, and where the only interaction possible is ONLY to load the SWF and initiate it in a non-active state where it will just display the first static image of the video and no script will be activated before an explicit user action.

For Flash, the only user action that launches the download is a simple mousehover. This is really not enough, because the SWF covers the whole surface of the webmail (whose title is for now "holaaaa!", and displays a Flash video component showing a hispanic woman laughing).

I've not been able to record a safe copy of this spam without activating it partly. This SWF absolutely wants to force the download of "FlashPlayer10.0.45.2.exe" which is NOT the original from Adobe and is infected, it also tries to download other files, but as I block the first one, the remaining files won't appear.

I really think that this is a huge security hole in Flash, which is already exploited, now massively via spams (I receive copies of these spams referencing this worm-SWF about 5 or 6 times a day, and this number is growing, the content shows some text in Spanish, but this does not matter).

The HTML content of the spams just contains this malicious Flash:
<embed height="360" type="application/x-shockwave-flash" width="634" src="http://www.users.qwest.net/~benpeg72/Secure/wanadoo.swf">
(various URLs are used for the same Flash object, from all around the world on lots of domains and in lots of user web spaces or blogs allowing Flash videos, this one may already be blocked, when you'll read this message).

Please investigate.
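A way to detect and neutralise such messages on the receiving side, as an added example that is not part of this thread or of any Adobe product: a small Python filter that parses a raw message, flags Flash <embed>/<object> references in its HTML parts (noting when the movie's host is unrelated to the sender's domain, the cross-domain case described above), and replaces those tags with inert text so a preview no longer loads the plugin (the "do not render active HTML content" mitigation suggested later in the thread, applied only to the plugin tags). The sample message is constructed; the .swf URL is the one quoted above; the function names are assumptions of this example.

```python
# Added example (not from the thread): a mail-gateway style check for Flash
# references in HTML e-mail, plus the "neutralise the active content" mitigation.
# SAMPLE_EML is a constructed message; the .swf URL is the one quoted in the post.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

FLASH_MIME = "application/x-shockwave-flash"

SAMPLE_EML = b"""From: "holaaaa!" <spam@example.net>
To: victim@example.com
Subject: holaaaa!
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<embed height="360" type="application/x-shockwave-flash" width="634"
 src="http://www.users.qwest.net/~benpeg72/Secure/wanadoo.swf">
</body></html>
"""


class FlashTagFinder(HTMLParser):
    """Collects every tag that would make a mail client load a Flash movie."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("embed", "object"):
            mime = a.get("type", "").lower()
            src = a.get("src") or a.get("data", "")
            if mime == FLASH_MIME or urlparse(src).path.lower().endswith(".swf"):
                self.hits.append({"tag": tag, "src": src})
        elif tag == "param" and a.get("name", "").lower() == "movie":
            # <object><param name="movie" value="x.swf"> is the other common form
            self.hits.append({"tag": "param", "src": a.get("value", "")})


def find_flash_tags(html):
    """Return a list of {'tag', 'src'} dicts for Flash references in an HTML string."""
    finder = FlashTagFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def sender_domain(msg):
    """Domain of the From: address, lower-cased, or '' if absent."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def scan_message(raw):
    """Parse a raw RFC 822 message and report Flash references in its HTML parts.

    Each finding carries the host the movie is fetched from and whether that
    host is unrelated to the sender's domain (the cross-domain case the post
    describes), which is the signal a gateway would alert or quarantine on.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = sender_domain(msg)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for hit in find_flash_tags(part.get_content()):
            host = (urlparse(hit["src"]).hostname or "").lower()
            same_domain = host == from_domain or host.endswith("." + from_domain)
            findings.append({**hit, "host": host,
                             "cross_domain": bool(host and from_domain) and not same_domain})
    return {"from_domain": from_domain, "findings": findings}


# Matches an <embed>/<object> start tag and, if present, everything up to its close tag.
_PLUGIN_TAG = re.compile(r"<(embed|object)\b[^>]*>(?:.*?</\1\s*>)?", re.I | re.S)


def sanitize_html(html):
    """Replace plugin containers with inert text, so the rest of the preview still
    displays but nothing in it can load the Flash plugin."""
    return _PLUGIN_TAG.sub("[plugin content removed by mail filter]", html)


def sample_html():
    """The HTML body of SAMPLE_EML (the text after the blank line ending the headers)."""
    return SAMPLE_EML.decode().split("\n\n", 1)[1]


if __name__ == "__main__":
    report = scan_message(SAMPLE_EML)
    for f in report["findings"]:
        print(f"{f['tag']} loads {f['src']} (cross-domain: {f['cross_domain']})")
    print(sanitize_html(sample_html()))
```

Run as a script it prints the one finding for the constructed message and the sanitized body. The sanitizer is deliberately narrow (only `<embed>`/`<object>` containers) so that a webmail or gateway can keep showing the text of a message while guaranteeing that no plugin is instantiated by a mere preview; a stricter deployment would render HTML parts as plain text altogether.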

Community guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.

Explorer, Feb 22, 2010 (marked as the correct answer)
Hello verdy,

thanks for posting also in my thread to alert me.

Am I right to conclude you receive this Spam via your mail program? If yes, a possible security measure would be to deactivate showing the HTML content in the mail program (My mail program, Thunderbird, does it this way as default).

If you want to bring this to Adobe's attention, I would advise to open a support case as well as I'm not sure if this forum is browsed by Adobe employees regularly.

However, do not count too much on the alertness of the Adobe employee that answers your support case.

Hope this helps,

Thomas

Message was edited by: Tomasz77 (erroneous ref. to Javascript deleted)

Guest, Feb 22, 2010
Yes, I received it in an HTML mail just containing this <embed> element that will be rendered by Flash.

The problem is that Flash when it is loaded in an unsafe web zone (such as an email), will automatically enable the mousehover event.

If you're reading your mails online on a webmail, even in the safest "preview" mode, it will still allow showing the first frame and the GUI of the video component, but it will also enable the mousehover event, which will be raised almost immediately as soon as you open the preview (the Flash component covers almost all the screen, so there's a big chance that the mouse cursor will be within the area covered by the component when the preview gets opened), so a mousehover event occurs immediately that activates the malicious JavaScript in the SWF file.

I absolutely don't know how Flash can be restricted more by detecting a cross-zone or cross-domain scripting security issue here: can the locally installed embedded plugin, loaded from an unsecure zone or from a webpage served by the webmail service, detect that the referenced SWF is in fact loaded from another unrelated domain, so that it should also be rendered as unsecure, with ALL user interactions disabled before there's an explicit CLICK?

A mousehover is not enough. In an unsafe environment, only an explicit click should be allowed (so "onmouseclick" could be enabled to activate the flash object, but "onmousehover" should not be honored.)

What is worse is that the component can also immediately start an active download to local disk, which by default goes to the default download folder, where you typically download your Flash Player installers (so this SWF will attempt to overwrite the existing local copy of the original Adobe Flash Player installer). It will also attempt to download some other scripts that will force running this bad installer. It also immediately opens a new browser window that will attempt to download and run other files in the local zone.

I've never seen such use of Flash within emails before, that allowed it to run this way. I think this is a new security hole, and a new exploit: something is probably wrong in the Flash security settings (a door supposed to be closed can be opened by the JavaScript within an external SWF file).

I've reported all these spammy worms as spams to my webmail provider, but they still continue to reach my mailbox, at an increasing rate from all around the world. This suggests that the worm is very successful in its infection, and so there's really a security issue that is not covered anywhere.

None of my antivirus and antispywares are detecting this worm (and none of my antispam filters are detecting it either): it is possibly using mutable code with encryption to hide the effects of its embedded malicious Flash-javascript.

Guest, Feb 22, 2010
Hi Verdy (Tomasz77 too), thanks for the explanation of what is going on. I replied to your post to Tomasz77, but your additional information here is very helpful.

I use Hotmail and can enter websites and email addresses into a "Safe List", and the spam control that Hotmail provides is second to none in my opinion. I never receive spam and don't open any email whose sender I don't know; I immediately mark it (check the box beside the email) as junk, which marks the sender as Unsafe, and then I delete the email without ever opening it. Once I do that I never receive another email from that sender. This is how I handle emails from unknown websites or senders.

The website www.cnet.com has an excellent forum. One is about Security and they post all of the risks daily. I have not had time to check what they are saying about what you describe, but I'm sure they are on top of it.

Perhaps some of the Adobe Techs will see your post and reply.

Thanks for explaining this in more detail.

eidnolb

Explorer, Feb 22, 2010
Hi,

I've given my 2 cents on this and I'm not a Flash expert in any way, so I'm afraid I can't be of further help.

I'm sorry that you can't disable HTML content completely in Hotmail. I don't know if you can connect a local mail client to Hotmail, thereby possibly circumventing the problem. I find using a local mail client much less hassle than always visiting a website to read your mail (which is only better when you want to read your mail from multiple computers).

Hope you can get this sorted out

Thomas

Guest, Feb 23, 2010
Hi Tomasz77, I just now read your message to me. Didn't see it come in. Thanks for your suggestions. I just keep my email open, so it is no bother to me. I know others like the webmail. What Hotmail has done is that unless I have listed the website or the sender as "Safe", all other emails that I receive are treated this way when I open them: there is a yellow banner with a warning and this message: "Attachments, pictures, and links in the message have been blocked for your safety." "Show Content" (my choice to click on to open what has been automatically blocked). Also beside the person or website (before I choose to "Show Content") is this message: "You may not know this sender" and then "Mark as safe" or "Mark as Junk". I don't participate in all of the social activities, entering personal info, pictures, etc. Not on Facebook either. The Contact list? Ha-ha, maybe 2, and that was accidental.

I am very, very selective on who I add to the Safe List. I treat this list as I do the "Trusted Sites" in Security in IE, which is not many :-) The less the better, just as I do with add-ons. I am known to keep the ActiveX add-ons disabled when not needed and enable them when I do.

Glad you posted your problem and made us aware of what is going on with the fakes on FP.

Safe Computing to you

Regards,

eidnolb

Guest, Feb 23, 2010
Update: this SWF vector is now detected by Avira as "SWF/Dldr.CM"

Guest, Feb 23, 2010
Hi Verdy, it has been a busy day (night also). I read your posts on the other thread and this one. Just wanted to let you know that I appreciate you taking the time and work in posting the information on this issue. Granted, much is beyond my understanding, but I understood enough to realize the risk involved.

Until you posted I didn't really understand what had happened to Tomasz77. I wasn't aware of that at all.

So, I just wanted to say thank you. I'm glad Avira got involved also. I'm sure in the next few days we will hear more of this.

Regards,

eidnolb

New Here, Feb 24, 2010
Is this only happening in spam? I try to never open up any e-mails from people that look like spam or that I don't recognize. Is it possible for these forced downloads to release a virus? That is what I am always afraid of, after my last computer got fried by one.

Guest, Feb 24, 2010
Yes, this SWF is a downloader, and it can use any kind of virus (it already does in addition to downloading a "new" FlashPlayer from unknown source).

The bad thing is that the SWF downloader can effectively bypass the Flash Player 10 security setting (no click required, a simple preview is enough, and the mouseover event is honored to launch the downloads before the anti-popup (built into the browser) can even detect it).

One good countermeasure is to make sure that the browser will ALWAYS ask for the storage location of newly downloaded files, so that you can cancel it. Don't allow it to proceed immediately using the default download folder of the browser (because then we still have the "save as..." confirmation dialog).

But I fear that it will be possible for a SWF downloader to bypass even this "save as..." dialog by providing a working location (if it can get access to the name of the user's home folder, something that will be easier than guessing the randomized folder name used by the browser's cache, or by the Flash Player cache).

Note also that if UAC is disabled, and the user is using an administrator account, the SWF downloader could also try to download directly into C:\Windows or C:\, but another accessible location is C:\Windows\Temp; for this reason, I have not named the Windows folder C:\Windows, and I have created another C:\Windows folder with all permissions denied to everyone, including the "System" account: I can read from it but can't even delete it myself or write anything there, except after booting in "safe mode" and logging in with a specific account using a key stored on a separate CDROM with various administration tools; even a live boot CD will not be able to write there.

Given that I've not allowed the download of the fake Flash Player that the SWF wants to save, I absolutely don't know if it's an original, or what it contains, or what effects it can have (the descriptions for both files are still incomplete on the websites of the security centers I have contacted and that have built detections or countermeasures for their security tools).
