Friday, December 17th, 2010
I had the honor of presenting at RuxCon and BayThreat this year. Both were great conferences with great people. I’m always humbled when I learn of what others are doing in the security community and even more humbled when asked to present. I gave a presentation called Will It Blend. The title of the talk is based on a series of videos from Blendtec (I could watch these videos all day). The content of the talk however is about “blended threats”. During the talk I presented a set of bugs I discovered in various browser plug-ins. Independently, these bugs are pretty lame. However, if we chain the bugs together, we get something that’s actually pretty interesting. If you’re interested in taking a look at the slides, you can find them here (PPTPLEX format) or on the RuxCon/Baythreat websites. The vuln chaining is a little difficult to visualize by looking at the slides, so at the end of my talk I gave a live demo of the bugs being chained together. For those who were unable to attend my talk live, I’ve created a video to help understand how the exploit would be pulled off (http://www.youtube.com/watch?v=fMFVVNE8ytQ). It will help to go over the slides first, then watch the video.
Most of the relevant code is available in the slide deck (its really simple). There are around 5 different bugs in play here, involving a variety of vendors. All the vendors involved have been contacted. The oldest bug here is over a year old, the youngest is about five months old. Kudos to Adobe. Adobe X has changed its caching behavior, so this specific attack cannot be used against Adobe X users.
I’m not sure where the blame lies for fixing these issues. On one hand, if a single vendor addresses their portion of the attack, the entire chain of vulnerabilities is broken. On the other hand, if only one vendor addresses their issue, all we have to do is find some other software/plugin that buys us the same capability and its game on again.
I hope someone finds the presentation useful. Happy hunting.