
As Flash is a real security mess, I started blacklisting Flash at our proxy by blocking any content with the MIME type application/x-shockwave-flash, which works pretty well as far as I can tell. The proxy does SSL interception, so it covers both HTTP and HTTPS, and I don't allow any other protocol to get out, so loading Flash from an FTP server, for example, isn't possible either.

But I'm asking myself if this is enough, because a malicious web server could simply fake a MIME type and then send Flash to the browser anyway? Would this work, or is Flash bound to some limitations to prevent such behavior?

Benoit Esnard
davidb
    It would be better to disable flash on Desktops. This way you'd get better fallback to HTML5 video. This could be done with a little bit of scripting. It would not be really very easy, but there are benefits undoubtedly. – Aria Jul 18 '16 at 21:46
    Also, .NET would be a good option. Just drop the exe to keep that Flash disabled. For example, Google Chrome preferences are in a text file. You can also deploy a bundle to domain computers where there's no Flash (Chrome and Firefox). I know it sounds weird, but it would give enough flexibility (e.g. one can still enable between reboots if really needed). – Aria Jul 18 '16 at 22:03

1 Answer


Filtering Flash on MIME type is a security enhancer, but not one without holes.

With an SSL-privy proxy, you can ensure against a man-in-the-middle attack, but (as you suspected) not against Flash documents served from legitimate servers with illegitimate MIME types in their headers.

I wouldn't want to trust that video/x-flv, image/vnd.rn-realflash, and application/x-shockwave-flash are the only MIME types that invoke Flash on all HTTP clients.

If you have control of all the clients on the network, the comment about disabling Flash might work, which may be difficult if you have users that depend on a variety of operating systems and browsers to do their jobs.

One possible solution is to set up the proxy (if regular expressions are available) to block any MIME type matching /(flash|shock|flv)/, which will be more secure and somewhat unlikely to block MIME types you want to permit.

Douglas Daseeco
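Added example, not part of the original answer or of any proxy's own code: a filter decision that applies the answer's MIME-type pattern and, going one step beyond it, also checks the first bytes of the response body for the SWF and FLV file signatures, so a Flash file labelled with an unrelated MIME type is still caught. The function names and sample responses are constructed for illustration.

```python
import re
import struct

# Pattern suggested in the answer, matched case-insensitively against the MIME type.
FLASH_MIME = re.compile(r"(flash|shock|flv)", re.IGNORECASE)

# File signatures: SWF begins with FWS (uncompressed), CWS (zlib) or ZWS (LZMA);
# FLV video begins with "FLV" followed by the version byte 0x01.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
FLV_MAGIC = b"FLV\x01"


def looks_like_flash(head: bytes) -> bool:
    """True if the first bytes of a response body look like an SWF or FLV header."""
    if head.startswith(FLV_MAGIC):
        return True
    # SWF header: signature (3 bytes), version (1), total file length (4, little endian).
    if len(head) >= 8 and head[:3] in SWF_MAGIC:
        (declared_len,) = struct.unpack("<I", head[4:8])
        return declared_len >= 8  # the length field includes the 8-byte header itself
    return False


def verdict(content_type: str, body: bytes) -> str:
    """Return 'allow' or a block reason for one response (hypothetical helper)."""
    mime = content_type.split(";", 1)[0].strip()  # drop parameters such as charset
    if FLASH_MIME.search(mime):
        return "block: MIME type"
    if looks_like_flash(body[:8]):
        return "block: body signature"
    return "allow"


# Constructed sample responses: (Content-Type header value, start of body).
SWF_BODY = b"FWS\x09" + struct.pack("<I", 64) + b"\x00" * 56
SAMPLES = [
    ("application/x-shockwave-flash", SWF_BODY),  # honestly labelled
    ("Video/X-FLV; charset=binary", b"FLV\x01\x05\x00\x00\x00\x09"),
    ("image/png", SWF_BODY),                      # Flash behind a false label
    ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("text/plain", b"CWS is an abbreviation"),    # short text, no valid header
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(f"{ctype:35} -> {verdict(ctype, body)}")
```

The signature check only sees the body as delivered, so a proxy has to apply it after undoing any Content-Encoding such as gzip.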