
Flash in the Dark: Illuminating the Landscape of ActionScript Web Security Trends and Threats




Journal of Information System Security
Volume 13, Number 2 (2017)
Pages 59–95
ISSN 1551-0123
Meera Sridhar — University of North Carolina, Charlotte, USA
Mounica Chirva
Benjamin Ferrell — The University of Texas, Dallas, USA
Kevin W. Hamlen — The University of Texas, Dallas, USA
Dhiraj Karamchandani — The University of Texas, Dallas, USA
Information Institute Publishing, Washington DC, USA




As one of the foremost scripting languages of the World Wide Web, Adobe's ActionScript Flash platform now powers multimedia features for a significant percentage of all web sites. However, its popularity and complexity have also made it an attractive vehicle for myriad malware attacks over the past six years. Despite the perniciousness and severity of these threats, ActionScript has been significantly less studied in the scholarly security literature than the other major web scripting language, JavaScript. To fill this void and stimulate future research, this paper presents a systematic study of Flash security threats and trends, including a finer-grained taxonomy of Flash software vulnerability classes, a detailed investigation of over 700 Common Vulnerability and Exposure (CVE) articles reported between 2008 and 2016, and an examination of the fundamental research challenges that distinguish Flash security from other web technologies. The results of these analyses give researchers, web developers, and security analysts a better sense of this important attack space, and identify the need for stronger security practices and defenses for protecting users of these technologies.




Workplace Common Vulnerabilities and Enumeration, Adobe Flash, ActionScript, Virtual Machine



