If a forged certificate is accepted when accessing the Flash Player’s Settings Manager, which is available exclusively online, attackers can potentially manipulate the player’s website privacy settings. This allows a web page to access a computer’s web cams and microphones and remotely turn the computer into a covert listening device or surveillance camera.
At the "Meta Rhein Main Chaos Days 111b" (German-language link), Fraunhofer SIT employee Alexander Klink presented a scenario in which he used a man-in-the-middle attack (MITM) to intercept the communication with Adobe’s Settings Manager. The Settings Manager itself is a simple Flash applet, and the Adobe pages load it into the browser as an SWF file via HTTPS; the link to it is hard-coded rather than user-configurable, so the applet is always fetched from the same Adobe address.
However, the MiTM attack allows attackers to inject a specially crafted applet which, to put it simply, manipulates the Flash cookies (Local Shared Objects, LSOs) on the victim’s computer in such a way that the computer’s web cam and microphone become accessible to arbitrary domains – by default, no domain has access to these components. This, in turn, allows images and audio to be transmitted to the attacker’s server via RTMP streaming.
While attackers need their potential victims to co-operate and accept a forged certificate in order to intercept the SSL connection, a certificate warning when accessing one of Adobe’s Macromedia pages is unlikely to arouse much suspicion, and once it is clicked through the injected applet runs with the same trust as the genuine Settings Manager.
A mitigation is to add the option “AVHardwareDisable = 1” to the mms.cfg file. mms.cfg is the Flash Player’s administrator configuration file; its settings take precedence over, and cannot be overridden from, the Flash Player Settings Manager, so a manipulated privacy setting cannot re-enable the hardware. The file is not necessarily present after installation, so create it if it is missing. It resides in the following locations for Flash 8 or later:
- Windows NT, 2K – C:\WINNT\System32\Macromed\Flash
- Windows XP, Vista – C:\WINDOWS\System32\Macromed\Flash (on 64-bit editions of Windows the 32-bit player reads C:\WINDOWS\SysWOW64\Macromed\Flash)
- Windows 95, 98, or ME – C:\Windows\System\Macromed\Flash
- Macintosh – /Library/Application Support/Macromedia
If you are still using a Flash version older than 8, upgrade before anything else.
Edit (or create) mms.cfg and add the directive on a line of its own:
    AVHardwareDisable=1
Setting “AVHardwareDisable=1” ensures that the Flash Player cannot access the system’s audio and video hardware for any SWF, regardless of what the per-site privacy settings say. The price is that legitimate Flash-based video chat or webcam applications stop working as well, so this is a lockdown for machines that do not need them rather than a targeted fix.
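The edit above is easy to get wrong at scale: a file may already contain an explicit AVHardwareDisable=0 (which must be replaced, not appended after), duplicates, comments, or Windows line endings, and the file may not exist at all. The following script is an added example, not code from the original article or from Adobe: it parses the simple key=value format of mms.cfg, reports whether camera and microphone access is effectively disabled, and rewrites the file so that exactly one AVHardwareDisable=1 line is in force. The candidate paths are the ones listed above plus the documented SysWOW64 location for the 32-bit player on 64-bit Windows; the assumption that a later conflicting line wins is a conservative reading for auditing purposes, not a statement about the player’s own parser.

```python
"""Audit and harden a Flash Player mms.cfg so that AVHardwareDisable=1 is in force.

Added example (not the article's or Adobe's code). mms.cfg is a plain
key=value file; this script treats '#' lines as comments and, when a file
contains conflicting entries, treats the last one as effective.
"""
import os
import platform
import re

DIRECTIVE = "AVHardwareDisable"

# Candidate locations for mms.cfg: the article's list plus the SysWOW64 path
# used by the 32-bit player on 64-bit Windows. Adjust if your install differs.
MMS_CFG_CANDIDATES = {
    "Windows": [
        r"C:\WINDOWS\System32\Macromed\Flash\mms.cfg",
        r"C:\WINDOWS\SysWOW64\Macromed\Flash\mms.cfg",
        r"C:\WINNT\System32\Macromed\Flash\mms.cfg",
    ],
    "Darwin": ["/Library/Application Support/Macromedia/mms.cfg"],
}

# key = value, with optional whitespace around '=' (the article writes it with spaces).
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_mms_cfg(text):
    """Return {key: value}; blank and '#' lines are ignored, a later key wins."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE_RE.match(stripped)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def av_hardware_disabled(text):
    """True only if the file carries an effective AVHardwareDisable=1."""
    return parse_mms_cfg(text).get(DIRECTIVE) == "1"


def enforce_av_hardware_disable(text):
    """Return the file body with AVHardwareDisable=1 in force.

    Any existing AVHardwareDisable line (including a weaker '=0') is replaced
    in place and duplicates are dropped, so the result has exactly one such
    line. Other directives, comments and the file's line-ending style are kept.
    """
    newline = "\r\n" if "\r\n" in text else "\n"
    out = []
    seen = False
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m and m.group(1) == DIRECTIVE:
            if not seen:
                out.append(f"{DIRECTIVE}=1")
                seen = True
            continue  # drop duplicate AVHardwareDisable lines
        out.append(line)
    if not seen:
        out.append(f"{DIRECTIVE}=1")
    return newline.join(out) + newline


def find_mms_cfg():
    """Return the existing mms.cfg for this OS, else the first candidate path
    (so a missing file can be created), or None on an OS not listed above."""
    candidates = MMS_CFG_CANDIDATES.get(platform.system())
    if not candidates:
        return None
    for path in candidates:
        if os.path.exists(path):
            return path
    return candidates[0]


def harden_file(path):
    """Rewrite mms.cfg at `path` if needed; returns True if the file was changed."""
    text = ""
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    if av_hardware_disabled(text):
        return False
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(enforce_av_hardware_disable(text))
    return True


if __name__ == "__main__":
    # Constructed sample: auto-update already disabled, but an explicit
    # AVHardwareDisable=0 still permits camera/microphone access.
    sample = "# constructed example\r\nAutoUpdateDisable=1\r\nAVHardwareDisable=0\r\n"
    print("disabled before:", av_hardware_disabled(sample))
    fixed = enforce_av_hardware_disable(sample)
    print(fixed)
    print("disabled after:", av_hardware_disabled(fixed))
    print("mms.cfg for this host:", find_mms_cfg())
```

Run `harden_file(find_mms_cfg())` from an elevated (administrator or root) shell, since the directory is system-owned; `av_hardware_disabled()` alone is enough for a read-only audit across a fleet, and it deliberately reports False for a commented-out `# AVHardwareDisable=1`, which is a common way the setting silently stops applying.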
