Integrating Outdated Flash is a Bad Idea, Even Worse Running It Without a Sandbox

Shining the Light on the Security of Customized Browsers Used in China

When I traveled in China last time, I was quite surprised that the landscape of the software installed on Chinese PCs is quite different than what people have in the west, it looks like a different world. Usually, you will find a "central" tool that manages all the things for users, such as installing additional applications, installing security updates for the OS and applications. IMO all the things on the computer are "customized", a typical example is the browsers. People don't use the original Internet Explorer or Google Chrome, instead, they use the customized IE or Chrome, which is basically the IE/Chrome core plus a customized UI and additional features.

Here and here are 2 studies on the statistics about the customized browsers used in China.

As we know, building a secure browser is not an easy work, in fact, it's probably one of the most tough work in the security world (if you don't agree, try to find how many vulnerabilities have been patched in IE and Chrome). Thus, I was interested in how they can handle the security in their customized browsers. Some days ago, I decided to download the browsers and take a look, not surprised, a serious problem was identified in just few minutes.

The example I used is the Qihoo 360 Secure Browser, I found it's integrating a quite old Flash Player (specifically, the version is 11.6.602.180, about 2 years old). Even worse, the Flash plugin is running outside of a Sandbox. Following figure will show you the details.

What does this mean? Well, the most obvious scenario is that bad guys can use (any) previous (within 2 years) Flash exploits to attack the browser and gain the same privilege as the current user. You may have heard that Flash is really bad on security, you get it right. There are quite a lot of Flash working exploits out there for use to attack an outdated Flash Player.

I've made a video here demonstrating that an old Flash exploit (CVE-2015-0311) can still work perfectly on the latest (prior to my report) browser.

I have almost no words to say how bad it is. Think about it, hundreds of millions* are under the risk, while the attackers don't even need a zero-day to perform the attack - they can simply use a previous Flash exploit to take control of hundreds of millions of computers.

I've identified this problem on the Qihoo 360 Secure Browser as well as the Baidu Browser. I reported my finding to their product security teams immediately after my finding considering the seriousness of this issue, they took the issue very quickly and have already mitigated the issue within few days. For 360 Secure Browser, users are recommended to update their browser to 7.1.1.580.

Please note that this post is released with the pure purpose** of raising the awareness of this security problem in Chinese customized browsers. The theory is simple: if I could have found this security problem in minutes, it's highly likely that this problem has been well known by bad guys already. Moreover, the author hopes to inspire more whitehats to join the party to help secure all the Chinese software, most of these software are used by hundreds of millions but (unfortunately) their security are still at a pretty low level comparing to the software from international giants (e.g. Google, Microsoft). The author believes that Chinese computer users deserve the same security as others around the globe.

[Update on October 1, 2015]
As of October 1, 2015, The 360 Secure Browser is still running outdated Flash (specifically, 18.0.0.209) out of the Sandbox, see following figure. Basically it means that an old exploit (e.g. this one http://malware.dontneedcoffee.com/2015/08/cve-2015-flash-player-up-to-1800209-and.html) can be used to pwn any PC running the 360 Secure Browser easily. They seem to have fixed this (up-to-date Flash, running in the Sandbox) after I reported in April, but now rolled back, pretty bad idea from security point of view.



[Update on October 8, 2015]
After the Oct-1st update, researcher "mj0011" of Qihoo 360, has reached me about the Oct-1st finding on behalf of the vendor. They claimed that:

The browser could load 2 types of Flash runtimes when handling Flash contents: it will first detect if the computer's hardware supports WebGL, if it does, the browser will load the "pepperflash" - a Chrome-supported Flash runtime running inside the Chrome Sandbox. As the pepperflash runs inside a Sandbox, even the version is a little outdated, the impact of an exploitation could be mitigated.

On the other side, if the computer's hardware does not support WebGL, it then loads the NPAPI Flash, which runs outside a Sandbox. Unfortunately, due to compatibility issues of the newest Flash Players, they had to integrate the outdated Flash version. This is the situation I saw in the Oct-1st update.

While the outdated NPAPI Flash does introduce a immediate security risk, since most of the computers support WebGL - the pepperflash will be loaded instead of the NPAPI Flash, the overall security impact of the Oct-1st finding is limited.

Thanks,
Haifei

* According to http://se.360.cn, the 360 Secure Browser has a 400-million user base.
** Future explanations of this post, such as trying to embarrass any vendor, are not welcomed.