With the discovery of the first Flash virus, the popular format joins the growing list of ways virus-writers can attack.
Flash's support of the ActionScipt language means there is a potential for more complex Flash viruses in the future.
Last week we saw a new member join this sad club, when anti-virus firm Sophos announced that they'd found the first virus that spreads through Macromedia's ubiquitous "Flash" multimedia format, which can be read by more than 97 percent of Web users.
This means we can add Flash movies to the growing list of ways virus-writers can attack our computers. The .SWF file is now a vector.
New vectors of infection are discovered all of the time. Ranging from the little known AutoCAD virus, to the even less known Acorn virus, there are all types of files that support virus propagation. In one case -- the Code Red worm -- a file isn't even required.
The Flash virus began its public life in a manner not too far different from other concept viruses. An antivirus researcher, this time at Sophos, received the sample anonymously in an email. It had the extension .SWF, and was presumably sent in by the virus author.
After initial research, Sophos assigned the name SWF/LFM-926, and dispatched samples to other researchers around the world. Since that time, there hasn't been a single real-world sighting of SWF/LFM-926 in the wild.
Is this a case of problem identified, problem solved?
Certainly researchers put on a good show of cooperation; a number of different people came together to provide a timely and accurate assessment of the threat. The verdict: Not a problem, this time.
But Flash's support of the "ActionScipt" language, by which the concept virus spreads, means there is a potential for more complex Flash viruses in the future
SWF/LFM-926 is meant only to be a proof of concept virus. It is only able to infect .SWF files under certain circumstances, when run under products that most people do not have installed. According to a Macromedia, you must have installed "a Macromedia stand-alone Flash Player or associated Projector executable to represent a risk." Further, "This player is not installed by any browser installation, and is only installed with the Macromedia Flash authoring product."
Or, as Sophos' Graham Cluley told me, "Because the virus doesn't manage to infect when you browse an affected website, your only chance of encountering it are likely to be if you are a webmaster who regularly downloads/exchanges SWF files with other Flash developers."
This is an inefficient vector and significantly reduces the number of potential victims. This alone reduces the threat to a level that should keep SWF/LFM-926 from ever becoming widespread.
Similar things can be said for the PDF line of viruses, as it can also be said for AutoCad viruses. There are a certain number of ingredients required for a virus to be successful on a widespread scale. One very important consideration is an efficient vector. SWF/LFM-926 just doesn't have what it takes. Geoffrey A. Moore would say this virus has no chance of crossing the chasm.
Antivirus software vendors weren't the only companies with a quick response. Macromedia recognized the negative potential this could have and immediately confronted the issue. In very clear and concise terms, Macromedia was immediately able to put to rest the fears of many. That is, "Am I vulnerable to this virus?" The answer for most people is a resounding, "no."
In an early statement from Macromedia, they seemed very committed to releasing a patch within the week. True to their word, a patch is currently available at the Macromedia web site. The patch is straightforward in its operation; it removes file type associations for the SWF file format. Given the severity of SWF/LFM-926, and how it functions, Macromedia's patch is sufficiently effective.
Macromedia has also committed to providing a fix in future versions of their product. This may not be an easy task when supporting an extensive scripting language such as ActionScript. To limit the functionality of the scripting language, or to remove it altogether, is not an option, as it would make the authoring product less useful.
Macromedia finds themselves in a club of many unwilling participants. The company must continue to make product security as important as product functionality. To that end, I wish them the best of luck.