Buffer Overflow In All Shockwave Players
drinkypoo writes: "As per this article at lwn.net there is a buffer overflow which affects "All SWF plugins on all platforms" because bounds checking is not being done on the SWF data. You can use this problem to "execute arbitrary code stored in the SWF file"."
Neither have I.
I hope these "enhancements" die under their own weight of complexity.
1. They do not give me extra information. Moving crap and noise on my screen doesn't relay anything meaningful to me. A picture is worth a thousand words, but plain HTML does that fine.
2. As this article points out, they add greater security concerns, due to added complexity.
3. Sites that use them load slowly. What happened to plain, pure, elegant HTML?
As a rule I avoid sites that use these like the plague. For the web people out there - build your site on lots of GOOD information, a few meaningful pictures, and make it EASY TO NAVIGATE, complete with a search.
[Scenario 2]
The geek fires up Netscape, and watches as Netscape dumps core.
You won't need Flash to crash Netscape...
And to add insult to injury, there's no way to disable the Flash player in most browsers. If you have Netscape, you can go to the plugins directory and remove the Flash plugin from there, but for MSIE you would probably not even know where it is located, and it probably would insist on re-installing the plugin every time you come to a page with Flash. That's a really annoying situation.
-- Si hoc legere scis nimium eruditionis habes.
Welcoming someone to your website is gracious, there is nothing wrong with that.
~shine
Big pet peeve of mine: assuming YOU know how I want to see your site. You don't know my screen, my eyesight, anything. HTML was meant to be structural; presentation is defined by the browser. Especially when I do browsing with lynx, because I want information.
For all the Flash / Image users out there who don't have text on their pages, remember this: all the search engines only index text. If you insist on Flash, you just dropped all the potential customers who used a search engine.
This has been known for a very long time; all Flash developers, I mean the guys who hack the swf format, knew this. It's pretty easy to make your Windoze machine crash, even get a BSOD on NT.
Buffer overflows have not been exploited for the moment, needless to say what OS will be the big victim, the Linux users may worry though.
Developing Open source player is again the answer, check out this project and contribute! Even for Windows.
Anyway, Flash rocks.
The introduction screen, which is incredibly painful to read (scrolls real slow) contains the text:
"Please read the User Guide to learn how to navigate through the site"
No thanks. You have got to be kidding me. This definitely does not "rock".
To some people, the look you can achieve is more important than avoiding layout tables and spacer gifs.
There are alternatives, of course, like absolute positioning, netscape's <spacer> tag, etc. But often these solutions are just as hokey and yet less supported by browsers.
-bp
bp
More importantly, the version of Tetris (Fake-ris) on this site blows. It destroys the symmetry of Tetris and it's ugly too. Like all poorly implemented Tetris clones, it fails to recognize the original beauty, or attempts to "improve" in some stupid way. Yes, I'm bitter about it.
At this point, I'm no longer worried about Netscape's problems for something as essential as CSS. The most common problem I have experienced with NS 4.x and CSS is that sometimes it will display the contents of external CSS files rather than using it to style the page -- that's with the type attribute being properly set.
It works most of the time and that's good enough. If users don't like it when they see the problem, they can get a better browser. I'm sorry. Netscape 4.x is pathetic and Mozilla/NS 6 is still striving to be as good as IE 4. As a web designer, I feel like my hands are tied. Do I live in 1995, or do Netscape users just have to put up with the quirks associated with CSS? I'm tired of living in the past... they can deal with it.
The fact is NS with CSS works most of the time and that is good enough. If someone disagrees then they can go download and use IE or shut up. If IE isn't available on your platform, then good luck with Mozilla or any of the alternative browsers available. NS just isn't the best anymore and apparently never will be. Maybe Netscape 6 will kick ass if Mozilla has *another* three years to work on it, but IE will probably be to 7 by that time(without skipping a version number!).
Netscape is like a bad ex-girlfriend. Used to love her. Now hate her guts. Can't get a restraining order against her.
...winding down. Netscape gets my blood pressure up. One time, on a business trip, I found myself in a similar rant with some co-workers at a restaurant and then thought, "wait a minute... I'm in Mountain View". Actually Palo Alto, but close enough.
I have a woman and money. Life is good.
The problem is that under a UNIXy system like Linux, you _need_ to be able to write to your own memory. You as an application are not to be protected from yourself. At all. Removing this natural right of an application would make things like ld.so and the like impossible (they would have to be part of the kernel - shrug!).
--The knowledge that you are an idiot, is what distinguishes you from one.
Hm, yes, you could perhaps restrict the code segment to a part of the linear memory, and have stack and data somewhere else. But you would need to put some non-mapped pages in between, to be sure buffer overruns don't just "grow" over it anyway. And an int a[2]; a[4711] = 2; might still jump over it anyway... But plain buffer overruns (where all positions between the last real position and the last position really written are all written to) would be caught by a single separating, non-mapped page. And what do we do with a program that we catch with a buffer overrun? Terminate it? You still have the problem of the stack segment being the same as the data segment.
When I think about it, this won't work, since in Linux all addresses within segments must be the same as linear addresses, and thus all segments must start at linear address zero... OK, if you put code first, you could make this work anyway.
--The knowledge that you are an idiot, is what distinguishes you from one.
> overflow that could be fixed with a library.
> Indeed, a language that did bounds checking on
> arrays (and completely didn't support pointers)
> could have avoided this problem, but I'm not sure
> that it would.
I read the article. I agree that it's not just strcpy onto a stack buffer... on the surface. But this IS just the kind of trivial error that basic programming techniques should avoid -- simply never trust input without validating it first. I agree that a "safe" language such as Java would protect from this, but "safe" libraries would help also!
-- Michael Chermside
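The validation the comment above calls for, as an added example (not code from the article or from Macromedia's player): a reader for a constructed, SWF-like stream of length-prefixed records that checks each declared length against the bytes actually present, and separately against the destination buffer, before copying anything. The header layout used here (10-bit tag code, 6-bit length, 0x3f escaping to a 32-bit length) is an assumption modelled on SWF's record header; the real player's parser is not reproduced.

```c
/* Added example; not code from the article or from Macromedia's player.
 * Parses a constructed, SWF-like stream of length-prefixed records: a
 * 2-byte little-endian header holds a 10-bit tag code and a 6-bit length,
 * and a length of 0x3f means a 32-bit little-endian length follows.
 * (Layout assumed, modelled on SWF's record header.) */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SCRATCH_SIZE 32          /* a fixed buffer a naive parser might copy into */

typedef struct {
    uint16_t code;               /* tag code from the header */
    uint32_t length;             /* declared body length */
    const uint8_t *body;         /* body start, inside the input buffer */
} swf_record;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What an unchecked decoder believes: the length straight from the header,
 * never compared with the bytes actually present.  A parser that then copies
 * that many bytes into a fixed buffer is the bug class the article describes.
 * Reads up to 6 header bytes without checking; shown only as the pattern to avoid. */
uint32_t declared_length_unchecked(const uint8_t *buf)
{
    uint16_t hdr = (uint16_t)(buf[0] | (buf[1] << 8));
    uint32_t len = hdr & 0x3f;
    return len == 0x3f ? le32(buf + 2) : len;
}

/* Checked decoder.  Returns bytes consumed (header + body), or 0 when the
 * input is truncated or the declared length exceeds what is present. */
size_t read_record(const uint8_t *buf, size_t avail, swf_record *out)
{
    if (avail < 2) return 0;                    /* no room for a header */
    uint16_t hdr = (uint16_t)(buf[0] | (buf[1] << 8));
    size_t pos = 2;
    uint32_t len = hdr & 0x3f;
    if (len == 0x3f) {
        if (avail - pos < 4) return 0;          /* long length field cut off */
        len = le32(buf + pos);
        pos += 4;
    }
    if (len > avail - pos) return 0;            /* the bounds check the players lacked */
    out->code = (uint16_t)(hdr >> 6);
    out->length = len;
    out->body = buf + pos;
    return pos + len;
}

/* Independent second check: a length that fits in the file can still be
 * larger than the destination.  Returns bytes copied, or -1 if refused. */
int copy_body(const swf_record *rec, uint8_t *dst, size_t dstlen)
{
    if (rec->length > dstlen) return -1;
    memcpy(dst, rec->body, rec->length);
    return (int)rec->length;
}

/* Walks a whole stream.  Returns the record count, or -1 at the first
 * malformed record. */
int count_records(const uint8_t *buf, size_t len)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        swf_record rec;
        size_t used = read_record(buf + off, len - off, &rec);
        if (used == 0) return -1;
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample input, not taken from any real SWF file. */
const uint8_t GOOD[] = {
    0x43, 0x00, 0xAA, 0xBB, 0xCC,               /* code 1, length 3 */
    0x80, 0x00,                                 /* code 2, length 0 */
    0xC5, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05    /* code 3, length 5 */
};
/* Hostile: the short length 0x3f escapes to a 32-bit length far beyond
 * the single byte that actually follows the header. */
const uint8_t BAD[] = { 0x7F, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x00 };

int main(void)
{
    printf("good stream: %d records\n", count_records(GOOD, sizeof GOOD));
    printf("bad stream: %d (declared length 0x%x)\n",
           count_records(BAD, sizeof BAD), (unsigned)declared_length_unchecked(BAD));
    return 0;
}
```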
That's right, make me feel guilty for my tone now, why don't you! ;^)
ActiveX controls and browser plugins can have uninstall programs. One that does is the free Alice 3D plugin. If I browse through my Add/Remove list right now, I see "Alice99 Plugin" listed. I notice their installer is a downloadable EXE, but I'm under the impression that an install program can also be packaged in a .CAB file for autodownload during a web page load, although I could be wrong.
I just find it obnoxious that Macromedia go to some lengths to install their product seamlessly, and have it update itself, but don't (or didn't) make it just as easy to uninstall.
That is why div tags and CSS exist. You don't need spacers. Read the CSS2 and HTML 4.01 spec.
Computer modeling for biotech drug manufacturing is HARD!
Wow.. ya mean I missed it all this time?
Silly me... and I thought all those pages looked nice.
No.. tables look like crap under Lynx.. but then, I never used it for that kinda stuff and nobody was really doing web pages with that back then.
Friends don't let friends buy Compaq's. (Dell/Gateway... same same) You want a good computer? Build it yourself.
Good point. I was simply trying to validate the (ab)use of Click Here.
You answered your own question...
...
Why in all the gods' names should I bother learning your interface?
the intro screen scrolls pathetically slowly
Had you taken 10 seconds to read the 2 paragraph User's Guide, you would have learned that the scroll speed can be sped up simply by holding down your mouse button.
Keep in mind that this is art, and it's intended to be experimental and challenging. If you don't care for that then stick with what you're comfortable with, but don't pretend it's worthless because you don't like it.
The web is filled with inexperienced users, and guess what, they have as much right to use it as we (geeks, hackers and the computer literate). And it is all right to have sites made for them. I just want to be able to see any site I visit without having security problems.
Flash is a very nice idea, too bad that it is not "really" open and it is so badly implemented. SWF is much lighter than gifs, and very good to create animation files. This is a really serious security risk to have Flash installed now, and at least for me this is bad news. :-/ Please wake up Macromedia.
--
"take the red pill and you stay in wonderland and I'll show you how deep the rabbit hole goes"
[]'s Victor Bogado da Silva Lins
^[:wq
Pssst... it's not 1992 anymore. The web isn't just about text documents. Some of us are here to shop, sell or even... to be entertained.
-c
I have discovered a truly remarkable proof which this margin is too small to contain.
That's why you must use Links!
The argument with free software (I think this is what the author of this post is talking about--``open source'' is a very generic term) is not that it is immune to all security vulnerabilities, but that I can FIX your bugs if I want to, and make the patch available to everyone else (including, hopefully, the original author of the program.)
You cannot do this with proprietary software.
Yes, it was called the Morris Worm and it caused a lot of problems on 1988-11-03 using a buffer overrun in fingerd or a sendmail mis-configuration - whichever a system was vulnerable to. Back in '93 I collected together some papers regarding it (Gene Spafford's is excellent) as well as source code that was reverse engineered. Take a look here if you're interested.
I have to say, that I think too many ('though not all) of those "wisdoms" are crap.
However, the main problem is, that you are of the opinion that design does matter very little and that's very, very wrong. OK, content is number one, but anyone stating that his page is optimized for lynx is IMO about as creative as a brick wall, the information is usually boring to read, with no formatting whatsoever. (Since, you're a UNIX Admin, you have probably read your beloved standard text @ 1600*1200px, a thing you might enjoy - I do not)
One might as well argue that you can print People magazine without images; this would save space, require less paper and in the end protect the environment.
Using lynx for testing seems a brilliant idea, I assume that almost .05% of the internet community use it on a regular basis
One of my strongest arguments against Flash has always been its accessibility. Stick someone with a vision problem in front of a Flash file and what do you have? Someone who can't see your site.
And now with the increasing demand for handheld, cellphone, web-appliance access Flash is almost a pure hindrance. sure it can be keen to watch things fly around the screen, but how often do you visit your favorite flash site versus something like Slashdot? Content rules the web.
no.. you're hounding and annoying. I don't need you to teach me to speak English, I'm a native speaker -- the English language, by definition, is every utterance that comes out of my mouth. Now if I was a native French speaker, and I said something in English that you failed to comprehend, then you would be "helping" me. I mean really, neither of us speaks "the Queen's English", so where exactly is it that you are getting this definition of what is "correct" English and what is not?
Finally, I find your remarks insulting and harassing. Please discontinue them.
How we know is more important than what we know.
get a fucking job moron.
How we know is more important than what we know.
grr.. thank you.. once again someone answers my question and gets score -1.
How we know is more important than what we know.
you assume that I want you to read my web site. Perhaps I don't want anyone to be able to read my website except people who are willing to download the Flash plugin and are using IE. Perhaps I have come to this decision after looking at marketing stats and determining that comments posted on my web site by people who refuse to download the plugin or use IE are detrimental to my market. Or perhaps I don't really care if the minority of users not using IE can't read my web site. Hell, maybe the only reason people are coming to my web site is to see my kickass Flash animations!
How we know is more important than what we know.
Just as how trolls exploit goatse.cx and such on here, the trolls on Newgrounds will most likely be submitting buffer-overflow Flash presentations in the Portal.
I'm not suggesting the average programmer go into cryptographic systems engineering, but that the reason why things like sendmail, which are not supposed to provide privileged access to *anyone*, are security problems is because of bad coding practices.
Buffer overflows in web/mail servers and the like shouldn't need to be watched by security auditors; The auditors should only really have to look at things like login, ssh, ftpd, nfs -- services that provide privileged access to authorized users.
--------
Genius dies of the same blow that destroys liberty.
It is a political problem, but it's more of a problem of impatient, undisciplined programmers who take no pride in their work, than of economics and bad upstairs management. Impatient programmers are why Microsoft code crashes a lot, and GNU/Linux is disorganized.
Remember: for each function, spend 70% of your time planning the code, only 10% of your time writing it, and 20% of your time making damn sure it's bulletproof. Implement every bloody check you can think of, then put in an #ifdef PARANOID for the stuff you think is really overkill. Do not refuse to write a check because "it's overkill". Do it anyway!
Also, be prepared to toss every line of the code you've just written, if it sucks. Get an outsider's opinion, preferably an outsider who is nicknamed "The Code Nazi" :-). If there is no Code Nazi in your area, it is your duty to become the local Code Nazi.
If every programmer on a project follows the above advice, and is generally very patient and disciplined, then the product they produce will do what it does perfectly. The only imperfect thing will be a lack of features, because the planning team failed to put them into the requirements document.
People make mistakes, but those mistakes should never, ever get shipped.
P.S. Yes, I am a programmer, and I do the things I've said.
--------
Genius dies of the same blow that destroys liberty.
You seem to think that Netscape 4.x falling over under Linux is a rarity *hollow laughter*
The *only* product that I've seen more unstable than NS4.x is MS's Visual Studio.NET beta 1, which almost redefines instability. Beta? Try pre-alpha!
"Life is like a sewer - what you get out of it depends on what you put into it" - Tom Lehrer
"Yet another argument for open source software..."
[sarcasm]
Oh yes, and with things like OpenSource, root exploits don't go un-noticed for a couple of months and only get fixed when people start exploiting them
[/sarcasm]
I do like people like you. You're funny. I mean, if you are so sure OpenSource is more secure, then why was there the whole rush for everyone to upgrade their kernels to 2.2.16 after that root bug was discovered to have affected ALL previous kernels?
OpenSourcing adds no extra security, because most people will be thinking "someone else will be checking for security holes" and not bother doing it themselves, or when a hole is discovered, the channels for informing people of the bugs aren't clear, or people just won't bother upgrading, because everyone knows OpenSource software is more secure...
- Damnit, I'm dead Jim
Methinks that most of the software you use day-by-day suffers from buffer overflow problems.
Me surprised ? Nahhh
Just another coder...
The average web'master' can't even write HTML nowadays, or that's what you'd think looking at websites owned by large corps. If they can't even put alt text in images, how can we expect them to author in keyboard navigation?
One professional developer once said to me something along the lines of "it's a GUI, you're supposed to use a mouse". Gee I hate developers without RSI...
Why do we need flash anyway? Am I going to be convinced to buy your product because you made me DL a few MB of flashing bright colors and animations?
---
Yeah, that or you could just uninstall it via the normal control panel...
---
People, you're not even trying. http://www.macromedia.com/shockwave/download/alternates/ lists an uninstaller for the Macromedia Shockwave Player.
The support for the Flash player links to http://www.shockwave.com/help/faq_swplayer.html which provides instructions to remove the Flash player.
--
=S
Flash is more (less) than noisy multimedia, and more (less) than 007-movie-intro-on-drugs animations. Macromedia's own site uses Flash for the navigation at the top of most pages on their site, and that doesn't do any animation except on rollover.
As well as being the only viable cross-platform cross-browser vector solution right now, if you want to use your own font and you don't want the overhead of lots of GIF's, Flash is the only cross-platform cross-browser font solution. AFAIK the 3.x browser approaches for embedded fonts in Web pages never standardized. Microsoft can ram a new font like Verdana or Trebuchet into the operating system, but other sites have to use Flash.
(I acknowledge the argument that sites can bloody well communicate whatever they have to say in serif, sans serif, and fixed, but designers would disagree.)
For another subtle, silent, non-animating use of Flash, check out webmonkey's front page.
--
=S
I wasn't aware that Macromedia didn't have installation instructions in the past. I'm sorry for my tone. But right now it's not that hard.
--
=S
If it doesn't work for you, let Macromedia know the details (contact link on their help page)
--
=S
"Of" means that from which anything proceeds; indicating origin, source, descent, and the like or it can also denote ownership.
It sounds like "have", if you say it fast enough, I think this is where your confusion stems from.
"Share your knowledge. It's a way to achieve immortality." -- Dalai Lama
Owie... just look at linux.co.uk for a site about linux using flash. Really is there any need for it?
--
Azrael - The Angel of Death
posted with: Mozilla (0.7)
A malicious web-site could also disguise the Flash as a banner ad and.... Hey what's that at the top of the page! Ugh.
Err, that's Real Networks - not the same company as Macromedia - or did I miss something?
Personally, I wouldn't "mod up" a post containing a link to a site that requires the Shockwave plug-in when I'm posting to a discussion about the latest way of exploiting said plug-in. But that's just me.
Happy to use mozilla: www.shockwave.com for me
If there is hope, it lies in the trolls.
IANAE, but isn't there a kernel patch that gives you a non-executable, but read-write stack?
how is this any different?
a bit offtopic, but useful perhaps: Konqueror in CVS now has an option to disable window.open
now it's even more convenient to visit all those pr0n sites!
If you overflow the buffer while running a flash movie THE MACHINE RUNNING IT CRASHES. Hence making it tough to 'sploit.
One...how many Flash users...generally hybrid graphic artists/developers, graphic artists, or mutts like me are going to know how to exploit a buffer over-flow AND compromise the system while covering their butt(s)?
Two...How many people who know how to exploit a buffer overflow and compromise a system while covering their butt(s) can make a Flash piece that will be perty enough for anyone to check out on a large scale?
Three...I still think Macromedia should address it, cuz it points to obvious flaws and instability in the code. Anyone seen any statement/response from anyone at Macromedia about this? I once got a response from someone personally at Macromedia cuz I sent a message to someone whose wife (or wife's friend) worked there. It was about one of their support decisions (to drop support in a certain area). Wasn't even after a response...it got forwarded along til it came back to me.
Galego
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
==
Has there ever actually been an actual and successful exploit using a buffer overrun that caused anything other than a GPF/segfault?
==
The original shockwave player buffer overflow post was made into bugtraq a few days ago. Typically, once someone demonstrates a buffer overflow in such a widely used product, someone else will post a working exploit within 30-60 days. So the answer to your question is a resounding YES.
Jeff
I use lynx to read User Friendly all the time. It's annoying to have to scroll past the "menu" to pull up the cartoon, but it's still just as fast as waiting for all the extraneous graphics to load.
My pet peeve: your typical site menu consists of a space-wasting bar of links down the left side. On graphical browsers, this cuts into the display space--I have to view the site full-screen on my 800x600 laptop, and often even that's too small--while on lynx this usually displays as either a frameset to wade through (sometimes on every page, and usually with an "upgrade your browser" message; I'm using the latest packaged version!) or a list of links to scroll past on every page.
Well.. I can understand this, If that's the format the users of the site want, then XLS/PDF/PS are perfectly acceptable. I do agree that 99% of the time doc files could/should be simple HTML pages (not word->html crap).
UPS Sucks
I find myself in ideology agreeing with you.
You basically state some common sense and a little bit of design guidelines from some of the real big names whose philosophy is to keep it simple and make the content usable.
In a perfect world you can get away with no design elements in your HTML, you can get away with no gifs to space elements out.
In an imperfect world.... There is internet explorer and netscape.
But one day it occurred to me how irrelevant Linux is to most people.
When we are spec'ing sites out and we want some cool functionality enhancing feature... and I say but.... it will take me an extra day to get this cross-browser and working on all versions of netscape...
Well that is when netscape suddenly becomes less relevant. I get it working for one popular version in windows and that is it, support it from there and up and in Moz6, that is it.
Sure its nice to live in the world where I dont have to know a little about my client to do anything remotely interesting.
I think if people don't like *useful* and functional JavaScript and Flash then it's time to quit living in the stone age (get outta LYNX, no one has the time nor budget to cater to *everyone!*). It's a matter of practicality.
If I can successfully run my business and design my sites to fit 95% of the shoes, which is all that matters when you're a small development team on a tight budget trying to make a project be really awesome, you just can't spend those extra 5 hours doing everything to make everyone happy.
Yeah, so a lot of sites out there are using non-compliant kludge, so I don't always write standard and compliant HTML. I don't write sloppy HTML, but I violate a couple of your rules and all I can say is come out of the stone age and live with it.
Jeremy
No, it's not half-assed if it's the only thing that works, is it? It's status quo until Microsoft stops shoveling non-standards-compliant browsers at the public, and everyone else follows suit and the world is a perfect place.
That's what it means.
It has nothing to do with doing it half-assed...
I would gladly spend the time and effort if I knew my style sheets worked on EVERY platform and I knew that everything worked like it should every where
It doesn't, so I hit the biggest audience with the biggest impact in the least amount of time I can.
Jeremy
That's because some of them probably know about it and are still using old Netscape as a stealth Personal JavaServer to get around "no servers" TOS restrictions. "Well, I was just running Netscape!"
Tetris on drugs, NES music, and GNOME vs. KDE Bingo.
Will I retire or break 10K?
That is why div tags and CSS exist. You don't need spacers. Read the CSS2 and HTML 4.01 spec.
And watch your audience complain when CSS gives Netscape 4.x a bluescreen. There has to be different content served to Netscape 4.x users and IE/Mozilla users.
Tetris on drugs, NES music, and GNOME vs. KDE Bingo.
Will I retire or break 10K?
Indeed, a language that did bounds checking on arrays (and completely didn't support pointers) could have avoided this problem
Pointers are necessary for vector support, which is one of two conditions necessary for Turing completeness (the other is conditionals). If you can't point into an array, you can't move the head over the tape.
If by "pointers" you meant "pointer arithmetic," on the other hand, I see your point. The Java and Scheme languages do not support pointer arithmetic.
Tetris on drugs, NES music, and GNOME vs. KDE Bingo.
Will I retire or break 10K?
sure... 1) Exploit security bug on current browser 2) Disable browser so that it can never be used. 3) Download and install new browser for user. 4) Warn user that their browser is not operational. They must wait until the update has finished loading or else they will have to install a new browser from scratch. 5) User ends up with a secure browser by either waiting for new browser to be installed, installing the newest browser themselves or having no operating browser.
Seems to be something strange on that page.
Under the `info' tab, it says "Published: 29 jan 2000".
But under the `credit' tab, it says: first discovered by Neal Krawetz July of 2000, and announced via the Bugtraq mailing list on December 20, 2000.
I guess the "published" line is wrong after all, and this really is rather new.
I wish someone would tell Orange (www.orange.co.uk) about this. Maybe their flaky Flash animations work in Windows but they keep making Netscape in Linux fall over.
This page appears to work fine under the latest nightly of Mozilla (Even the perty flash anims). Personally, I've been using Moz for the last couple months regularly over NS. Even with its bugs, it appears to be more stable/useful than NS.
No thanks. I don't smoke anymore.
Having read this small problem, I then tried to remove flash from my browsers ....
Netscape was easy .... disable application type, remove plugin ...
IE5 became the problem. I have yet to find any way of uninstalling Flash from it!
Time to uninstall!
Has there ever actually been an actual and successful exploit using a buffer overrun that caused anything other than a GPF/segfault?
Try going to your favorite search engine and searching for "Morris worm".
Not to mention I have yet to see a Flash page with a static image - they're always animating with a rotating logo or some other action. Boom there goes all your bandwidth for that remote X connection.
Then you factor in the fact Flash renders the animations in realtime, add in that constant animation with transitions/fades and there goes all your CPU power.
There doesn't appear to be any concept of idle time - its development is similar to Director, which I've worked on for 3 years, and in order to pull off a "Press here to continue" with an animation, you have to loop it. Ick.
But then again what do you expect from a product from a company originally developing on the Mac?
If you can execute arbitrary code, who says it even has to conform to the Linux API? Just code up some assembler that performs sector-level writes to the hard disk, and you could trash the filesystem regardless of whether you are root or not.
I never intended to improve on anything.. just learn from a classic game as a "getting my programming skill feet wet" project. I understand your bitterness, but I'd think it's more aptly directed at someone who actually deserves it... like people who claim to have "made the next best thing"
I only claim to have "made a thing." =)
PointlessGames.com -- Go waste some time.
MassMOG.com -- Visit the site; Use the word.
...not to mention, he apparently didn't even go to the site. Pure HTML until you get to the games, which are the reason for the site, but not the entire makeup of it!
PointlessGames.com -- Go waste some time.
MassMOG.com -- Visit the site; Use the word.
I work in security and holes are discovered all the time.
This one doesn't look that easy to exploit (closed source). But when you have the possibility to infect millions of computers, I expect that someone will spend the time at least producing a Windows/IE exploit.
Lots of windows mail readers seem to use IE embedded to view content, so I'm wondering if this could work as an email virus too.
I'm sure there are exploits for many other plugins on all browsers, but with flash installed by default these days, this looks on the face of it to be one of the most serious security flaws to be announced in recent years.
Don't be surprised by the slowness of a vendor to respond, this is typical. I've seen serious security flaws on popular server software remain unfixed for months. If this becomes a real problem, then they will probably move a lot faster!
There's more to this than you mention. The important thing is that HTML is no TML. People keep trying to make it into things it isn't.
What's worse is when frames aren't optional; When you need a frame to navigate a site. This makes life really hard when you're trying to order a part for your whoosiewhatsit when you're in bumfuck nowhere, all you have is packet radio and a text interface, and no phone.
This is something that should be optional and OFF BY DEFAULT. It is *trivial* to carry a session variable in ColdFusion or PHP (harder in IIS/ASP; I suggest you use a cookie there) which will remember a simple true or false. Give someone a radio button (oddly appropriate) or a link or SOMETHING to turn ON music if they want it. Most of us won't, because music on webpages is stupid and unnecessary.
A good site search engine can search through PDFs as well, so you can find data. PDF is a reasonable place to store data, because it's insanely cross-platform these days. Admittedly, some people can't view it, but some organizations are very picky about the appearance of their documents; If a document can't be presented a certain way, then it doesn't make it into the medium. I think it's better to have the data available as a PDF than not available at all, or only available via snail or fax.
Au contraire. They're in a fine position to require you to do something. If you won't do it, you're probably going to cost them money, or at least they'll make less money off of you; You of course are welcome to go find someone else who doesn't have restrictions.
Amen.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You have to remember, too, that they really don't have to accommodate you at all. You're visiting their server bandwidth and using their CPU time to deliver their pages to you. If you don't want to follow their rules, there is nothing stopping them from telling you that they don't need your patronage. Now it's nicer when they do accommodate, but sometimes accommodation and accessibility get in the way of the message.
Marxism is the opiate of dumbasses
Where exactly did I say worthless? FYI the site is bookmarked so I can check it out later.
I still maintain there is no reason why I should be reading any user guide at all for web based media. The interface should be easily and obviously usable. Unless of course, the creators are a bunch of elitist artists...... ;)
Second, the intro page asks me to:
Why in all the gods' names should I bother learning your interface? I already know text, html, etc., etc. Finally, the intro screen scrolls pathetically slowly on a PIII with 130 meg ram. Give a nicely formatted text box I can read quickly.
I dunno about that. The scene: A darkened bedroom crammed full of junk. Off to one corner, a lone geek sits in front of a monitor, providing the only illumination in the room.
[Scenario 1]
The geek fiddles with a Flash file, fires up Netscape, and watches as Windows blue screens.
[Scenario 2]
The geek fiddles with a Flash file, fires up Netscape, and watches as Netscape dumps core.
The last two times I tried to install flash, the installer crashed. It may not be in anywhere near as many browsers as MM thinks it is!
An engineer who ran for Congress. http://herbrobinson.us
While I agree with many of User 35416's peeves, I think he is missing a very important point. The web is no longer JUST a vehicle for transmitting information. It is also a tool for entertaining and marketing. As such, it needs the abilities provided by tools like Shockwave. 14.4 connections? You might as well expect networks to film black and white television! Macromedia has been a fairly decent company in terms of opening their code. Problems should be identified and dealt with- but let's not throw the baby out with the bathwater.
You have got to be kidding me. this is the creme de la creme of flash? It's just scaling polygons of a half-decent artist, not a pivotal moment of mankind's evolution. Please, Flash, die.
Go Kathryn Thurber!
Delphi may save you from accidentally creating buffer overflows, but will it stop you from forgetting to clear the "valid" flag on a user record for a user who has terminated their session? I didn't think so.
This argument is one that has happened countless times on Bugtraq, without any real conclusion. Some people claim that C (and any other language without bounds checking) is "inappropriate for deployed software," while other people say that languages with bounds checking have too much overhead--in terms of speed, memory, or other factors--to make them usable for server programs, monitoring software, etc., or don't provide feature XYZ which they "need" to write their software (of course, you can write most any program in most any language, but writing a program in a language you're not familiar with is a recipe for disaster). Yet others say that letting the compiler do all the security work will make programmers careless and lead to more of the kind of mistake I mentioned above.
My personal position is, there is no absolute "best language", so use whatever language you're most comfortable with--just make sure you know what you're doing.
By the way, are you sure your Delphi compiler will always bound-check properly in every possible case? One of the reasons I like C is that the compiler does just that--compiles--and doesn't try to insert all sorts of fancy features. That limited functionality, combined with the sheer amount of C code out there which compilers get tested on, allows me to be much more certain than with any other language (except assembly, perhaps) that the compiler will correctly turn my source code into machine code that does exactly what I say.
Incidentally, I haven't had a buffer overflow in a few years myself, ever since I learned to watch out for them--using C all the while. (Why they don't teach this in classes is a mystery to me, though...)
--
BACKNEXTFINISHCANCEL
- clear 1X1 pixel gifs used for spacing with alt tags that say "spacer" - doing typesetting with 1X1 pixel transparent gifs is a kludge that adds a lot of excess html to your docs
Actually, it's sometimes a necessary evil to get everything looking 'right'. Creating a gap that small isn't possible on all browsers in any other way.
I'll agree with your other points though..
--
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Or better do exactly the same thing as that suggested for linux & co users; make sure their browser runs as another user than the one they are logged in as.
I once wrote a perl script that would take a pdf file and spit out plain text. I think it would be grand if sites that like serving lots of pdfs had one of those.
Then you have the Shockwave Player which is really known as the Shockwave Flash Player which is the shockwave engine used to run files which have been made with Director, but because Director is able to do most of the stuff Flash does (and more) they allowed the ability to play Flash within the Shockwave plugin as of version 8.0
This works out great because personally for example, if I am writing detection code on a site which has Shockwave AND Flash, I can just check the client PC for the Shockwave 8.x+ player and I know if the client has that, they can see both types of content.
I wish someone would tell Orange (www.orange.co.uk) about this. Maybe their flaky Flash animations work in Windows but they keep making Netscape in Linux fall over. I had to disable the plugin just to get at the roaming information page....
-- Soruk
Well, I'd say it could go under either since it affects a large amount of how people view web pages. What with the new focus on web pages involving every new little toy or executable code under the sun, it is not that surprising that problems exist with some (if not all) of the plugins that are "necessary" to get the most of a User's web-surfing experience.
And really, the story will go under what the author placed it under. Considering how many hoax posts make /., it's not surprising that even some of the real ones are badly categorized. (None of the anime posts, AFAIK)
Just my 2 shekels.
Kierthos
Mr. Hu is not a ninja.
And it should have been released sooner. All the 'commercial-friendly'/1 week advisory waiting period/vendor co-operation/etc 'ethics' that exist today do nothing more then alienate the white-hats knowledge of the 'black-hats' bleeding edge.
aXV1cTswMDR5dS9wc2gwYnFxew
"you do not understand". :)
aXV1cTswMDR5dS9wc2gwYnFxew
For instance, today we have a digital art exhibition that you wouldn't enjoy too much if you didn't have Flash. In the case of this example, you can rightly say that art "doesn't serve any useful purpose", but it's probably unfair to say that its patrons are "simpletons with the IQ of jello." I, for one, like pretty, entertaining things that don't take too long to download.
that is why you identify and then fix it.
I would be really pissed if I found that macromedia's negligence caused me to get a virus. It is possible that they skip the checking to make it run faster, but it still seems way too dangerous of a risk just to save a few clock cycles. What would happen if the next 'Melissa' like virus scare printed in all the papers involved their plugin? And what if the reporters noticed the problem had been identified months ago and was ignored? I know I sure as hell would never use their products again.
off topic, i don't care. this is even more impressive: nosepilot.com
At least now we can look at some cool shit while we are getting h4x0r3d.
I'd rather be a unix freak than a freaky eunuch
Ewige Blumenkraft!
You, me, and probably a significant amount of slashdot users want some sort of information in webpages, rather than just eye-candy, but I'm guessing that most users want pretty pictures with a minimal amount of useful information. I have never met a website with static content that needed anything more than pure html, and I must praise sites like slashdot that have dynamic content that is handled on the server side, and not by my computer. However, I am the exception here, stuff like flash is popular, so even if I refuse to download and install the plugin, I'm guessing many other people do. After graphical browsers and the AOLers, you were misleading yourself if you expected anything with more information than a "Buffy the Vampire Slayer" episode.
Oh well, I still have lynx. Speeds up websurfing, and is more enjoyable for 90% of the pages I visit.
Just my $.02
How exactly is it that a buffer overflow can allow you to execute arbitrary commands? Overflowing a buffer usually throws you somewhere into unalloc'd memory, which then under windows gives you protection errors, and under most other systems gives you a SEGV. What's up? I guess I just don't get it.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
LEFT TO RIGHT, UP TO DOWN, FLAT - NOT SHADOWS, NO 3D - SERIF FONT. OH, AND DO TRY TO HAVE SOMETHING TO SAY.
Write that down on a piece of paper and nail it to your dense foreheads. If I want flash, I'll smoke some weed, open a box of fruit loops and sit in front of the cartoon channel for a couple of hours.
--
Eat right, exercise regularly, die anyway.
Spookily, one of my co-workers -- a classic Linux zealot -- takes a rather similar attitude. After tiring of his constant trolling about Windoze security holes etc (there are lots, true, but NT!=95, and M$ do now release advisories and patches ... there is of course room for improvement though ;) -- I did some quiet looking around at his setup. He's locked his machine down fairly well - tcpwrappers, turned off unwanted stuff from inetd.conf et al. But according to Red Hat there are 53 post-release vulnerabilities he hasn't bothered to apply, including GPG and Sendmail stuff, several remote root vulnerabilities etc. And this machine is on a permanent net connection (public IP), as well as being his daily workstation. He'd believed his own press about Linux being infinitely secure compared to Windows... of course, nothing is secure if you don't keep up with Bugtraq and apply patches when they come out, as well as configuring the thing for security when you first set it up.
--
If the good lord had meant me to live in Los Angeles
>Anyone who thinks that a good website should depend on a plugin/javascript/animated graphics/java/images with no tags/frames/ or overdesigned pages that take forever to load on a 14.4 connection deserves the complaints from users they will get at the email address listed under 'feedback' on their page.
...assuming that they can see the "feedback" link without the required plugin =)
I agree that it is cool if a site works on Lynx, but you can't really use it to read User Friendly or Dilbert where graphics equals content.
http://mp3.com/jje
"Baka." --Ruri, Mobile Battleship Nadesico
First off, IANAProgrammer. But it seems to me that 80% or more of the security advisories/exploits/etc that I've seen in the past year are exploits of buffer overflows/overruns that allow you to execute code. So even if the above-mentioned libraries are not applicable in this case, buffer overflows should still be tested.
If you're a programmer and you know how many security holes/exploits come about by this one method, it would seem to me that it would be one of the high priorities of QA to determine if such vulnerabilities exist and to code around them. In most cases a patch or an upgrade comes out rather quickly that plugs the hole by eliminating the possibility of the overflow. How much extra work would it be to check the way the buffers are coded and used before releasing the software?
Again, IANAP, but this seems pretty obvious to me. Is there something that makes this unfeasible or are there that many crappy coders out there who don't know their butt from a hole in the ground?
but just look at YOU! You are in the vast minority, my friend. Making money in this modern world of too-much-everything is all about how many people you can reach, and how you can cash in on those knee-jerk, primitive instincts. Check the statistics and you'll see that you and your ilk (the vast majority of /.ers, et al) do not fall into that biggest category, hence you have no value to warrant being marketed to. Does that make sense?
I mean, I'm with you! "Just the facts, ma'am" and all that... text only is great for communicating and functionality, but apparently people are still lazy and patient enough to make it worth all those pretty colors and noise.
Try my nuts to your fist style!
Has anyone noticed the increasing number of Flash animations in Adverts by major online ad agencies? Maybe with the right hack using this bug someone could do *a lot* of damage. With a minimal, wide exposure package it wouldn't cost much either. But I assume there are safety precautions taken by the companies (?). After all, Java has been a problem for awhile with numerous security issues but we still see wide audience Java ADs all over the place. How many sites do those get funneled through anyway?
Methinks we need a stable and secure "DHTML" multimedia product for the "Nixens." Why?
1. We vote with our wallet for the movie with cool special effects, excluding the D&D cheese, or for the big special effects, namely Star Wars E1 and Titanic. Would someone please tell me why they paid to watch Titanic? I am certain that they didn't watch it for the crummy "love" story.
2. We don't live in caves anymore, and we don't buy black & white and analog entertainment centres. Story telling, nowadays, is through your PS2 with a big screen and full digital surround sound. Netrek isn't as popular anymore because we (not I) grew out of the circle, line, and dot graphics. Why play pong, when you can play Baldur's Gate or the latest eye-popping 3D shooter?
3. These FISP (Free ISP) basically force the user to install the Flash plugin, or install it covertly without your knowledge. Why won't they port their banner app for the "Nixen" OS'? Or, offer free internet service for the "Nixen" OS?
4. If you've used the bug ridden and the M$ cloning business model of Flash 5, you'd want an Open Source multimedia "DHTML" product, too.
To conclude, the internet is becoming the main entertainment hangout, not radio & television. Also, entertainment pays the bills, just ask that baseball guy about his $252 MUSD salary + bonuses, or that 12 year-old CEO of a web design company using Flash. My point is if you still use Lynx to surf, then don't complain about the world changing just because you haven't.
Now, how to get an Open Source "DHTML" multimedia project, that will cicc arses, rolling?
Well, sorry about that, but I'll answer the same thing I told the WWW designer who wanted my university's website to depend on JavaScript (ironically, there was some ShockWave Flash too): I, as a person who browses the Web, don't know you. I can't know you're not "hostile"; if your site depends on a security hole in my browser, I'll bitch and go elsewhere, that's all. You have to adapt, not I, I'm afraid...
*My* BIGGEST pet peeve when dealing with websites, is when you minimize one, and when it loads or gets to a page, it'll maximize it for you, sometimes, if you minimize it again, it'll maximize! You can have a game with this...GEEZ you know I MINIMIZED you for a reason...
Hotmail is a good example of this...
Macromedia was recently informed of a potential security issue with the Macromedia Flash Player, whereby a Macromedia Flash (SWF) file could be handcoded to send more information to a user's machine than the file indicates is being sent. At the present time, the security issue is entirely theoretical, but Macromedia takes security seriously and is working to ensure that this reported issue, called a "buffer overflow error," is appropriately addressed as soon as possible. It is important to note that no known examples of this buffer overflow error exist.
Regards
Troy Evans
Flash Player Product Manager
So what? Sendmail and BIND were designed when security wasn't an issue. Since then the sendmail crew has done their job. When was the last security hole in Sendmail?
AARGH this site is driving me nuts! Why did it feel the need to open a new window on the site? What's with all of this Javascript formatting? Why won't it just bring me to the stupid flash site so I can download the swf and play it, since the integration with the browser is broken on my machine? In the end, despite reading through the source on almost every page to get to the next page, I never did see any of these digital art exhibits.
I read the internet for the articles.
. . . lwn.net was running shockwave on a server and got fouled up from a time-travel game . . .
hawk
Sure a buffer overflow in Flash is big news. It's bigger than the uninitialized variable of 1999. But I think the news item of the millennium is going to be the null pointer dereference in Netscape. Look out CNN. We've got a null pointer story.
You mean like sendmail and BIND? Try searching the CERT advisories and you'll see what I mean.
I may just be delighted to see "Movie not loaded..." when I right-click on a blank space in a webpage after all!
--
Me spell chucker work grate. Need grandma chicken.
I never met a plugin I didn't hate.
I have a woman and money. Life is good.
The average web'master' can't even write HTML nowadays, or that's what you'd think looking at websites owned by large corps.
Absolutely true. I've had cow-orkers ask me (in an almost disbelieving tone) why I was writing HTML by hand when "Frontpage is already installed"...
I've also heard people talk about "learning HTML" when what they mean is "learning Frontpage".
I kinda like Flash tho, it's nice for making slick, compact, artsy-fartsy things that won't get broken by crappy HTML renderers. It either works, or it doesn't, and chances are it will work, because 95% of the viewing population is Win/Mac.
And for the other 5%, it's not hard to include a less 'cool', but equally informative text version.
It all depends on who's doing the work and whether they give a shit.
--K
According to page 3-13 of "Pentium Pro Family Developer's Manual" "Volume 3: Operating System Writer's Guide", table 3-1: Code and Data segment types, there are four types of data segments - read-only, read/write, read-only-expand-down and read-write-expand-down, and four types of code segments - execute-only, execute-read, execute-only-conforming and execute-read-conforming. The problem is that under any UNIXy x86 systems, you don't use segmentation, but create one big executable segment and one big data segment, spanning all of the linear address space, and use page control as access control. This is because a) old big UNIX machines didn't have segmentation and b) some hackers consider segmentation an ugly kludge...
--The knowledge that you are an idiot, is what distinguishes you from one.
Perhaps it does that now, I don't care. It's (a) a security risk, (b) an unnecessary piece of shit (as previously stated.)
As you can tell, Macromedia annoyed me with this. But this also goes to a bigger, more serious issue - that of one-click downloads and updates of software on user's computers. Most users aren't able to make an informed choice about the software they're "choosing" to download. They just want to see the latest shiny thing on the website they're looking at, or get the latest update to anything from Winamp to their IM client. While this is a marketer's dream, it's a security nightmare. As the macro virus holes in software like Office are slowly closed, downloadable Web widgets are likely to become the next major virus delivery channel. And you can't trust "name-brand" companies like Macromedia, as this buffer overflow bug proves.
So don't give me "People, you're not even trying." I'm not trying, I'm succeeding, in following and promulgating successful security policies.
If a company wants to put out a multimedia viewer, they shouldn't try to force it on people. After it's been downloaded the first time, the damn thing virtually (or actually?) downloads updates itself. At one point, it didn't even have an uninstall option - and may still not for all I know, I no longer allow it on my system or my clients' systems. I've told my clients it's a security risk. Boy do I look like a guru now...
I installed it once under Linux... then realized it was lame and useless... *shrug*
Yeah.. I'm on DSL and it only takes 10 seconds for an obnoxiously large web-site to load.. but I sure miss those REALLY nicely formatted sites that loaded in ONE second using Lynx and a 28.8 connect.
Shockwave is like those metallic ribbons you find hanging from the ends of the handle bars on a girl's bike. They may look pretty and be entertaining to a simpleton with the IQ of jello, but they really don't serve any useful purpose.
Friends don't let friends buy Compaq's. (Dell/Gateway... same same) You want a good computer? Build it yourself.
> The web is no longer JUST a vehicle for transmitting information. It is also a tool for entertaining and marketing.
If you want to market to me, the same still applies: "Just the facts, ma'am." If I have to wait 10 seconds for some fancy graphics/animation/whatever to download, I'm more likely to click "back" than to patiently wait to be spoonfed a commercial that substitutes flash for content.
It is not uncommon for me to go to sites specifically looking for product information and leave without that information because I don't feel like waiting for the dog'n'pony show to finish. Those vendors lose my business.
Same thing with other kinds of site. ABC news used to have a decent site, but they "upgraded" it to make it more commercial friendly at the expense of making it hard to skim the headlines. I haven't been back since the "upgrade", so now I don't see any of their commercials.
--
Sheesh, evil *and* a jerk. -- Jade
I beg to differ. We "geeks" understand and know when to recognize a link when we see one. After taking an Internet Marketing class, statistically, more people will Click Here if you tell them to do so -- just like TV ads that say Buy Now or Hurry, while quantities last! It works with the general public. They're telling the masses what to do, and although the Click Here doesn't work for you or I, think about the millions of AOL customers who don't have a clue... They need to be specifically told to Click Here. And they will.
Trust me -- in online marketing terms, Click Here works, and that's the sad part.
See how well the Click Here works? You clicked. If I had a banner ad, I would have made $0.02. I've proved my point. It's all marketing. Blame the marketers for the Click Here craze. Now go read my previous post for more information.
We hear on an almost daily basis that there are security holes... mostly in Microsoft and Netscape software. The latest idiocy is that Windows Media Player can be used to execute arbitrary programs. Many of these holes involve buffer overruns that allow execution of "arbitrary code".
Has there ever actually been an actual and successful exploit using a buffer overrun that caused anything other than a GPF/segfault?
There's a lot of heat and noise about the sieve-like quality of software security of Internet software, but is it _really_ that much of a risk?
(Which isn't to say it shouldn't be addressed with all haste)
Rick
Due to a Y2K bug, all Y2K bugs occurred on 1 January 2001.
You are in a maze of twisty little passages, all alike.
That is some sweet flash....
ReadThe ReflectionEngine, a cyberpunk style n
Please mod the parent post up. If anything from Macromedia tanks my computer, I'd most rather have that site do it for me. I took a web design class at my university's art dept. two years ago... not your typical "learn HTML and Javascript" course, rather entirely focused on WYSIWYG editors and visual communications... and they used Gabocorp as an example of what can really make you weep at your own pathetic visual design skills. Apparently the whole company is some kid from Puerto Rico who makes Flash presentations like B.B. King makes blues music. The correct URL, for the lazy, is gabocorp.com. The old "dubuhya dubuhya dubuhya dot" at the front leads to a non-existent server. (Then again, what's the problem with adding an extra DNS entry? Only us geeks would moan about that, though).
while grepping through the linux source it appears that it sets the prot_exec bit only if the vm_exec bit is set. I'll have to check what the intel chip actually does (I never liked the things, too much of a hack design) but from the source it looks like if any data or stack segments were not marked vm_exec then they wouldn't allow code to run at all.
For those that don't understand what I'm talking about....
Stack overflows take some simple data like this:
char name[25];
something_broken_like_gets(name);
Now when you feed in a string like "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", it goes on the stack and if the stack is built the wrong way, it overwrites the return area on the stack. So if you play your cards right and replace the 'A' with a properly calculated stack frame you can have the return from the function return to your code which you just happened to supply. The CPU pops the stack pointer and runs user supplied code and that is how most exploits happen. There are tools that will help generate the proper strings that have been mentioned in places like bugtraq.
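The stack walkthrough in the comment above and the Macromedia statement earlier in the thread ("send more information to a user's machine than the file indicates is being sent") describe the same mistake from two ends: a size the input declares is used as the copy size. What follows is an added example, not code from the page, from Macromedia, or from any commenter. It parses a record header modelled on the SWF RECORDHEADER layout (a little-endian UI16 holding a 10-bit tag code and a 6-bit length, where a length of 0x3F means a UI32 length follows) and puts the unchecked copy beside the checked one. That layout is an assumption used for illustration only; the page gives no detail on where the real Flash player bug lived, and every sample record below is constructed.

```c
/* Added example: length-prefixed record parser modelled on SWF's RECORDHEADER.
 * Assumption for illustration only; not Macromedia's code or any commenter's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,       /* input ends inside the 2- or 6-byte header */
    PARSE_LEN_EXCEEDS_INPUT,  /* declared length runs past the end of the file */
    PARSE_LEN_EXCEEDS_BUFFER  /* declared length is larger than the destination */
};

struct record {
    uint16_t tag_code;
    uint32_t length;   /* payload length exactly as the file declares it */
    size_t   hdr_len;  /* 2 for the short form, 6 for the long form */
};

static uint16_t rd_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the header only: UI16 = tag_code << 6 | length; length 0x3F means a UI32 follows. */
static enum parse_status read_header(const uint8_t *in, size_t in_len, struct record *r)
{
    if (in_len < 2) return PARSE_SHORT_HEADER;
    uint16_t cl = rd_u16le(in);
    r->tag_code = cl >> 6;
    r->length   = cl & 0x3F;
    r->hdr_len  = 2;
    if (r->length == 0x3F) {
        if (in_len < 6) return PARSE_SHORT_HEADER;
        r->length  = rd_u32le(in + 2);
        r->hdr_len = 6;
    }
    return PARSE_OK;
}

/* The bug class under discussion: the length the file declares becomes the copy size.
 * A record claiming more than out_cap bytes writes past `out`; one claiming more than
 * the file holds reads past `in`. Shown for contrast only; never run on hostile data. */
enum parse_status copy_payload_unchecked(const uint8_t *in, size_t in_len,
                                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    struct record r;
    enum parse_status st = read_header(in, in_len, &r);
    if (st != PARSE_OK) return st;
    (void)out_cap;                          /* capacity ignored: that is the bug */
    memcpy(out, in + r.hdr_len, r.length);
    *out_len = r.length;
    return PARSE_OK;
}

/* Hardened form: the declared length is checked against what the file actually holds
 * and against the destination before a single byte is copied. */
enum parse_status copy_payload_checked(const uint8_t *in, size_t in_len,
                                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    struct record r;
    enum parse_status st = read_header(in, in_len, &r);
    if (st != PARSE_OK) return st;
    /* Compare against the remaining bytes instead of computing hdr_len + length, so a
     * length near UINT32_MAX cannot wrap the sum and slip past the check. */
    if (r.length > in_len - r.hdr_len) return PARSE_LEN_EXCEEDS_INPUT;
    if (r.length > out_cap)            return PARSE_LEN_EXCEEDS_BUFFER;
    memcpy(out, in + r.hdr_len, r.length);
    *out_len = r.length;
    return PARSE_OK;
}

/* Constructed sample records (not taken from any real SWF file). */
static const uint8_t BENIGN[]          = { 0x43, 0x00, 'a', 'b', 'c' };                   /* tag 1, length 3 */
static const uint8_t LIES_LONG[]       = { 0x7F, 0x00, 0x00, 0x00, 0x01, 0x00, 'x', 'y' }; /* claims 65536, holds 2 */
static const uint8_t BIG_PAYLOAD[2+40] = { 0x68, 0x00 };                                   /* tag 1, length 40, zero payload */
static const uint8_t WRAP[]            = { 0x7F, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };           /* claims ~4 GiB, holds 0 */

/* Run the checked parser on one sample into a 64-byte buffer and report the status. */
enum parse_status checked_status(const uint8_t *in, size_t in_len, size_t out_cap)
{
    uint8_t out[64];
    size_t n = 0;
    if (out_cap > sizeof out) out_cap = sizeof out;
    return copy_payload_checked(in, in_len, out, out_cap, &n);
}

/* Payload length the checked parser accepts for BENIGN, or -1 if the bytes differ. */
int benign_payload_len(void)
{
    uint8_t out[64];
    size_t n = 0;
    if (copy_payload_checked(BENIGN, sizeof BENIGN, out, sizeof out, &n) != PARSE_OK) return -1;
    return memcmp(out, "abc", 3) == 0 ? (int)n : -1;
}

int main(void)
{
    printf("benign:      %d bytes accepted\n", benign_payload_len());
    printf("lies_long:   status %d\n", checked_status(LIES_LONG, sizeof LIES_LONG, 64));
    printf("big_payload: status %d (16-byte buffer)\n", checked_status(BIG_PAYLOAD, sizeof BIG_PAYLOAD, 16));
    printf("wrap:        status %d\n", checked_status(WRAP, sizeof WRAP, 64));
    return 0;
}
```

The two checks are independent and both are needed: LIES_LONG is rejected because the file is shorter than it claims (an over-read), BIG_PAYLOAD is a well-formed record that is simply larger than the destination (the over-write the thread is about), and WRAP shows why the comparison is written as `length > remaining` rather than `hdr_len + length > in_len`, which could wrap on a 32-bit size_t and pass.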
indeed, and this is exactly the point that security experts who are in touch with reality try to bring to the public interest. Consider the analogy of a door (on a house or a car). Now if I believe that no one can open the door without my key I am not going to stem that belief just because you tell me that my door is "not secure". It is not until you demonstrate that the door is openable without the key that I am willing to change my belief in the security of my door. However, it is not only the security expert who can demonstrate the insecurity of your door. Indeed, the house/car robber can do the same. Is it not in our interest to aid the security expert to be the first to find the insecurity in our doors?
How we know is more important than what we know.
The kernel is coded to be portable. On some architectures you can indeed say this, but not on x86.
How we know is more important than what we know.
and once again. I tell you that the programmer has no idea what can cause a security fault so he has no idea how to fix it! It's not his job. We don't expect him to know anything about the lowdown on computer security. Hell, computer security is an emerging field. To be an expert in it you have to read and read a lot. I personally would prefer my programmers spending their time fixing (and indeed preventing) the bugs that users are going to report. Not the ones that some security egghead is going to find three years after we've shipped the product.
How we know is more important than what we know.
actually it's even worse than that. On an x86, you have two mechanisms of protection. You have segmented protection and you have page level protection. On page level protection you may specify whether a page is readable, writable or both. If a page is readable then it is executable. The other form of protection is descriptor level protection. That is, the descriptor used in the segment registers (mapped via the LDT and GDT) can be set to, once again, readable or writable or both. Readable implies executable. Now this is so ingrained in x86 that you will often see people referring to the readable bit as "read-exec". Linux uses descriptors via the LDT of each process to give separate address spaces to every program. However, the stack is not a separate address space to the code and data segments. That is, you don't have a different descriptor in SS than you do in DS. If you did have such a mechanism, you would have a lot of problems deciding when you need to use the SS register and when you need to use the DS register to access pointers.
How we know is more important than what we know.
err.. shouldn't this be under "bugs" and this story, shouldn't it be under well, anything other than bugs? What's going on?
How we know is more important than what we know.
Actually you can get the source to the Macromedia Flash (ie Shockwave) player at no cost.
How we know is more important than what we know.
umm.. no.. see security analysis is a completely different discipline to software development. So what you're asking the programmers to do is something very very hard (for them). You might as well ask them to determine if there is a product for the software or whip up an ad campaign for it. After all, who knows the product better than the software developers right? Now.. a reasonably informed opinion would be that companies should get security testers to test their product before they ship (or better yet, during the development cycle). But that would involve hiring people and paying them money to fix problems that people might not even find. Remember, most security bugs are not found. The product lives out its short life and disappears from the world when the next version or the next great paradigm shift happens. So you're asking companies to spend money on things that don't really lose them any money in the long run. So no, there is no technical reason why software can't be secure. It's an economic/political thing.
How we know is more important than what we know.
how about posting how to do this under win2k.
How we know is more important than what we know.
some how I doubt the first exploit to be written for this bug will be targeting linux.
How we know is more important than what we know.
this was hardly a case of a strcpy into a stack buffer. Read the article. This was not the kind of buffer overflow that could be fixed with a library. Indeed, a language that did bounds checking on arrays (and completely didn't support pointers) could have avoided this problem, but I'm not sure that it would.
How we know is more important than what we know.
- Programs are written in C, which doesn't like to do bounds checking
- Programmers turn off bounds checking, because it slows things down too much
- It's too difficult to do bounds checking code that works cross-platform
- Bounds checking isn't a language feature, it belongs in the OS
- Because OS designs tend to be flat, non-object-oriented, this will be a problem forever
- Mike... you just don't have a clue... the real reason involves Natalie Portman, Nudity, and Hot Grits
Well... what's up? Why have I never had this problem with my stuff? I do my programming in Delphi under Windows.--Mike--
You haven't started one comment on this whole page with a capital letter. Most people begin sentences with capital letters, even you do for the rest of your sentences. Please explain yourself.
"Share your knowledge. It's a way to achieve immortality." -- Dalai Lama
Perhaps you should write your website in HTML like all proper websites instead of depending on a tool designed for Mac-using arty farty twats who can't code properly.
But I don't think the original poster was giving tips on how to make a marketable website. He was giving tips on how to make a quality site with good, clear, easy to find content. Unfortunately there's a huge difference. :-(
kugano
So, from the fact that Neal mentions running it on Linux, I'm pretty sure he means the regular Flash player is vulnerable... but how about the other Shockwave plugin - the one that plays both Flash and Director files? Since he only refers to crashing it with SWF files, it's not clear to me whether he means the other plugin is vulnerable - and if it is, could it be crashed with a DCR file?
The researcher gave Macromedia seven months to patch this before posting to bugtraq. It just goes to prove, if proof is still needed, that commercial vendors will not fix holes until they are being exploited on a massive scale.
Yes, I know there are some shining exceptions. But I think that generally, unless a company has a clear track record of working with outsiders to fix holes in a timely fashion, anybody discovering an exploit should post it to bugtraq immediately. Vendors like Macromedia don't deserve the courtesy of advance notification, especially when it leaves huge numbers of machines vulnerable for months.
Yes, that's obviously the perception of the decision-makers, but are the decision-makers right? We've just seen the death of many e-commerce sites built with that 'noisy flashy junky' philosophy, and while their business models certainly contributed, I think the sites actively drove users away. For example, boo.com must be the most extreme case of 'commerce-as-entertainment' and for a brief period after their launch, it seemed that everyone would have to 'catch up' to their 'immersive' web site. Then, of course, they failed miserably. I never managed to see their site - some combination of netscape crashing, slow connections and server-side flakiness.
Who survived the e-commerce bloodbath? Amazon comes to mind - flashy perhaps, but info-rich with reviews and easy searching.
It's worth remembering that most attempts to "cash in on those knee-jerk, primitive instincts" ended up losing money. Maybe people aren't as primitive as merchants think.
I'd like a smarter lynx, that could among other things collapse these navbars into something like a listbox, so it would become only one element to skip past when you don't want it.
Re the unfriendly frameset issue, I wish designers would use something like:
I think the invitation to upgrade your browser is a poor idea because most people running a non-frames browser in 2001 are probably doing it on purpose, and there's no sense driving visitors away to do some other task, after which they'll probably forget to come back.
Generically, that describes any buffer overflow exploit that hasn't been perfected yet. If a program has a buffer 100 bytes long with no checking, and I feed it a 10M string, it will almost certainly crash. My string will have overwritten part of the program with instructions the CPU probably doesn't like. With enough work, I can design a string that puts some properly written machine language in a location the program will call or jump to. Thus, I can execute arbitrary code with the same privileges as the program.
Actually, userspace processes cannot write to hardware. That's part of what it means for '386 and up chips to enter protected mode which is the mode in which linux runs. All of Unix security would be worthless if users could perform sector-level writes to the hard disk.
Not to mention that for most things crackers want to do with your small linux box, user privs are not required. The logical exploit would be a small program that daemonizes itself and changes $0 to something already prevalent in your process table like 'xterm -bg black -fg green'. Then the daemon would fire off a udp packet to evil hq summarizing the latest capture and do a 'stealth bind' to a high-numbered port, awaiting commands from its dark master. Then your box is ready to be used as a DoS amplifier or an anonymizing springboard for various attacks. Given how linux users pride themselves on their uptime, the process could be around for quite a while.
I'm just kind of wondering why Macromedia seemed to blow this off. Specifically does anyone have any word from Macromedia on this?
Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
Not that it invalidates any of the points made, though...
sig not found
Rich
anything that says UNDER CONSTRUCTION
What if the site is about something else that's under construction, such as a software package? What would a building construction company do?
clear 1X1 pixel gifs used for spacing with alt tags that say "spacer"
I agree here. Ditch the spacers except in Netscape 4.x which can't render CSS; even then, a spacer's alt tag should be alt=""
don't use javascript to display text
How do you generate dynamic content if you aren't paying big bux0r$$$ for access to a cgi-bin folder? The only way is through client-side EcmaScript or Java technology.
websites that play music
So are you saying that web-based interfaces to the Napster service are unacceptable? Sometimes, the music is the content, but I see your point when the music is there just for flashturbation[?].
websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
Even piece-of-crash Nutscrape 4.x?
more than one animated gif on a page
I agree here. Animation should be used with moderation; even then, it should be done using PNGs and EcmaScript (or MNGs in 6.0 browsers), not GIFs.
I'd like to add one more: right-click traps[?]. See also the Right-Click Trap Shit List.
Tetris on drugs, NES music, and GNOME vs. KDE Bingo.
Will I retire or break 10K?
I've tried to send complaints to some of these folks. Usually they don't have a feedback link. When they do, they never care that the page doesn't work. I usually send an email when the site doesn't work with javascript disabled. Often times it's just a pull-down list that jumps you to a certain part of the site automatically, and lacks a little "go" button next to it.
They could not care less. When they do respond, it's usually "Javascript is required". One of the really good recent examples I recall is the search page at iwon.com. If javascript is disabled, you get a blank page with only their logo in the corner. They didn't seem to care when I mentioned that every other search engine/portal works without javascript. If you're up for a challenge, try poking around at iwon.com's site to find an email address or feedback entry page. They obviously don't want to hear from their users.
PJRC: Electronic Projects, 8051 Microcontroller Tools
PointlessGames.com -- Go waste some time.
MassMOG.com -- Visit the site; Use the word.
The player doesn't look like it is being actively developed, though maybe someone out there is interested?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
For things like PGP keys, you can issue a 'revocation certificate.' This is something that's generated from the private key and a user can look at it, look at your public key and see that indeed, you made the certificate and intend to say that "this key should no longer be used."
For all practical purposes, without the private key it's impossible to forge such a certificate, in the same way that it's practically impossible to go backwards from a public key to the private one (without the resources of, say, the NSA or distributed.net).
Given that with things like Windows and Flash, it seems inevitable that these programs are going to make contact with their makers occasionally (be it to check for updates, download banner ads, espionage or whatever), why not allow the parent site to send out a revocation certificate? If the software is designed to check for a certificate and refuse to function, then what might happen in this scenario is within the next few days, all Flash users receive a popup the next time they run Flash that says
Given that this sort of thing will probably end up happening anyway for other reasons (i.e. forced obsolescence), why not put it to good use as well?
"You can use this problem to "execute arbitrary code stored in the SWF file"."
Uh-oh.
Watch out for new Metallica versions of the Camp Chaos cartoons!
"Hey! This is, like, you know, Lars Ulrich from Metallica, and we've got a few choice words on Napster. At this very moment, we're, like, deleting everything with an MP3 extension on, like, your computer. And, like, every filename with the word Napster in it. James learned Linux for you!"
"Linux GOOD! Fire BAD! Napster BAD!"
"Finally, like, we think you hackers and computer nerds that we used to beat up in high school are, like, pretty cool with us, 'cause, like, without you guys, we'd have had no clue, like, no fucking idea, like, how to stop all the money grubbers sharing our stuff with Napster. I mean, we put blood, sweat and motherfucking beers into our music!"
Fire and Meat. Yummy.
You are right, I think windows2000 users who are automatically logged in as "Administrator" should really de-install this player.
--
Trolling using another account since 2005.
I am sorry not to agree with you. :-( ), which is only aimed at *one* browser (e.g. MSIE for Frontpage, NS for NS-editor, etc.).
I have designed dozens of websites and targeted my hand-made code to my test browser.
I actually saw many differences according to the visitor's web browser except in one case: Fresco is a web browser aimed at RiscOS platforms.
Whenever optimizing my code to look properly on it, it usually looked the same on all the popular browsers.
Bottom line: neither Java nor JavaScript, nor SSL, but in this case you can still choose another popular RiscOS browser such as Webster
Maybe there is a need for web developers to learn to code in standard HTML, especially when I see the crap generated by most HTML-generators (yuk
Finally, Fresco was developed for Oracle's Network Computer, whose first prototypes were developed by Acorn.
I'm afraid most windows2000 users are unable to set this up as it requires specific abilities that most of them don't have, as windows targets end-users.
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
There still may be danger, even if you're running your netscape application as a dummy user. Since you have to grant that user access to your X display, there may be security faults/features in the X server itself to which you're now vulnerable.
X authentication exists for a reason... if you override it, be sure you understand the risks :-)
What do you mean they cut the power? How can they cut the power, man? They're animals!
Lots of free advertising would happen. Sure, many people would be disgusted and uninstall it. But more people yet would now recognise the brand and product name. And Macromedia?? They wouldn't have any penalty imposed on them. Basically a virus distributed through flash would only be of benefit to Macromedia. Look at any of the softwares that have had big viruses distributed through their use and I think you'll find that they are more widely used than they were before.
While the selection for Linux is limited to an old version of the plugin, there is at least one system with NO Flash plugin at all - AIX. I happened to be checking Slashdot on a quick break at work and found this discussion. If I hit one of these Flash sites I get a popup telling me I need a plugin, but then there ain't one. And at home, at least some of the "Flash" sites require the version 5 plugin (not available for Linux), or the "Shockwave" plugin (also not available for Linux).
I agree with the KISS principle of website design. Maybe we'll be lucky - someone will exploit this bug, and then someone will sue Macromedia and they'll go bankrupt and there won't be any more FlashTrash. (Unfortunately if that happened, Micro$quish would buy them out and integrate Flash into Windoze - they could replace the "Active Desktop" with the "Hyperactive Desktop"!!)
Teen Angel - a Ghost Story
...to write a complicated, web-enabled package such as Flash and be sure you've removed every possible security bug from it? Of course not. There's no way to be certain. The chances are, every major Internet product - including IE, Netscape, Flash, will have more bugs exposed in it as time goes on. It's a fact of programming.
Yet another argument for open source software...
A malicious website could say, gather information about a person's computer with an innocent looking form (this would be the nit-wit factor here) and use it to create an on-the-fly generated Flash animation that knows exactly what to do to nit-wit's computer.
Or, with that previous Netscape JVM bug, generate a file-list from the user's computer, and then use the Flash plugin to delete/corrupt the exact location of files. This wouldn't even need the nit-wit factor.
And like, I'm not very smart, so there must be way better ways to mess people up with this.
And have I disabled flash? I'll do it tomorrow...
Jeremy McNaughton
------ Live simply so that others may simply live.
Many embedded web browsing devices ship with support for Flash. Maybe this overflow could be used to execute any code on those boxes if it was not possible otherwise. E.g. just load shockwave movie from http://linux.boot.org/ and your box will boot to Linux. Would not that be cool?
Now, think what we could do with a beowulf cluster of Flashed computers. This will give whole new meaning for flashing new applications.
err.. you're really lost in thinking that this code is being executed in the data segment but anyways, on x86 there is only READ_EXEC_ONLY, READ_WRITE_EXEC, READ_ONLY or NO_PERMISSIONS. You can't say READ_WRITE_ONLY which is the problem. If you want a data section that is read only then you can have that, but if you want a read/write data section that is not executable, sorry, that's not offered.
so that's what the boys at gabocorp have been doing all along!
those nefarious bastards!
FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network
"It is seldom that liberty of any kind is lost all at once." -David Hume
No, it is completely NOT necessary with css.
Unless you're selling DVDs, you don't have to worry about CSS issues.
Oh, that CSS. Cascading style sheets. The one that crashes Netscape 4.x, one of the most popular browsers on the Net (because Mozilla won't run well on their 32 MB machines). If you're using CSS layout, you may want to use a DeCSS filter to remove the formatting for those who are behind Nutscrape.
Many people haven't updated NS from the "Every web browser is a server with JAVA" security hole. So I doubt anyone will care.... :(
The majority of users won't care if their browser has security issues. They have their browser, they may have had it set up for them, or they may just not want to download a newer browser; this, and most other browser security holes will be left open.
The Windows update utility will fix this for some Windows users, but again, most users aren't using the latest version, or they'll just cancel the download.
Are there any really good ways for a browser to be kept up to date without causing too much trouble on the users part or sacrificing any security (for the anti-Microsoft paranoids)?
The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).
Hardly anyone who does Flash even knows about, let alone cares about, Linux support. The two major consumer platforms are well supported (and exploited, now!) and Linux still holds a tiny amount of market share. Not to mention hardcore Linux users will occasionally drop into 'doze or MacOS to browse, simply because Netscape sucks SO much. (Konqueror, on the other hand, is really getting there. Even supports Flash.)
IIRC, keyboard navigation *IS* possible in Flash, but it has to be authored in, which most people neglect to do.
-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.
Once again, the average Flash author will prolly think 'X' is some pr0n reference.
X platforms simply don't have enough market share for Random Webdesigner to care about - as long as (s)he hits the target audience and gets paid, (s)he's happy.
The Flash player is definitely a buggy piece of software, but I've had far fewer lockups and far more speed with Flash than with Java, so I really can't bitch about stability too much.
The buffer overflow is *extremely* careless tho...hopefully Macromedia will fix it soon.
--K
I've been meaning to install Shockwave on my Linux box to look at all the fancy things everyone else gets, but now I'm glad I haven't done so yet.
One common misconception about Unix security is if something doesn't run as root, any possible exploit is not important. A Shockwave player compromise can still read your mail, get/alter your files, even ptrace Netscape or ssh and grab your passwords. Doing as many things as possible under a non-root user is good practice, but does not solve all problems.
Well, after a little searching I found where M$ hides Shockwave for IE5:
c:\windows\system\macromedia
It's now been sent to
/dev/null .....
Here's the bugtraq id on securityfocus:
http://www.securityfocus.com/bid/2162
Cheers
There are languages, and libraries for other languages, out there that build in buffer bounding without you having to trust your programmers to handcode a check every time they make an I/O call.
When are developers going to wise up? Or do we still have a world full of developers who've never heard of the concept "buffer overflow", and thus don't know they should be taking precautions.
I know there are subtleties of security that won't be cured by a silver bullet, but BOs are discovered almost daily, and unless you're a hermit that never hears about any of those discoveries, there's not much excuse for publishing a program with a BO in it.
[Writer crosses fingers hoping not to be the next person to publish one!]
--
Sheesh, evil *and* a jerk. -- Jade
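The overflow mechanics described in the comment about feeding a 10M string into a 100-byte buffer, and the bounded-copy point made just above, as one added example. This is not code from the Flash player, from Macromedia, or from anyone in this thread. It uses a simplified record header loosely modelled on an SWF tag header (a 2-byte little-endian word with a 10-bit tag code and a 6-bit length, where a length of 0x3f means a 4-byte long length follows); the buffer size, the canary field, the sample bytes and every function name are assumptions made for the illustration. The unchecked copy trusts the length field from the file and overwrites whatever happens to sit after the buffer; the checked version compares the declared length against both the destination size and the bytes actually present, which is the check a bounds-aware library would make for you on every copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; not the Flash player's code.  The record format is a
 * simplification of an SWF tag header (assumption for the example). */

#define TAG_BUF_SIZE 64u
#define CANARY       0xCAFEBABEu

/* A fixed-size destination with something important right behind it.  In a
 * real player that "something" is whatever the compiler placed after the
 * buffer: saved registers, a return address, a function pointer. */
struct tag_slot {
    uint8_t  data[TAG_BUF_SIZE];
    uint32_t canary;
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a tag header.  Returns the header size (2 or 6), or 0 if fewer
 * bytes than a header are present. */
static size_t parse_tag_header(const uint8_t *in, size_t avail, uint16_t *code, uint32_t *len)
{
    if (avail < 2) return 0;
    uint16_t h = rd16(in);
    *code = (uint16_t)(h >> 6);
    *len  = h & 0x3f;
    if (*len != 0x3f) return 2;
    if (avail < 6) return 0;
    *len = rd32(in + 2);            /* "long length" form */
    return 6;
}

/* VULNERABLE: copies however many bytes the file claims.  Returns the
 * number of bytes copied; afterwards slot->canary shows whether the copy ran
 * past data[]. */
static uint32_t copy_tag_unchecked(const uint8_t *in, size_t avail, struct tag_slot *slot)
{
    uint16_t code; uint32_t len;
    size_t hdr = parse_tag_header(in, avail, &code, &len);
    if (hdr == 0) return 0;
    (void)code;
    slot->canary = CANARY;
    uint8_t *dst = slot->data;
    /* Compiler barrier (GCC/Clang syntax): hides where dst points so the
     * optimizer cannot assume the copy stays inside data[] and fold the
     * later canary read away.  It is only here to keep the demo honest. */
    __asm__ __volatile__("" : "+r"(dst));
    memcpy(dst, in + hdr, len);     /* BUG: len is never compared with TAG_BUF_SIZE */
    return len;
}

/* HARDENED: the declared length is checked against the destination and
 * against the bytes actually present before anything is copied. */
static enum parse_status copy_tag_checked(const uint8_t *in, size_t avail, struct tag_slot *slot)
{
    uint16_t code; uint32_t len;
    size_t hdr = parse_tag_header(in, avail, &code, &len);
    if (hdr == 0) return PARSE_TRUNCATED;
    (void)code;
    slot->canary = CANARY;
    if (len > TAG_BUF_SIZE) return PARSE_TOO_LONG;    /* would overflow data[] */
    if (len > avail - hdr)  return PARSE_TRUNCATED;   /* claims more than the input holds */
    memcpy(slot->data, in + hdr, len);
    return PARSE_OK;
}

/* Constructed test input: one tag with the given code, payload length and
 * fill byte, using the long-length form when len >= 0x3f.  Returns bytes
 * written, or 0 if cap is too small. */
static size_t build_tag(uint8_t *out, size_t cap, uint16_t code, uint32_t len, uint8_t fill)
{
    size_t hdr = (len >= 0x3f) ? 6 : 2;
    if (cap < hdr + len) return 0;
    uint16_t h = (uint16_t)((code << 6) | (len >= 0x3f ? 0x3f : len));
    out[0] = (uint8_t)h; out[1] = (uint8_t)(h >> 8);
    if (hdr == 6) {
        out[2] = (uint8_t)len;         out[3] = (uint8_t)(len >> 8);
        out[4] = (uint8_t)(len >> 16); out[5] = (uint8_t)(len >> 24);
    }
    memset(out + hdr, fill, len);
    return hdr + len;
}

int main(void)
{
    uint8_t file[128];
    struct tag_slot slot;
    /* A tag whose declared payload is 4 bytes longer than the buffer. */
    size_t n = build_tag(file, sizeof file, 1, TAG_BUF_SIZE + 4, 0x41);
    copy_tag_unchecked(file, n, &slot);
    printf("unchecked: canary now 0x%08x\n", slot.canary);              /* 0x41414141 */
    printf("checked:   status %d\n", (int)copy_tag_checked(file, n, &slot)); /* -2 */
    return 0;
}
```

The payload here is sized so the overrun stops at the canary and the program keeps running; declare a length larger than the whole struct and the unchecked copy writes past the frame, which is the crash this thread is describing, and with a crafted payload those bytes are what land on a return address. The checked version never reaches memcpy for either case.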
Anyone who thinks that a good website should depend on a plugin/javascript/animated graphics/java/images with no tags/frames/ or overdesigned pages that take forever to load on a 14.4 connection deserves the complaints from users they will get at the email address listed under 'feedback' on their page.
Spend your time on content, and when you've got good content, add in features... but don't ever trade off usability or accessibility for 'animated pull-down menus with sound and all sorts of mouseover hoopla' that won't work with anything but the latest browsers.
Use lynx and links to test your site for navigation. If you can't at least navigate your site with these tools, then it's time to start over.
My personal list of website peeves:
- Click here to enter -- Duh!? I already entered the url, doesn't that mean I want to enter?
- anything that says UNDER CONSTRUCTION -- no informational value. Everything on the internet is under construction
- clear 1X1 pixel gifs used for spacing with alt tags that say "spacer" - doing typesetting with 1X1 pixel transparent gifs is a kludge that adds a lot of excess html to your docs
- more than 2 frames in a page - on rare occasion, I can stomach two frames.
- using javascript for something that could be done with standard html - don't use javascript to display text, for example
- websites that play music - saw a sig on /. that said "If I wanted your site to make music, I'd have turned on the radio"
- websites that have all info in non-html or text formats like doc, xls, pdf, ps - Thanks for nothing - just post the info and use html or text. More info and file formats are nice, but put the info in text first.
- websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
- popup ads - did I ask you to open a window?
- any site that says: "Welcome to my website" - duh!
- more than one animated gif on a page
there are more, but I don't have the time to list them all. Bottom line: cut the junk and leave the content.
this is still in existence for the sole reason that no-one has bothered to write an exploit for it. In situations like this the standard response is to create a web page that explains what the exploit does and how it will do it. Then a link is included that says "show me, I want to be exploited" and clicking on the link does something fancy like writing files to your harddrive or desktop along with bringing up a message box. Why is this necessary? Because most companies do not have the time or man power to track down every little bug and fix it, no matter the security risk, and it is only after demonstrating that this is a serious problem that customers start to complain and companies take notice.
-Having two points on the same coordinate in any kind of vectorial shape causes a crash (something like a division by zero).
-The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).
-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.
-Specs for the newest .swf format revisions are always kept secret. Flash5 contains a JavaScript like language called ActionScript. This kind of stuff scares me to death...
It could always be possible to alias the netscape command to be transparently invoked as another user by placing the following in one's ~/.bashrc:
alias nsnav='su - dummy -c netscape'   # browse as the unprivileged "dummy" user
alias nsmail='netscape'                # mail stays under your own account
# "su -" resets the environment: dummy also needs DISPLAY set and an xauth cookie for your X server, or the browser cannot open the display
Launch the mail as usual or with the nsmail command, and if you want to surf (see here why you would like to), just launch navigator with the nsnav command.
Of course, you'd better use Konqueror or W3-Emacs but this was my 0.01$ bit.
-- If no truths are spoken then no lies can hide --
But I guess they feel that it is now a bigger threat. Maybe joecartoon and killfrog have been rooting our boxes unsuspectingly for the last year, and they are not catching on.
Oh well, my favorite resource has some more information here