Buffer Overflow In All Shockwave Players
drinkypoo writes: "As per this article at lwn.net there is a buffer overflow which affects "All SWF plugins on all platforms" because bounds checking is not being done on the SWF data. You can use this problem to "execute arbitrary code stored in the SWF file"."
AARGH this site is driving me nuts! Why did it feel the need to open a new window on the site? What's with all of this Javascript formatting? Why won't it just bring me to the stupid flash site so I can download the swf and play it, since the integration with the browser is broken on my machine? In the end, despite reading through the source on almost every page to get to the next page, I never did see any of these digital art exhibits.
I read the internet for the articles.
. . . lwn.net was running shockwave on a server and got fouled up from a time-travel game . . .
hawk
Sure a buffer overflow in Flash is big news. It's bigger than the uninitialized variable of 1999. But I think the news item of the millennium is going to be the null pointer dereference in Netscape. Look out CNN. We've got a null pointer story.
You mean like sendmail and BIND? Try searching the CERT advisories and you'll see what I mean.
I may just be delighted to see "Movie not loaded..." when I right-click on a blank space in a webpage after all!
--
Me spell chucker work grate. Need grandma chicken.
I never met a plugin I didn't hate.
I have a woman and money. Life is good.
Not to mention I have yet to see a Flash page with a static image - they're always animating with a rotating logo or some other action. Boom there goes all your bandwidth for that remote X connection.
:P
As I said before, Flash designers care about your
remote X sessions about as much as you care about their silly animations. I'd estimate people browsing across remote
X connections make up less than 1% of page views. It's an insignificant amount.
Remember, most 'normal' people aren't impressed by text-only pages written in HTML2, even though it's an effective way of disseminating info.
Then you factor in the fact Flash renders the animations in realtime, add in that constant animation with transitions/fades and there goes all your CPU power.
This is both a blessing and a curse. By rendering on the client side, you don't need to transfer a zillion frames of a raster animation. BUT, it does suck up processor cycles.
That said, I find I have MANY more processor cycles than kb/s of bandwidth, even on my slowest boxen.
There doesn't appear to be any concept of idle time - its development is similar to Director which I've worked on for 3 years, and in order to pull off a "Press here to continue" with an animation, you have to loop it. Ick.
(Forgive me if I'm thinking of something else.)
Ummm...Of course you have to loop it.
You can't make a repeating function (like an animation clip) without looping. Some programs
can hide it, but in the end, the processor is still executing a loop.
But then again what do you expect from a product from a company originally developing on the Mac?
Ahhh, the joys of teenage Linux bigotry.
I'm not saying Flash is perfect. It's far from it,
but it's not technology from the smoking pits of hell, either.
--K
The average web'master' can't even write HTML nowadays, or that's what you'd think looking at websites owned by large corps.
Absolutely true. I've had cow-orkers ask me (in an almost disbelieving tone) why I
was writing HTML by hand when "Frontpage is already installed"...
I've also heard people talk about "learning HTML" when what they mean is "learning Frontpage".
I kinda like Flash tho, it's nice for making slick, compact, artsy-fartsy things that won't get broken
by crappy HTML renderers. It either works, or it doesn't, and chances are it will work,
because 95% of the viewing population is Win/Mac.
And for the other 5%, it's not hard to include a less 'cool', but equally informative text version.
It all depends on who's doing the work and whether they give a shit.
--K
According to page 3-13 of "Pentium Pro Family Developer's Manual" "Volume 3: Operating System Writer's Guide", table 3-1: Code and Data segment types, there are four types of data segments - read-only, read/write, read-only-expand-down and read-write-expand-down, and four types of code segments - execute-only, execute-read, execute-only-conforming and execute-read-conforming. The problem is that under any UNIXy x86 systems, you don't use segmentation, but create one big executable segment and one big data segment, spanning all of the linear address space, and use page control as access control. This is because a) old big UNIX machines didn't have segmentation and b) some hackers consider segmentation an ugly kludge...
--The knowledge that you are an idiot, is what distinguishes you from one.
Perhaps it does that now, I don't care. It's (a) a security risk, (b) an unnecessary piece of shit (as previously stated.)
As you can tell, Macromedia annoyed me with this. But this also goes to a bigger, more serious issue - that of one-click downloads and updates of software on user's computers. Most users aren't able to make an informed choice about the software they're "choosing" to download. They just want to see the latest shiny thing on the website they're looking at, or get the latest update to anything from Winamp to their IM client. While this is a marketer's dream, it's a security nightmare. As the macro virus holes in software like Office are slowly closed, downloadable Web widgets are likely to become the next major virus delivery channel. And you can't trust "name-brand" companies like Macromedia, as this buffer overflow bug proves.
So don't give me "People, you're not even trying." I'm not trying, I'm succeeding, in following and promulgating successful security policies.
If a company wants to put out a multimedia viewer, they shouldn't try to force it on people. After it's been downloaded the first time, the damn thing virtually (or actually?) downloads updates itself. At one point, it didn't even have an uninstall option - and may still not for all I know, I no longer allow it on my system or my clients' systems. I've told my clients it's a security risk. Boy do I look like a guru now...
I installed it once under Linux... then realized
It was lame and useless... *shrug*
Yeah.. I'm on DSL and it only takes 10 seconds
for an Obnoxiously large web-site to load.. but I sure miss
Those REALLY nicely formatted sites that loaded
in ONE second using Lynx and a 28.8 connect.
Shockwave is like those metallic ribbons you
find hanging from the ends of the handle bars
on a girls bike. They may look pretty and be
entertaining to a simpleton with the IQ of jello
but they really don't serve any useful purpose.
Friends don't let friends buy Compaqs. (Dell/Gateway... same same) You want a good computer? Build it yourself.
> The web is no longer JUST a vehicle for transmitting information. It is also a tool for entertaining and marketing.
If you want to market to me, the same still applies: "Just the facts, ma'am." If I have to wait 10 seconds for some fancy graphics/animation/whatever to download, I'm more likely to click "back" than to patiently wait to be spoonfed a commercial that substitutes flash for content.
It is not uncommon for me to go to sites specifically looking for product information and leave without that information because I don't feel like waiting for the dog'n'pony show to finish. Those vendors lose my business.
Same thing with other kinds of site. ABC news used to have a decent site, but they "upgraded" it to make it more commercial friendly at the expense of making it hard to skim the headlines. I haven't been back since the "upgrade", so now I don't see any of their commercials.
--
Sheesh, evil *and* a jerk. -- Jade
I beg to differ. We "geeks" understand and know when to recognize a link when we see one. After taking an Internet Marketing class, statistically, more people will Click Here if you tell them to do so -- just like TV ads that say Buy Now or Hurry, while quantities last! It works with the general public. They're telling the masses what to do, and although the Click Here doesn't work for you or I, think about the millions of AOL customers who don't have a clue... They need to be specifically told to Click Here. And they will.
Trust me -- in online marketing terms, Click Here works, and that's the sad part.
See how well the Click Here works? You clicked. If I had a banner ad, I would have made $0.02. I've proved my point. It's all marketing. Blame the marketers for the Click Here craze. Now go read my previous post for more information.
We hear on an almost daily basis that there are security holes... mostly in Microsoft and Netscape software. The latest idiocy is that Windows Media Player can be used to execute arbitrary programs. Many of these holes involve buffer overruns that allow execution of "arbitrary code".
Has there ever actually been an actual and successful exploit using a buffer overrun that caused anything other than a GPF/segfault?
There's a lot of heat and noise about the sieve-like quality of software security of Internet software, but is it _really_ that much of a risk?
(Which isn't to say it shouldn't be addressed with all haste)
Rick
Due to a Y2K bug, all Y2K bugs occurred on 1 January 2001.
You are in a maze of twisty little passages, all alike.
That is some sweet flash....
ReadThe ReflectionEngine, a cyberpunk style n
Now, how to get an Open Source "DHTML" multimedia project, that will kick arses, rolling?
DHTML is a generic term to describe a lot of different things, like "object-oriented" or "open source." DHTML is not a specific technology. It is a collection of several standards: CSS, JavaScript and CSSP. And furthermore, you already have an "open source DHTML" project. It's called Mozilla.
If you're saying you need an open source Flash clone, take a look at SVG: XML-based vector graphics. It's supported by W3C and Adobe (amongst others).
- Scott
------
Scott Stevenson
Tree House Ideas
Please mod the parent post up. If anything from Macromedia tanks my computer, I'd most rather have that site do it for me. I took a web design class at my university's art dept. two years ago... not your typical "learn HTML and Javascript" course, rather entirely focused on WYSIWYG editors and visual communications... and they used Gabocorp as an example of what can really make you weep at your own pathetic visual design skills. Apparently the whole company is some kid from Puerto Rico who makes Flash presentations like B.B. King makes blues music. The correct URL, for the lazy, is gabocorp.com. The old "dubuhya dubuhya dubuhya dot" at the front leads to a non-existent server. (Then again, what's the problem with adding an extra DNS entry? Only us geeks would moan about that, though).
while grepping through the linux source it appears that it sets the prot_exec bit only if the vm_exec bit is set. I'll have to check what the intel chip actually does (I never liked the things, too much of a hack design) but from the source it looks like if any data or stack segments were not marked vm_exec then they wouldn't allow code to run at all.
For those that don't understand what I'm talking about....
Stack overflows take some simple data like this:
char name[25];
something_broken_like_gets(name);
Now when you feed in a string like "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", it goes on the stack and if the stack is built the wrong way, it overwrites the return area on the stack. So if you play your cards right and replace the 'A' with a properly calculated stack frame you can have the return from the function return to your code which you just happened to supply. The CPU pops the stack pointer and runs user supplied code and that is how most exploits happen. There are tools that will help generate the proper strings that have been mentioned in places like bugtraq.
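The copy-into-a-fixed-buffer pattern described in the comment above, rendered as an added example that is not part of the thread or of any Flash player code. It models a stack frame as a plain byte array (a 25-byte name[] with a sentinel standing in for the saved return address at a constructed offset; real frame layouts vary by compiler and ABI) so that the unchecked copy can be run within defined behaviour, and sets it beside a bounds-checked copy that also counts the terminating NUL, which is the off-by-one mentioned later in the thread. All names, offsets and inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Toy model of a stack frame: name[] occupies bytes 0..24, a marker standing
 * in for the saved return address sits at RET_OFFSET. Constructed values. */
#define NAME_LEN     25
#define RET_OFFSET   28
#define FRAME_LEN    64          /* large enough that the model itself never overruns */
#define RET_SENTINEL 0xDEADBEEFu /* constructed marker; any clobber changes it */

struct frame {
    unsigned char bytes[FRAME_LEN];
};

/* Constructed sample inputs: 48, 25 and 24 'A's. */
#define A8 "AAAAAAAA"
static const char OVER48[] = A8 A8 A8 A8 A8 A8;
static const char EXACT25[] = A8 A8 A8 "A";
static const char FITS24[] = A8 A8 A8;

static void frame_init(struct frame *f)
{
    memset(f->bytes, 0, sizeof f->bytes);
    uint32_t s = RET_SENTINEL;
    memcpy(f->bytes + RET_OFFSET, &s, sizeof s);
}

/* Read back whatever currently occupies the "return address" slot. */
static uint32_t frame_ret(const struct frame *f)
{
    uint32_t s;
    memcpy(&s, f->bytes + RET_OFFSET, sizeof s);
    return s;
}

/* The comment's something_broken_like_gets(): copies the whole line plus its
 * terminator into name[] without ever asking how big name[] is. Done with
 * memcpy inside the model frame so the demonstration stays well defined;
 * the FRAME_LEN check only protects the model, it is not the bounds check. */
static bool gets_like_copy(struct frame *f, const char *line)
{
    size_t n = strlen(line) + 1;
    if (n > FRAME_LEN)
        return false;
    memcpy(f->bytes, line, n);   /* runs past name[] as soon as n > NAME_LEN */
    return true;
}

/* Bounds-checked replacement. The terminator is counted, so a line of exactly
 * NAME_LEN characters already does not fit. Returns true if the line fit,
 * false if it had to be truncated; the buffer is NUL-terminated either way. */
static bool checked_copy(struct frame *f, const char *line)
{
    size_t len = strlen(line);
    bool fits = len + 1 <= NAME_LEN;
    size_t n = fits ? len : NAME_LEN - 1;
    memcpy(f->bytes, line, n);
    f->bytes[n] = '\0';
    return fits;
}

/* Run one line through both copies on fresh frames. Returns true when the
 * unchecked copy clobbered the sentinel and the checked copy did not. */
static bool demo(const char *line, bool *unchecked_clobbered, bool *checked_clobbered)
{
    struct frame a, b;
    frame_init(&a);
    frame_init(&b);
    gets_like_copy(&a, line);
    checked_copy(&b, line);
    *unchecked_clobbered = frame_ret(&a) != RET_SENTINEL;
    *checked_clobbered = frame_ret(&b) != RET_SENTINEL;
    return *unchecked_clobbered && !*checked_clobbered;
}

int main(void)
{
    bool u, c;
    demo("alice", &u, &c);
    printf("%-8s unchecked clobbered=%d  checked clobbered=%d\n", "alice", u, c);
    demo(OVER48, &u, &c);
    printf("%-8s unchecked clobbered=%d  checked clobbered=%d\n", "48 x A", u, c);
    printf("25 chars fit in a 25-byte buffer? %d\n", checked_copy(&(struct frame){{0}}, EXACT25));
    return 0;
}
```

With the 48-character line the unchecked copy overwrites the sentinel with 0x41414141 (four 'A' bytes), which is the "return area" the comment talks about, while the checked copy stops at 24 characters and leaves it untouched. The 25-character case shows why a buffer sized for the visible characters alone is one byte too small.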
indeed, and this is exactly the point that security experts who are in touch with reality try to bring to the public interest. Consider the analogy of a door (on a house or a car). Now if I believe that no one can open the door without my key I am not going to stem that belief just because you tell me that my door is "not secure". It is not until you demonstrate that the door is openable without the key that I am willing to change by belief in the security of my door. However, it is not only the security expert who can demonstrate the insecurity of your door. Indeed, the house/car robber can do the same. Is it not in our interest to aid the security expert to be the first to find the insecurity in our doors?
How we know is more important than what we know.
The kernel is coded to be portable. On some architectures you can indeed say this, but not on x86.
and once again. I tell you that the programmer has no idea what can cause a security fault so he has no idea how to fix it! It's not his job. We don't expect him to know anything about the lowdown on computer security. Hell, computer security is an emerging field. To be an expert in it you have to read and read a lot. I personally would prefer my programmers spending their time fixing (and indeed preventing) the bugs that users are going to report. Not the ones that some security egghead is going to find three years after we've shipped the product.
technically integer pointers into arrays are called "indexes" or at least in every book I've read. By pointers I specifically mean a variable that contains the address of a memory location. Although even that definition isn't great because that included "array variables".. oh well.
actually it's even worse than that. On an x86, you have two mechanisms of protection. You have segmented protection and you have page level protection. On page level protection you may specify whether a page is readable, writable or both. If a page is readable then it is executable. The other form of protection is descriptor level protection. That is, the descriptor used in the segment registers (mapped via the LDT and GDT) can be set to, once again, readable or writable or both. Readable implies executable. Now this is so ingrained in x86 that you will often see people referring to the readable bit as "read-exec". Linux uses descriptors via the LDT of each process to give separate address spaces to every program. However, the stack is not a separate address space to the code and data segments. That is, you don't have a different descriptor in SS than you do in DS. If you did have such a mechanism, you would have a lot of problems deciding when you need to use the SS register and when you need to use the DS register to access pointers.
err.. shouldn't this be under "bugs" and this story, shouldn't it be under well, anything other than bugs? What's going on?
Actually you can get the source to the Macromedia Flash (ie Shockwave) player at no cost.
umm.. no.. see security analysis is a completely different discipline to software development. So what you're asking the programmers to do is something very very hard (for them). You might as well ask them to determine if there is a market for the software or whip up an ad campaign for it. After all, who knows the product better than the software developers right? Now.. a reasonably informed opinion would be that companies should get security testers to test their product before they ship (or better yet, during the development cycle). But that would involve hiring people and paying them money to fix problems that people might not even find. Remember, most security bugs are not found. The product lives out its short life and disappears from the world when the next version or the next great paradigm shift happens. So you're asking companies to spend money on things that don't really lose them any money in the long run. So no, there is no technical reason why software can't be secure. It's an economic/political thing.
how about posting how to do this under win2k.
some how I doubt the first exploit to be written for this bug will be targeting linux.
this was hardly a case of a strcpy into a stack buffer. Read the article. This was not the kind of buffer overflow that could be fixed with a library. Indeed, a language that did bounds checking on arrays (and completely didn't support pointers) could have avoided this problem, but I'm not sure that it would.
- Programs are written in C, which doesn't like to do bounds checking
- Programmers turn off bounds checking, because it slows things down too much
- It's too difficult to do bounds checking code that works cross-platform
- Bounds checking isn't a language feature, it belongs in the OS
- Because OS designs tend to be flat, non-object-oriented, this will be a problem forever
- Mike... you just don't have a clue... the real reason involves Natalie Portman, Nudity, and Hot Grits
Well... what's up? Why have I never had this problem with my stuff? I do my programming in Delphi under Windows.--Mike--
You haven't started one comment on this whole page with a capital letter. Most people begin sentences with capital letters, even you do for the rest of your sentences. Please explain yourself.
"Share your knowledge. It's a way to achieve immortality." -- Dalai Lama
Perhaps you should write your website in HTML like all proper websites instead of depending on a tool designed for Mac-using arty farty twats who can't code properly.
But I don't think the original poster was giving tips on how to make a marketable website. He was giving tips on how to make a quality site with good, clear, easy to find content. Unfortunately there's a huge difference. :-(
kugano
So, from the fact that Neal mentions running it on Linux, I'm pretty sure he means the regular Flash player is vulnerable... but how about the other Shockwave plugin - the one that plays both Flash and Director files? Since he only refers to crashing it with SWF files, it's not clear to me whether he means the other plugin is vulnerable - and if it is, could it be crashed with a DCR file?
The researcher gave Macromedia seven months to patch this before posting to bugtraq. It just goes to prove, if proof is still needed, that commercial vendors will not fix holes until they are being exploited on a massive scale.
Yes, I know there are some shining exceptions. But I think that generally, unless a company has a clear track record of working with outsiders to fix holes in a timely fashion, anybody discovering an exploit should post it to bugtraq immediately. Vendors like Macromedia don't deserve the courtesy of advance notification, especially when it leaves huge numbers of machines vulnerable for months.
Ah yes, the drooling morons theory, commonly held by cynical techies. The problem is I have yet to meet one of these drooling morons. The non-tech savvy people I've seen surfing the web are easily confused and intimidated by complex, flashing, javascript-infested sites. They like simple fast sites like Yahoo, and above all sites that make them feel in control.
I agree there is some delta between the geeks and the normals - the normals seem to like one chunk of info per page, with clear navigation to access sibling, parent and child chunks of info. The geeks like lots of info on a page so they don't have to interrupt their info uptake for a page load.
Yes, that's obviously the perception of the decision-makers, but are the decision-makers right? We've just seen the death of many e-commerce sites built with that 'noisy flashy junky' philosophy, and while their business models certainly contributed, I think the sites actively drove users away. For example, boo.com must be the most extreme case of 'commerce-as-entertainment' and for a brief period after their launch, it seemed that everyone would have to 'catch up' to their 'immersive' web site. Then, of course, they failed miserably. I never managed to see their site - some combination of netscape crashing, slow connections and server-side flakiness.
Who survived the e-commerce bloodbath? Amazon comes to mind - flashy perhaps, but info-rich with reviews and easy searching.
It's worth remembering that most attempts to "cash in on those knee-jerk, primitive instincts" ended up losing money. Maybe people aren't as primitive as merchants think.
I'd like a smarter lynx, that could among other things collapse these navbars into something like a listbox, so it would become only one element to skip past when you don't want it.
Re the unfriendly frameset issue, I wish designers would use something like:
I think the invitation to upgrade your browser is a poor idea because most people running a non-frames browser in 2001 are probably doing it on purpose, and there's no sense driving visitors away to do some other task, after which they'll probably forget to come back.
Generically, that describes any buffer overflow exploit that hasn't been perfected yet. If a program has a buffer 100 bytes long with no checking, and I feed it a 10M string, it will almost certainly crash. My string will have overwritten part of the program with instructions the CPU probably doesn't like. With enough work, I can design a string that puts some properly written machine language in a location the program will call or jump to. Thus, I can execute arbitrary code with the same privileges as the program.
Actually, userspace processes cannot write to hardware. That's part of what it means for '386 and up chips to enter protected mode which is the mode in which linux runs. All of Unix security would be worthless if users could perform sector-level writes to the hard disk.
Not to mention that for most things crackers want to do with your small linux box, user privs are not required. The logical exploit would be a small program that daemonizes itself and changes $0 to something already prevalent in your process table like 'xterm -bg black -fg green'. Then the daemon would fire off a udp packet to evil hq summarizing the latest capture and do a 'stealth bind' to a high-numbered port, awaiting commands from its dark master. Then your box is ready to be used as a DOS amplifier or an anonymizing springboard for various attacks. Given how linux users pride themselves on their uptime, the process could be around for quite a while.
I'm just kind of wondering why Macromedia seemed to blow this off. Specifically does anyone have any word from Macromedia on this?
Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
Not that it invalidates any of the points made, though...
sig not found
Rich
anything that says UNDER CONSTRUCTION
What if the site is about something else that's under construction, such as a software package? What would a building construction company do?
clear 1X1 pixel gifs used for spacing with alt tags that say "spacer"
I agree here. Ditch the spacers except in Netscape 4.x which can't render CSS; even then, a spacer's alt tag should be alt=""
don't use javascript to display text
How do you generate dynamic content if you aren't paying big bux0r$$$ for access to a cgi-bin folder? The only way is through client-side EcmaScript or Java technology.
websites that play music
So are you saying that web-based interfaces to the Napster service are unacceptable? Sometimes, the music is the content, but I see your point when the music is there just for flashturbation.
websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
Even piece-of-crash Nutscrape 4.x?
more than one animated gif on a page
I agree here. Animation should be used with moderation; even then, it should be done using PNGs and EcmaScript (or MNGs in 6.0 browsers), not GIFs.
I'd like to add one more: right-click traps. See also the Right-Click Trap Shit List.
Tetris on drugs, NES music, and GNOME vs. KDE Bingo.
Will I retire or break 10K?
I've tried to send complaints to some of these folks. Usually they don't have a feedback link. When they do, they never care that the page doesn't work. I usually send an email when the site doesn't work with javascript disabled. Often times it's just a pull-down list that jumps you to a certain part of the site automatically, and lacks a little "go" button next to it.
They could not care less. When they do respond, it's usually "Javascript is required". One of the really good recent examples I recall is the search page at iwon.com. If javascript is disabled, you get a blank page with only their logo in the corner. They didn't seem to care when I mentioned that every other search engine/portal works without javascript. If you're up for a challenge, try poking around at iwon.com's site to find an email address or feedback entry page. They obviously don't want to hear from their users.
PJRC: Electronic Projects, 8051 Microcontroller Tools
PointlessGames.com -- Go waste some time.
MassMOG.com -- Visit the site; Use the word.
The player doesn't look like it is being actively developed, though maybe someone out there is interested?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
See, this is why buffer overflows are common. People make mistakes on the end of the buffer. A 100 byte line will cause the overflow (\0 on the end)
For things like PGP keys, you can issue a 'revocation certificate.' This is something that's generated from the private key and a user can look at it, look at your public key and see that indeed, you made the certificate and intend to say that "this key should no longer be used."
For all practical purposes, without the private key it's impossible to forge such a certificate, in the same way that it's practically impossible to go backwards from a public key to the private one (without the resources of, say, the NSA or distributed.net).
Given that with things like Windows and Flash, it seems inevitable that these programs are going to make contact with their makers occasionally (be it to check for updates, download banner ads, espionage or whatever), why not allow the parent site to send out a revocation certificate? If the software is designed to check for a certificate and refuse to function, then what might happen in this scenario is within the next few days, all Flash users receive a popup the next time they run Flash that says
Given that this sort of thing will probably end up happening anyway for other reasons (ie forced obsolescence), why not put it to good use as well?
Isn't this unnecessary? I'm under the impression that Flash files get loaded automatically once someone already has the plugin. So all that's really necessary is creating a page that people will go to (porn works well) and placing the flash file in question on it.
Or crackers could place the evil flash file on a popular web site in addition to or in lieu of the general vandalism that takes place.
You can use this problem to "execute arbitrary code stored in the SWF file".
Uh-oh.
Watch out for new Metallica versions of the Camp Chaos cartoons!
"Hey! This is, like, you know, Lars Ulrich from Metallica, and we've got a few choice words on Napster. At this very moment, we're, like, deleting everything with an MP3 extension on, like, your computer. And, like, every filename with the word Napster in it. James learned Linux for you!"
"Linux GOOD! Fire BAD! Napster BAD!"
"Finally, like, we think you hackers and computer nerds that we used to beat up in high school are, like, pretty cool with us, 'cause, like, without you guys, we'd have had no clue, like, no fucking idea, like, how to stop all the money grubbers sharing our stuff with Napster. I mean, we put blood, sweat and motherfucking beers into our music!"
Fire and Meat. Yummy.
You are right, I think windows2000 users who are automatically logged in as "Administrator" should really de-install this player.
--
Trolling using another account since 2005.
I am sorry not to agree with you. :-( ), which is only aimed at *one* browser (e.g. MSIE for Frontpage, NS for NS-editor, etc.).
I have designed dozens of websites and targeted my hand-made code to my test browser.
I actually saw many differences according to the visitor's web browser except in one case : Fresco is a web browser aimed at RiscOS platforms.
Whenever optimizing my code to look proper on it, it usually looked the same on all the popular browsers.
Bottom lines : neither java nor javascript, nor SSL but in this case you can still choose another popular RiscOS browser such as Webster
Maybe there is a need for web developers to learn to code in standard HTML, especially when I see the crap generated by most HTML-generators (yuk
Finally, Fresco was developed for Oracle's Network Computer, whose first prototypes were developed by Acorn.
I'm afraid most windows2000 users are unable to set up this as it requires specific abilities that most of them don't have, as windows targets end-users.
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
There still may be danger, even if you're running your netscape application as a dummy user. Since you have to grant that user access to your X display, there may be security faults/features in the X server itself to which you're now vulnerable.
X authentication exists for a reason... if you override it, be sure you understand the risks :-)
What do you mean they cut the power? How can they cut the power, man? They're animals!
Lots of free advertising would happen. Sure, many people would be disgusted and uninstall it. But more people yet would now recognise the brand and product name. And Macromedia?? They wouldn't have any penalty imposed on them. Basically a virus distributed through flash would only be of benefit to Macromedia. Look at any of the software packages that have had big viruses distributed through their use and I think you'll find that they are more widely used than they were before.
While the selection for Linux is limited to an old version of the plugin, there is at least one system with NO Flash plugin at all - AIX. I happened to be checking Slashdot on a quick break at work and found this discussion. If I hit one of these Flash sites I get a popup telling me I need a plugin, but then there ain't one. And at home, at least some of the "Flash" sites require the version 5 plugin (not available for Linux), or the "Shockwave" plugin (also not available for Linux).
I agree with the KISS principle of website design. Maybe we'll be lucky - someone will exploit this bug, and then someone will sue Macromedia and they'll go bankrupt and there won't be any more FlashTrash. (Unfortunately if that happened, Micro$quish would buy them out and integrate Flash into Windoze - they could replace the "Active Desktop" with the "Hyperactive Desktop"!!)
Teen Angel - a Ghost Story
...to write a complicated, web-enabled package such as Flash and be sure you've removed every possible security bug from it? Of course not. There's no way to be certain. The chances are, every major Internet product - including IE, Netscape, Flash, will have more bugs exposed in it as time goes on. It's a fact of programming.
Yet another argument for open source software...
A malicious website could say, gather information about a person's computer with an innocent looking form (this would be the nit-wit factor here) and use it to create an on-the-fly generated Flash animation that knows exactly what to do to nit-wit's computer.
Or, with that previous Netscape JVM bug, generate a file-list from the user's computer, and then use the Flash plugin to delete/corrupt the exact location of files. This wouldn't even need the nit-wit factor.
And like, I'm not very smart, so there must be way better ways to mess people up with this.
And have I disabled flash? I'll do it tomorrow...
Jeremy McNaughton
------ Live simply so that others may simply live.
Many embedded web browsing devices ship with support for Flash. Maybe this overflow could be used to execute any code on those boxes if it was not possible otherwise. E.g. just load a shockwave movie from http://linux.boot.org/ and your box will boot to Linux. Wouldn't that be cool?
Now, think what we could do with a beowulf cluster of Flashed computers. This will give a whole new meaning to flashing new applications.
err.. you're really lost in thinking that this code is being executed in the data segment, but anyways, on x86 there is only READ_EXEC_ONLY, READ_WRITE_EXEC, READ_ONLY or NO_PERMISSIONS. You can't say READ_WRITE_ONLY, which is the problem. If you want a data section that is read only then you can have that, but if you want a read/write data section that is not executable, sorry, that's not offered.
How we know is more important than what we know.
so that's what the boys at gabocorp have been doing all along!
those nefarious bastards!
FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network
"It is seldom that liberty of any kind is lost all at once." -David Hume
No, it is completely NOT necessary with css.
Unless you're selling DVDs, you don't have to worry about CSS issues.
Oh, that CSS. Cascading style sheets. The one that crashes Netscape 4.x, one of the most popular browsers on the Net (because Mozilla won't run well on their 32 MB machines). If you're using CSS layout, you may want to use a DeCSS filter to remove the formatting for those who are behind Nutscrape.
Tetris on drugs, NES music, and GNOME vs. KDE Bingo.
Will I retire or break 10K?
Many people haven't updated NS from the "Every web browser is a server with JAVA" security hole. So I doubt anyone will care.... :(
The majority of users won't care if their browser has security issues. They have their browser, they may have had it set up for them, or they may just not want to download a newer browser; this, and most other browser security holes, will be left open.
The Windows update utility will fix this for some Windows users, but again, most users aren't using the latest version, or they'll just cancel the download.
Are there any really good ways for a browser to be kept up to date without causing too much trouble on the user's part or sacrificing any security (for the anti-Microsoft paranoids)?
    #include <stdio.h>
    #include <stdlib.h>

    int getnextnumber(FILE *fp)
    {
        char line[100];        /* 100-byte buffer on the stack */
        fgets(line, 200, fp);  /* but fgets is told it may write up to 200 bytes */
        return atoi(line);
    }
(I may have got the parameters in the wrong order above, don't flame me, it's the principle that I'm trying to describe)
In the above, the programmer has allocated a 100 byte array for input of a number, but has called fgets to read a line of up to 200 characters. So a 101 byte line will overflow the buffer.
With the way most C compilers on most platforms allocate memory, the same stack is used to store both the return address to jump to when the function has finished executing and the data itself. Therefore, a buffer overflow exploit needs to put code in the buffer, work out where that code will be when the function is executed, and overwrite the return address with the address of that code.
It's not easy, but a number of factors can help a hacker in this situation. Usually, once compiled for a particular platform (on 32-bit platforms at least), the function will normally always appear in the same place in memory, and when the program is running, if you're careful about the conditions under which you feed it bad data, you can make a reasonable assessment as to where the stack will be when it's called.
The majority of UNIX hacks I've seen on the Bugtraq lists are buffer overflow exploits, and from what I recall, they're the major ones the OpenBSD team are constantly on the lookout for. So it's a real problem, and assuming the Shockwave overflow is predictable as described above (or requires little overflow anywhere else to overwrite code or a return address), it's credible someone might use it.
So don't run Netscape as root. Unless you're a Windows 9X/Me user of course, where you don't have much choice...
--
You are not alone. This is not normal. None of this is normal.
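A hardened counterpart to the getnextnumber function in the post above, added here as an example and not the poster's code: the size passed to fgets is taken from the array, the over-long line is detected instead of overflowing, and the helper names read_one, read_status, read_value and over_long_status and the inputs they feed in are hypothetical and constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hardened reader: the size given to fgets is derived from the array, its
 * result is checked, an over-long line is detected and drained instead of
 * silently truncated, and strtol replaces atoi so junk and out-of-range input
 * are reported. Returns 0 ok, -1 EOF/error, -2 line too long, -3 not a number. */
int getnextnumber_safe(FILE *fp, long *out)
{
    char line[100];
    if (fgets(line, sizeof line, fp) == NULL) return -1;
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] != '\n') {
        /* Buffer full before a newline: was the line exactly 99 chars or longer? */
        int c = fgetc(fp);
        if (c != EOF && c != '\n') {
            while ((c = fgetc(fp)) != EOF && c != '\n') {} /* discard the rest */
            return -2;
        }
    }
    char *end;
    errno = 0;
    long v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE) return -3;
    *out = v;
    return 0;
}
/* Demonstration helpers (hypothetical names): push a constructed string through
 * a tmpfile() FILE* and report the status, or the value (LONG_MIN if rejected). */
static int read_one(const char *text, long *out)
{
    FILE *fp = tmpfile();
    fputs(text, fp); rewind(fp);
    int rc = getnextnumber_safe(fp, out);
    fclose(fp);
    return rc;
}
int read_status(const char *text) { long v; return read_one(text, &v); }
long read_value(const char *text) { long v; return read_one(text, &v) == 0 ? v : LONG_MIN; }
/* The post's 101+ byte case: n digits, which the original getnextnumber
 * would have written straight past its 100-byte array. */
int over_long_status(size_t n)
{
    char *buf = malloc(n + 2);                      /* n digits + '\n' + NUL */
    memset(buf, '7', n); buf[n] = '\n'; buf[n + 1] = '\0';
    int rc = read_status(buf);
    free(buf); return rc;
}
```

A 99-digit line fits the buffer but is rejected by strtol as out of range, so it comes back as -3 rather than being silently mangled the way atoi would.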
The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).
;),
:P)
Hardly anyone who does Flash even knows about, let alone cares about, Linux support. The two major consumer platforms are well supported (and exploited, now!) and Linux still holds a tiny amount of market share. Not to mention hardcore Linux users will occasionally drop into 'doze or MacOS to browse, simply because Netscape sucks SO much. (Konqueror, on the other hand, is really getting there. Even supports Flash.)
IIRC, keyboard navigation *IS* possible in Flash, but it has to be authored in, which most people neglect to do.
-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.
Once again, the average Flash author will prolly think 'X' is some pr0n reference.
X platforms simply don't have enough market share for Random Webdesigner to care about - as long as (s)he hits the target audience and gets paid, (s)he's happy.
The Flash player is definitely a buggy piece of software, but I've had far less lockups and far more speed with Flash than with Java, so I really can't bitch about stability too much.
The buffer overflow is *extremely* careless though... hopefully Macromedia will fix it soon.
--K
I've been meaning to install Shockwave on my Linux box to look at all the fancy things everyone else gets, but now I'm glad I haven't done so yet.
One common misconception about Unix security is that if something doesn't run as root, any possible exploit is not important. A Shockwave player compromise can still read your mail, get/alter your files, even ptrace Netscape or ssh and grab your passwords. Doing as many things as possible under a non-root user is good practice, but does not solve all problems.
Well after a little searching I found where M$ hides shockwave for IE5:
c:\windows\system\macromedia
it's now been sent to /dev/null .....
Here's the bugtraq id on securityfocus:
http://www.securityfocus.com/bid/2162
Cheers
There are languages, and libraries for other languages, out there that build in buffer bounding without you having to trust your programmers to handcode a check every time they make an I/O call.
When are developers going to wise up? Or do we still have a world full of developers who've never heard of the concept "buffer overflow", and thus don't know they should be taking precautions.
I know there are subtleties of security that won't be cured by a silver bullet, but BOs are discovered almost daily, and unless you're a hermit that never hears about any of those discoveries, there's not much excuse for publishing a program with a BO in it.
[Writer crosses fingers hoping not to be the next person to publish one!]
--
Sheesh, evil *and* a jerk. -- Jade
Anyone who thinks that a good website should depend on a plugin/javascript/animated graphics/java/images with no tags/frames/ or overdesigned pages that take forever to load on a 14.4 connection deserves the complaints from users they will get at the email address listed under 'feedback' on their page.
Spend your time on content, and when you've got good content, add in features... but don't ever trade off usability or accessibility for 'animated pull-down menus with sound and all sorts of mouseover hoopla' that won't work with anything but the latest browsers.
Use lynx and links to test your site for navigation. If you can't at least navigate your site with these tools, then it's time to start over.
My personal list of website peeves:
- Click here to enter -- Duh!? I already entered the url, doesn't that mean I want to enter?
- anything that says UNDER CONSTRUCTION -- no informational value. Everything on the internet is under construction
- clear 1X1 pixel gifs used for spacing with alt tags that say "spacer" - doing typesetting with 1X1 pixel transparent gifs is a kludge that adds a lot of excess html to your docs
- more than 2 frames in a page - on rare occasion, I can stomach two frames.
- using javascript for something that could be done with standard html - don't use javascript to display text, for example
- websites that play music - saw a sig on /. that said "If I wanted your site to make music, I'd have turned on the radio"
- websites that have all info in non-html or text formats like doc, xls, pdf, ps - Thanks for nothing - just post the info and use html or text. More info and file formats are nice, but put the info in text first.
- websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
- popup ads - did I ask you to open a window?
- any site that says: "Welcome to my website" - duh!
- more than one animated gif on a page
there are more, but I don't have the time to list them all. Bottom line: cut the junk and leave the content.
This is still in existence for the sole reason that no-one has bothered to write an exploit for it. In situations like this the standard response is to create a web page that explains what the exploit does and how it will do it. Then a link is included that says "show me, I want to be exploited" and clicking on the link does something fancy like writing files to your harddrive or desktop along with bringing up a message box. Why is this necessary? Because most companies do not have the time or manpower to track down every little bug and fix it, no matter the security risk, and it is only after demonstrating that this is a serious problem that customers start to complain and companies take notice.
How we know is more important than what we know.
-Having two points on the same coordinate in any kind of vectorial shape causes a crash (something like a division by zero).
-The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).
-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.
-Specs for the newest .swf format revisions are always kept secret. Flash5 contains a JavaScript like language called ActionScript. This kind of stuff scares me to death...
It could always be possible to alias the netscape command to be transparently invoked as another user by placing the following in one's ~/.bashrc :
alias nsnav='su - dummy -c netscape'   # run Navigator as the unprivileged "dummy" user (aliases are not expanded under su -c, so name the real binary)
alias nsmail='netscape'                # mail stays under your own account
Launch the mail as usual or with the nsmail command, and if you want to surf (see here why you would like to), just launch Navigator with the nsnav command.
Of course, you'd better use Konqueror or W3-Emacs but this was my 0.01$ bit.
--
Trolling using another account since 2005.
-- If no truths are spoken then no lies can hide --
But I guess they feel that it is now a bigger threat. Maybe joecartoon and killfrog have been rooting our boxes unsuspectingly for the last year, and they are not catching on.
Oh well, my favorite resource has some more information here