Slashdot Mirror


Buffer Overflow In All Shockwave Players

drinkypoo writes: "As per this article at lwn.net there is a buffer overflow which affects "All SWF plugins on all platforms" because bounds checking is not being done on the SWF data. You can use this problem to "execute arbitrary code stored in the SWF file"."

12 of 201 comments

  1. No one cares by Pope Slackman · · Score: 4

    > The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).

    Hardly anyone who does Flash even knows about, let alone cares about Linux support.
    The two major consumer platforms are well supported (and exploited, now! ;),
    and Linux still holds a tiny amount of market share.
    Not to mention hardcore Linux users will occasionally drop into 'doze or MacOS to browse,
    simply because Netscape sucks SO much.
    (Konqueror, on the other hand, is really getting there. Even supports Flash. :P)

    IIRC, keyboard navigation *IS* possible in Flash, but it has to be authored in, which most people neglect to do.

    > -Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.

    Once again, the average Flash author will prolly think 'X' is some pr0n reference.
    X platforms simply don't have enough market share for Random Webdesigner to care about - as long as (s)he hits the target audience and gets paid, (s)he's happy.

    The Flash player is definitely a buggy piece of software, but I've had far less
    lockups and far more speed with Flash than with Java, so I really can't bitch about stability too much.
    The buffer overflow is *extremely* careless tho...hopefully Macromedia will fix it soon.

    --K

  2. Glad I Haven't Installed Shockwave by Alex Pennace · · Score: 4

    I've been meaning to install Shockwave on my Linux box to look at all the fancy things everyone else gets, but now I'm glad I haven't done so yet.

    One common misconception about Unix security is if something doesn't run as root, any possible exploit is not important. A Shockwave player compromise can still read your mail, get/alter your files, even ptrace Netscape or ssh and grab your passwords. Doing as many things as possible under a non-root user is good practice, but does not solve all problems.

  3. Re:unable to close the hole .....Eureka! by Kalgart · · Score: 4

    Well after a little searching I found where M$ hides shockwave for IE5.

    c:\windows\system\macromedia

    it's now been sent to /dev/null .....

  4. This is fairly old by jesseraf · · Score: 4

    Here's the bugtraq id on securityfocus:
    http://www.securityfocus.com/bid/2162
    Cheers

  5. "How long, O Lord?" by Black Parrot · · Score: 5

    There are languages, and libraries for other languages, out there that build in buffer bounding without you having to trust your programmers to handcode a check every time they make an I/O call.

    When are developers going to wise up? Or do we still have a world full of developers who've never heard of the concept "buffer overflow", and thus don't know they should be taking precautions?

    I know there are subtleties of security that won't be cured by a silver bullet, but BOs are discovered almost daily, and unless you're a hermit that never hears about any of those discoveries, there's not much excuse for publishing a program with a BO in it.

    [Writer crosses fingers hoping not to be the next person to publish one!]

    --
    Sheesh, evil *and* a jerk. -- Jade
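The bounds check the post above asks for, as an added example that is not code from the article, from the reporter, or from Macromedia's player: a checked reader for the SWF RECORDHEADER (the tag code and length word that precedes every tag in an SWF file) that rejects a declared length which does not fit in the remaining input or in the fixed body buffer. The buffer size, sample bytes and function names are constructed for this illustration and are not taken from the real player.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAX_TAG_BODY 4096  /* hypothetical fixed body buffer a player might use */

struct swf_tag {
    uint16_t code;
    uint32_t length;
    const uint8_t *body;   /* points into the caller's input; nothing is copied yet */
};
/* SWF RECORDHEADER: little-endian 16-bit word, top 10 bits tag code, low 6 bits
 * length; a length of 0x3f means a 32-bit little-endian length follows. Returns
 * bytes consumed (header + body), or 0 when the header or the declared body would
 * run past the `avail` input bytes or past MAX_TAG_BODY. */
size_t swf_read_tag(const uint8_t *in, size_t avail, struct swf_tag *out)
{
    size_t hdr = 2;
    if (avail < hdr) return 0;                          /* truncated header */
    uint16_t w = (uint16_t)(in[0] | (in[1] << 8));
    uint32_t len = w & 0x3f;
    if (len == 0x3f) {                                  /* long-form length */
        if (avail < hdr + 4) return 0;
        len = (uint32_t)in[2] | ((uint32_t)in[3] << 8) |
              ((uint32_t)in[4] << 16) | ((uint32_t)in[5] << 24);
        hdr += 4;
    }
    /* The check the post asks for: the length the file declares must fit in the
     * remaining input and in the destination buffer. Without it a crafted length
     * drives the memcpy in swf_copy_body past the end of the body buffer. */
    if (len > avail - hdr || len > MAX_TAG_BODY) return 0;
    out->code = w >> 6;
    out->length = len;
    out->body = in + hdr;
    return hdr + len;
}

/* Copies a tag body into the fixed buffer only after swf_read_tag has validated it. */
size_t swf_copy_body(const uint8_t *in, size_t avail, uint8_t dst[MAX_TAG_BODY])
{
    struct swf_tag t;
    if (swf_read_tag(in, avail, &t) == 0) return 0;
    memcpy(dst, t.body, t.length);
    return t.length;
}
/* Constructed sample bytes (not taken from any real SWF file) to try the reader on. */
static struct swf_tag scratch;
static uint8_t body_buf[MAX_TAG_BODY];
static const uint8_t SHORT_TAG[] = {0x43, 0x02, 1, 2, 3};          /* code 9, length 3 */
static const uint8_t LONG_TAG[]  = {0xbf, 0x00, 2, 0, 0, 0, 7, 8}; /* code 2, long length 2 */
static const uint8_t OVERSIZE[]  = {0xbf, 0x00, 0, 0, 1, 0};       /* claims 65536 body bytes */
```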
  6. it's the content that matters, and ONLY content by poopie · · Score: 5

    Anyone who thinks that a good website should depend on a plugin/javascript/animated graphics/java/images with no tags/frames/ or overdesigned pages that take forever to load on a 14.4 connection deserves the complaints from users they will get at the email address listed under 'feedback' on their page.

    Spend your time on content, and when you've got good content, add in features... but don't ever trade off usability or accessibility for 'animated pull-down menus with sound and all sorts of mouseover hoopla' that won't work with anything but the latest browsers.

    Use lynx and links to test your site for navigation. If you can't at least navigate your site with these tools, then it's time to start over.

    My personal list of website peeves:
    - Click here to enter -- Duh!? I already entered the url, doesn't that mean I want to enter?
    - anything that says UNDER CONSTRUCTION -- no informational value. Everything on the internet is under construction
    - clear 1X1 pixel gifs used for spacing with alt tags that say "spacer" - doing typesetting with 1X1 pixel transparent gifs is a kludge that adds a lot of excess html to your docs
    - more than 2 frames in a page - on rare occasion, I can stomach two frames.
    - using javascript for something that could be done with standard html - don't use javascript to display text, for example
    - websites that play music - saw a sig on /. that said "If I wanted your site to make music, I'd have turned on the radio"
    - websites that have all info in non-html or text formats like doc, xls, pdf, ps - Thanks for nothing - just post the info and use html or text. More info and file formats are nice, but put the info in text first.
    - websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
    - popup ads - did I ask you to open a window?
    - any site that says: "Welcome to my website" - duh!
    - more than one animated gif on a page

    there are more, but I don't have the time to list them all. Bottom line: cut the junk and leave the content.

    1. Re:it's the content that matters, and ONLY content by FTL · · Score: 5
      >My personal list of website peeves:

      Good list.

      My list of peeves is very similar, but also includes click here links. When one glances at a webpage the links stand out. So one can usually just scan down and find the link one wants. But this doesn't work when the text that stands out is click here, click here and click here.

      click here for Slashdot,
      vs
      Visit Slashdot.

      --
      Slashdot monitor for your Mozilla sidebar or Active Desktop.
  7. no exploit by QuantumG · · Score: 5

    this is still in existence for the sole reason that no-one has bothered to write an exploit for it. In situations like this the standard response is to create a web page that explains what the exploit does and how it will do it. Then a link is included that says "show me, I want to be exploited" and clicking on the link does something fancy like writing files to your harddrive or desktop along with bringing up a message box. Why is this necessary? Because most companies do not have the time or manpower to track down every little bug and fix it, no matter the security risk and it is only after demonstrating that this is a serious problem that customers start to complain and companies take notice.

    --
    How we know is more important than what we know.
  8. Flash baad by tinic · · Score: 5
    The flash player is one poor piece of engineering:

    -Having two points on the same coordinate in any kind of vectorial shape causes a crash (something like a division by zero).

    -The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).

    -Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.

    -Specs for the newest .swf format revisions are always kept secret. Flash5 contains a JavaScript like language called ActionScript. This kind of stuff scares me to death...

  9. hmmmm... by mirko · · Score: 5

    It could always be possible to alias the netscape command to be transparently invoked as another user by placing the following in one's ~/.bashrc :
    alias nsnav='su - dummy -c netscape'   # no spaces around '='; dummy's shell has no nsnav alias, so invoke netscape directly
    alias nsmail=netscape

    launch the mail as usual or with the nsmail command and if you want to surf (see here why you would like to), just launch navigator with the nsnav command.
    Of course, you'd better use Konqueror or W3-Emacs but this was my 0.01$ bit.
    --
    Trolling using another account since 2005.
  10. Um... by OblongPlatypus · · Score: 5
    Not saying this should make you discredit the entire report, but I found this quote sort of funny:
    By dumb luck, met a guy at a party who knew a guy who was the sister of a "senior manager" at Macromedia. Decided to hold off posting.
    (From the "reporting history")
    --
    -- If no truths are spoken then no lies can hide --
  11. This has been out for a while.... by Calle Ballz · · Score: 5

    But I guess they feel that it is now a bigger threat. Maybe joecartoon and killfrog have been rooting our boxes unsuspectingly for the last year, and they are not catching on.

    Oh well, my favorite resource has some more information here