Slashdot Mirror
Adobe Flash Exploit Could Log Keystrokes
Kenyon Lessi writes "Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.
The problem affect Adobe Flash Player version 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms."
...and TFA has a Flash ad...
- Get an extremely accurate analysis of your words per minute in typing.
- Search through the log and double check that you correctly entered all of your banking account numbers, credit card and personal information on all of your internet forms.
- Do searches on the log to see if you ever accidentally typed "teh" and how many times that happened.
- Compare your Letter Frequency to the standard featured in Edgar Alan Poe's The Gold Bug
As you can see, there are many fun & great things that one can do with the potential of these new key logging features.</sarcasm>
My work here is dung.
Wii, what kind of keystrokes would that record?
Time to update Adobe Updater so it can download the new updates!
d ater.gif
http://www.agavegroup.com/images/articles/adobeUp
If you don't trust adobe you could always install the open source Flash plugin swfdec. It's come on a lot recently and now plays most things. Hopefully the heavy pace of development will continue - I'm seeing about 5 commits per day adding new stuff on the mailing list.
Think of the Children; Sleep with your Sister
Flash Lite is used on mobile devices. I assume this effects the Flash player on the Wii?
Flash doesn't run on all platforms, it doesn't even run on x86-64. Not that I'd ever install it if it did.
Once again NoScript helps out here since it can block Flash. I don't run Flash on any pages that don't absolutely require it, and I find few that do. Flashblock is another option for Firefox users that only want to block Flash and nothing else. Browse safely everyone.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
The Flash monopoly is probably worse than the Internet Explorer monopoly (which is slowly dissolving). While the file format is semi-open to the public you have to agree on a license that prevents you from writing your own Flash player from the documentation - it only allows you to write exporters. When you get past that you'll find a file format that is hideously obfuscated. Variable bit length integers means that your data isn't even byte-aligned. The documentation does very little to help you figure out why a seemingly valid Flash file just doesn't render correctly in the player.
It pisses me off because Flash really has a lot of exciting stuff to offer, yet they can run the development at their own pace, writing shitty players with security holes (not to mention that they're still software rendering graphics in year of 2007). Even though my primary computer has Linux installed I find myself hoping that the new Windows Silverlight will give Flash a lot of healthy competition. It doesn't seem like any opensource projects are close to rivaling Flash yet.
Beautiful, but I guess this is slashdot and no one bothers to read the articles they submit. And yes, 9.0.45.0 still has a serious remote exploit flaw, but mixing these issues together is not the way to go.
So I have a Flash player that acts as a plugin in my browser, right? Or is it called a Shockwave Flash player? No wait it's called "Adobe Flash Player", but I can't seem to find a version number, so I can't tell if I'm vulnerable.
So what the hell was "Shockwave", then? How is it different from "Flash" and is "Shockwave" vulnerable too?
Whoever was in charge of branding this crap should be bulldozed into a septic system.
You know, to be fair to Flash, I have to say that it's an incredibly well-written application overall. It's very small to download and it works very well. Heck, they actually made video consistently work on the Internet! I think you can make an argument that they are solely responsible for making video sites like YouTube viable. All video STILL sucks except for Flash.
Of course, the quality of Flash is a different question from how it's abused. :) [personally, I don't mind Flash all that much.]
Sometimes it's best to just let stupid people be stupid.
But what about spam? I know that most of us here wouldn't click the link. But I've seen spam that was supposed to be from bluemountain that had this exploit in it. Of course the headers told a different story (it originated in Poland), but my point is that you've got the usual gang of idiots that will click any link in an email if they think "Oooo, Mom send me another e-card".
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
You know, back in the old days we only had linear keystrokes, and they worked fine for us. Now it's all about the log keystrokes with the kids these days.
World's going to hell.
This isn't a bug in the latest flash plugin... only older ones.
I for one love the fact that Flash still represents one of the few uniform platforms on the interweb
with extremely limited cross-browser issues.
------ The best brain training is now totally free : )
Adobe Flash exploit could log keystrokes, 62028443,00.htm
By Dawn Kawamoto, CNET News.com
16/07/2007
URL: http://www.zdnetasia.com/news/security/0,39044215
Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.
Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.
Users loading a malicious vector graphics file format (SWF) in their Flash Player may find attackers exploiting security flaws due to an input validation error in 9.0.45.0 and earlier versions, according to a security advisory from Secunia. Attackers, as a result, can gain remote access to a user's system.
In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected.
Versions 8.0.34.0 and earlier contain a bug due to insufficient validation of the HTTP referrer. As a result, an attacker could execute a cross-site forgery attack. Flash Player 9, however, is not affected.
Adobe recommends that 9.0.45.0 users upgrade to 9.0.47.0 for Windows, Mac and Solaris, or 9.0.48.0 for Linux.
Adobe Flash Player 9 is the recommended solution for the other two versions that contain security flaws.
--
For Your Flash-Based Safety
the verb to use is "infect"!
However, for all other cases, the verb should be "affect"
Down left down down space space right up space space space space esc
Not that this security hole has much at all to do with it, but I strongly believe in positive thinking.
Maybe if we all chant, they will hear us.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
It is pitch black. You are likely to be eaten by a grue.
Maybe it's my hang-over, but linking to a flash embedded page (as mentioned above) and having to click again to get to the fix is annoying. /bitch
We don't allow people to install Flash on their systems here at work but we do provide the ActiveX component to run Flash. Is it affected as well? The article doesn't say.
Personally, I don't run Flash. Time and again it has been shown to be a security risk and these new developments only strengthen that perception.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Thanks for linking to the project webpage which redirects to a wiki. Next time link to the sf.net project page and let us choose to go to the homepage ourselves rather than fight with sf.net.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Does Anybody know if the 64 bit Linux version is also affected?
Oh wait...
MvE
Load New Commander (Y/N)?
but does it effect gnash?
This is very interesting. Like the Java clones before it, this project (swfdec), and gnash show how popular closed source projects have their own way of encouraging something similar to the dreaded "forking" that corporations fear so much. What's interesting about Java is that opening the source seems to have reversed that trend, and we now see some attempts to unify the many Java code bases.
I wonder if Adobe will figure that out, and open up Flash Player some more.
http://www.unfocus.com/
of completely missing the joke, dipstick. And since you chose to be ignorant and flame, I'm not even going to explain it to you. Maybe you could ask one of your classmates on the short bus to explain it.
It was a wise choice for you to post AC, though - only you will know the true identity of the really stupid guy that wrote comment #19877643.
threaten 'virtually everything'?
There are some issues with Flash video on Mozilla 1.7 on Sparc, which do not occur with Firefox on Sparc.
Nowadays I'm surprised how many tracking gadgets are embedded on otherwise ordinary looking pages and I'm sure to clean out my macromedia shared object folder form time to time...
The nice thing about flashblock is the ease with which I can play flash games and watch youtube videos -- when I'm in the mood to click through. Personally, I think something like this should be standard ... not a plugin. Flash usually scares me.
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
Sorry a Flash-what ?
Oh, it must be one of those things we are missing, as users of :
Adblock plugin (stops ads, be it Flash, Javascript or plain pictures)
Adblock+ plugin (fork with different features but similar purpose)
Adblock Filterset.G updater plugin (updates the whitelist/blacklist of the above - no more need to configure manually, just install and forget)
or NoScript> plugin (selectively inhibits Javascript, Java and Flash following whitelist/blacklist),
FlashBlock plugin (prevent Flash embeds to auto-start. User must click on place holders to start them),
or Gnash GPL Flash player (GNU page) (an Open source player which, not only has an option to prevent flash from autostarting, but also isn't probably even affected by the exploit of TFA),
SWFDec GPL Flash decoding library (another opensource plugin for browsers which probably isn't affected by the exploid either),
or not installing a Flash player at all and using SaveTube to watch flashvideos.
I think most geeks haven't seen an ad for years and have anyway many mean at their disposition to avoid being exploited by flash bugs.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Just change to Microsoft's Silverlight. It's better in everyway.
http://www.adobe.com/shockwave/download/download.c gi?P1_Prod_Version=ShockwaveFlash.
And I'm not having any luck finding anywhere at tells me what version of the plugin (ActiveX Control?) I'm currently running, so now I have to walk to each and every machine in the domain and install the latest manually.
You suck, Adobe.
an open-source project which develops a Flashplayer which can be run stand-alone, be swallowed inside web browser using appropriate plug-ins, or integrated in bigger project using extensions. Supports OpenGL and Cairo as hardware accelerated renderer. Also, has an option not to auto-start playing the flash crapnimations.
an open-source library for decoding flash, which also comes with a browser plugin.
They are good alternative to Flash to consider. Unlike the official crap from Adobe, you can recompile them in 64bits for modern systems. They don't play all possible flash yet, but you could use them for some situations. For other situation you can always try to copy and paste the URL into the adobe standalone payer.
It seems the development of alternatives is well underway. The only thing that we need to fight is the stupid clause in the license that forbids using the documentation to design players. I'm sure there are several place where it could be considered an abuse of monopoly, specially here in Europe.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
If they have a keylogger, those hackers will know that I go to hot-llama-on-marsupial.com
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
More accurate would be "Adobe Issues Fixes For Flash Exploit That Could Log Keystrokes"...
Headline implies that exploits were just found and still exist. Not so.
At a time when everything, including your fridge, strives to be web-enabled, I think not taking into account portability when designing a piece of code which the company hopes will take over the world as the standard format for interactive content, is a clear demonstration of short-sightness and bad design.
Also, there are no rational argument why a well designed piece of code couldn't be successfully just recompiled into 64bits.
Either at some points it makes assumption about the data-format of integers, but fails to declares precisely what it needs (declaring variable with plain C "int" instead of using some special typedef "uint32" or something similar) which is bad design (never make assumption that you don't enfore. Either accept whatever format comes, or force a specific format and let the compilation fails if it's not possible on the target).
Or perhaps the code is a gordian knot of hacks that cannot be easily fixed or circumvented for 64bits platforms, which defies the definition of "well written code".
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I always thought .swf stood for "Some Weird File"
Also note that Flash Player 9.0.47 is the current version on windows. I didn't dig deep enough to figure out if the new version resolves the key logging issue however.
But at least the linux version number is higher that the others. This is as it should be. Develop for linux first then port to the less important OSs.s -selling-solar.html
--
Rent solar power with no installation cost: http://mdsolar.blogspot.com/2007/01/slashdot-user
Actually he typed it at 159/5, or about 32 WPM. (Story posted at 11:55; he posted at 12:00).
:p
You, on the other hand, spent 5 minutes writing that one sentence. How much of that did you spend typing, and how much did you spend thinking?
The good news: Adobe makes Flash players for Linux and Solaris.
The bad news: the keylogger bug on certain old Flash players (the one most of you seem the most worried about) is specific to the Linux and Solaris models. Windows and MacOS/OSX only got the other bugs.
There is a fine line between recklessness and courage... -- Paul McCartney
Have you read the fine article?
If Adobe is openly fixing security holes, then there likely were security holes.
There is a fine line between recklessness and courage... -- Paul McCartney
The Windows vs. don't appear to be affected by keyloggers, either.
There is a fine line between recklessness and courage... -- Paul McCartney
see here: http://www.macromedia.com/software/flash/about/
"Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes."
Thank you!
This link should be added to the main article.
Flash is a monopoly. More or less. But it's a monopoly that doeshn't suck as much as IE. In fact, I'm sure, as soon as a product shows up that is better than Flash, Flash will use marketshare inmediately. Flash gained it's position because it really *is* the best solution at hand for the stuff it's used for.
But as it's still the single most widespread plattform on the end-user internet available and the only MM plattform that runs on all major deskstop OSes it will remain at the top. And for good reasons too. No matter how much they screw around with the IDE.
Java actually is the only true potential competitor to date. But Sun have never show any effort beyond 2 man projects to really make inroads in the rich client / rich media internet. I really whish they would, now that Java is GPLd, but I don't think it will happen, no matter how much they anounce yet another Java MM initiative. The new JavaFX looks like a revamped JMF and has a little more oomph to it than the last attempt, but let's just wait and see how long that lasts. I'm not holding my breath just yet.
We suffer more in our imagination than in reality. - Seneca
I'm not surprised to see that there is little or no coverage on slashdot about this detail. I realize that the flash player isn't linux, but it's on linux. So, both of the linux flash users will have to update their plugins.
Seriously, it goes to show that all platforms will have their problems. Regardless of the underlying OS, there are always twinkie-apps written by some twinkie-eating-developer.
Please, no flamebait, no off-topic, and no OS religious wars (they all suck).
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
It looks like the version of the flashplayer that is in Beta is allowing for hardware rendering as the default rendering method and software rendering as a backup method. For more info look here http://labs.adobe.com/technologies/flashplayer9/re leasenotes.html#known
Okay people it's time we started seriously contributing to the Gnash project so people who want flash content have some alternative to run it on.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
So PowerPC Linux could be the most secure platform? (No Adobe Flash)
*ducks*
If we are speaking of technologies OTHER than flash, we may also mention SVG which can be scripted for animations.
Either using a simple XML extension like SMIL for timing an animation (and producing something like old versions of Flash or vector equivalent of
or going for a Turing-complete language and use scripting like JavaScript with DOM (see the SVG Tetris).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Flash doesn't appear to automatically update itself. Fortunately, it does have an Automatic Notification system (go to http://www.macromedia.com/support/documentation/e
So currently I'm running a rather old version - 9.0.28.0.
If a lot of people, like me, haven't received a notification yet, they are also likely to be running older versions. This could mean that there are significant numbers of vulnerable machines.
Could you please post a link to your bug & patch ?
I might be interesting.
Thank you a lot.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
...like a sieve and crashes if you dare use tabbed browsing too much, I'm not too amazed that there would be other major security flaws. I already suspect that half of the flash things on the web are spying on me in some form anyway.
"Prepare for a pride-obliterating bitch slap" - Ignignot
You're welcome.
Adblocks works by stoping access to external objects. Any object : <img>, <embed>, <object>, <script>, <frame>, <iframe>, etc.
Think of it as an upgraded "Block images from".
Almost any web site stores ads as an external object that is included in the page (using an <iFrame> or an <object>) so most of the thing that is part of the ad is gone (as opposed to ads directly integrated into the webpage code, like text ads on Damnsmall Linux).
About the code of the layouts it self :
- 90% of the web site I encounter either put the ad-holding tag directly in the top level of the page (like google script which generate themeselves any container they may need), or put it into a <div> construct with unspecified with and height. In those situations, once the inner <iframe> (or whatever) is supressed, the <div> becomes empty and collapse to a 0x0 size. Most ads aren't visible anymore after removal.
- in 05% of the situations, the ad is put into a <div> that packs together the ad itself with a text like "Advertisement
- the last 05% of cases are <div> containers that have some size forced to them (using styles). In that case, the <div> doesn't collapse when empty but keeps the size that is specified in its width/height attribs. This is the only case where some place holder is left. I didn't bother removing them, but I think either some local CSS that overrides the website and downsize the ad-containing DIV to 0x0 size, or some more complexe RegExp could do the job.
But in general, Adblock is a nice experience where you don't see anything from the ads anymore in most cases.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The problem with linking to the sf.net page is that Swfdec is no longer hosted on Sourceforge and you cannot remove projects from Sourceforge. The correct link with all the hot working stuff (including Youtube video playback) is on http://swfdec.freedesktop.org/ . You will probably not get any of the new hotness from the stuff hosted on Sourceforge.
And thanks for pimping my work,
Benjamin