Slashdot Mirror
Adobe Flash Exploit Could Log Keystrokes
Kenyon Lessi writes "Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.
The problem affect Adobe Flash Player version 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms."
If you don't trust adobe you could always install the open source Flash plugin swfdec. It's come on a lot recently and now plays most things. Hopefully the heavy pace of development will continue - I'm seeing about 5 commits per day adding new stuff on the mailing list.
Think of the Children; Sleep with your Sister
Flash Lite is used on mobile devices. I assume this effects the Flash player on the Wii?
I believe the buttons on the Wiimote map to a few keys (for use in Flash games) and the pointer just picks up as a mouse. That's about it.
"I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
Once again NoScript helps out here since it can block Flash. I don't run Flash on any pages that don't absolutely require it, and I find few that do. Flashblock is another option for Firefox users that only want to block Flash and nothing else. Browse safely everyone.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
The Flash monopoly is probably worse than the Internet Explorer monopoly (which is slowly dissolving). While the file format is semi-open to the public you have to agree on a license that prevents you from writing your own Flash player from the documentation - it only allows you to write exporters. When you get past that you'll find a file format that is hideously obfuscated. Variable bit length integers means that your data isn't even byte-aligned. The documentation does very little to help you figure out why a seemingly valid Flash file just doesn't render correctly in the player.
It pisses me off because Flash really has a lot of exciting stuff to offer, yet they can run the development at their own pace, writing shitty players with security holes (not to mention that they're still software rendering graphics in year of 2007). Even though my primary computer has Linux installed I find myself hoping that the new Windows Silverlight will give Flash a lot of healthy competition. It doesn't seem like any opensource projects are close to rivaling Flash yet.
Beautiful, but I guess this is slashdot and no one bothers to read the articles they submit. And yes, 9.0.45.0 still has a serious remote exploit flaw, but mixing these issues together is not the way to go.
This isn't a bug in the latest flash plugin... only older ones.
I for one love the fact that Flash still represents one of the few uniform platforms on the interweb
with extremely limited cross-browser issues.
------ The best brain training is now totally free : )
Adobe Flash exploit could log keystrokes, 62028443,00.htm
By Dawn Kawamoto, CNET News.com
16/07/2007
URL: http://www.zdnetasia.com/news/security/0,39044215
Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.
Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.
Users loading a malicious vector graphics file format (SWF) in their Flash Player may find attackers exploiting security flaws due to an input validation error in 9.0.45.0 and earlier versions, according to a security advisory from Secunia. Attackers, as a result, can gain remote access to a user's system.
In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected.
Versions 8.0.34.0 and earlier contain a bug due to insufficient validation of the HTTP referrer. As a result, an attacker could execute a cross-site forgery attack. Flash Player 9, however, is not affected.
Adobe recommends that 9.0.45.0 users upgrade to 9.0.47.0 for Windows, Mac and Solaris, or 9.0.48.0 for Linux.
Adobe Flash Player 9 is the recommended solution for the other two versions that contain security flaws.
--
For Your Flash-Based Safety
Shockwave was Macromedia's original online animation plugin. It is extremely feature-rich and quite fast at what it does. It's also quite large. So when a company called FutureWave created a much smaller vector-graphics competitor, Macromedia bought them out and renamed it "Shockwave Flash" to give the impression that Flash was a subset of their Shockwave technologies. (You'll notice that the Flash movie extension is "SWF". "ShockWave Flash")
In reality, it was all just marketing BS. Flash had enough features to make animation authors (and later game developers) happy, so it quickly replaced the more heavyweight Shockwave. After the acquisition of Macromedia by Adobe, they stopped trying to maintain the charade and simply called it "Adobe Flash". There are still a few vestigial pieces of the software that refer to "Shockwave Flash", but they're slowly disappearing as time goes on.
Javascript + Nintendo DSi = DSiCade
There are some cases where ads will be pulled or targeted for a specific reason, such as no ads at all on plane crash stories, or no MSN ads on AOL pages. But it would be far too costly to make an exception like that for a flash ad on a page about flash insecurities.
Thanks for linking to the project webpage which redirects to a wiki. Next time link to the sf.net project page and let us choose to go to the homepage ourselves rather than fight with sf.net.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Sorry a Flash-what ?
Oh, it must be one of those things we are missing, as users of :
Adblock plugin (stops ads, be it Flash, Javascript or plain pictures)
Adblock+ plugin (fork with different features but similar purpose)
Adblock Filterset.G updater plugin (updates the whitelist/blacklist of the above - no more need to configure manually, just install and forget)
or NoScript> plugin (selectively inhibits Javascript, Java and Flash following whitelist/blacklist),
FlashBlock plugin (prevent Flash embeds to auto-start. User must click on place holders to start them),
or Gnash GPL Flash player (GNU page) (an Open source player which, not only has an option to prevent flash from autostarting, but also isn't probably even affected by the exploit of TFA),
SWFDec GPL Flash decoding library (another opensource plugin for browsers which probably isn't affected by the exploid either),
or not installing a Flash player at all and using SaveTube to watch flashvideos.
I think most geeks haven't seen an ad for years and have anyway many mean at their disposition to avoid being exploited by flash bugs.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
see here: http://www.macromedia.com/software/flash/about/
The problem with linking to the sf.net page is that Swfdec is no longer hosted on Sourceforge and you cannot remove projects from Sourceforge. The correct link with all the hot working stuff (including Youtube video playback) is on http://swfdec.freedesktop.org/ . You will probably not get any of the new hotness from the stuff hosted on Sourceforge.
And thanks for pimping my work,
Benjamin