Slashdot Mirror


Flash Vulnerabilities Affect Thousands of Sites

An anonymous reader sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."
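An added example, not part of the original story or of any tool it mentions: a first pass at the "combing through website directories" step, listing every file under a web root that carries an SWF header (whatever its extension) with its compression, version, declared length and modification time, so each one can be queued for testing. The sample tree, its file names and the filler bodies are constructed for the demonstration.

```python
import os
import struct
import tempfile
import zlib

# The first three bytes of an SWF file identify how its body is stored.
SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

def read_swf_header(path):
    """Return (compression, version, declared_length), or None if not SWF."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if len(head) < 8 or head[:3] not in SIGNATURES:
        return None
    # Byte 3 is the SWF version; bytes 4-7 are the uncompressed length (LE).
    version, length = struct.unpack("<BI", head[3:8])
    return SIGNATURES[head[:3]], version, length

def inventory(web_root):
    """List every file under web_root whose content is SWF, whatever its name."""
    found = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            header = read_swf_header(path)
            if header is not None:
                rel = os.path.relpath(path, web_root).replace(os.sep, "/")
                found.append((rel, *header, int(os.path.getmtime(path))))
    return sorted(found)

def build_sample_root():
    """Constructed sample tree: two SWF-headed files and one HTML file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "ads"))
    body = b"\x00" * 16  # constructed filler, not real SWF tags
    samples = {
        "ads/banner.swf": b"FWS" + struct.pack("<BI", 8, 8 + len(body)) + body,
        "player.bin": b"CWS" + struct.pack("<BI", 9, 8 + len(body)) + zlib.compress(body),
        "index.html": b"<html></html>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for path, compression, version, length, mtime in inventory(build_sample_root()):
        print(f"{path}\t{compression}\tv{version}\t{length} bytes\tmtime={mtime}")
```

Matching on the header rather than the `.swf` extension catches applets served under other names, which a filename search would miss.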

16 of 214 comments

  1. Proprietary, huh? by palegray.net · · Score: 5, Informative

    Quoth the headline: "that's the price to pay for depending on proprietary solutions..."

    There are open source implementations of the Flash protocol; I'm running Gnash as my SWF player on Ubuntu 64, and it works just fine. Your mileage may vary.

    1. Re:Proprietary, huh? by palegray.net · · Score: 3, Informative

      Oh, and by the way, those who wish to create Flash content may want to have a look at this site.

    2. Re:Proprietary, huh? by Anonymous Coward · · Score: 2, Informative

      Actually, you would want to look at haXe; mtasc was AS2.

    3. Re:Proprietary, huh? by bcrowell · · Score: 2, Informative

      There are open source implementations of the Flash protocol; I'm running Gnash as my SWF player on Ubuntu 64, and it works just fine. Your mileage may vary.
      I tried Gnash, and it didn't work on the flash pages I tried it on. Although there are open-source development tools for flash, such as mtasc and haxe, there are a lot of obstacles, both legal and technological, that anyone will encounter if they try to do OSS development on the flash platform. If you want to generate AS3, the only OSS compiler is haxe, which doesn't implement the standard AS3 language. The Version 2 Components (flash's standard gui widget set) are under a license that prevents you from using them unless you own the Flash IDE. There are also patent issues with codecs; I believe Adobe is implementing some new audio and video codecs in the new versions of flash whose licensing is somewhat less problematic than the ones that used to be available, but you still can't use ogg or theora. Realistically, if you want to learn to develop flash using an OSS toolchain, you have a long, hard road ahead of you. You can't just buy a book on Flash and do what it says, because there are way too many bits and pieces that you can't reproduce without using the Adobe development tools.

    4. Re:Proprietary, huh? by quetwo · · Score: 2, Informative

      Actually, you may want to take a look at Flex. Adobe open-sourced their compiler, and the SDK to create SWF files. Flex (starting with version 3) is open source, /and/ fully supported by Adobe on Linux, Mac and Windows.

  2. Block Flash wherever possible by cbhacking · · Score: 4, Informative

    It burns a lot of CPU time, uses a lot of bandwidth, crashes browsers, and - not for the first time - has serious security issues.

    On Firefox, there's an extension called Flashblock. It blocks Flash by default, but allows you to re-enable it on a page-wide or applet-by-applet basis. Several other extensions will do the same thing.

    In IE7, you can double-click a spot in the status bar (third box, right to left, of the boxes just to the left of the security zone indicator (the thing that usually says Internet)) or open the Add-on Manager from Tools in the command bar or menu bar, and disable or enable the Flash ActiveX control. This will globally enable or disable flash, but doesn't take effect on a given page until that page is refreshed. Alternatively, the third-party add-on IE7Pro has applet-by-applet flash blocking.

    I realize that some sites need it, and on those there's nothing you can do about this problem except hope Adobe updates their software ASAP. For everywhere else though, do yourself a favor and block it.

    --
    There's no place I could be, since I've found Serenity...
    1. Re:Block Flash wherever possible by whitehatlurker · · Score: 2, Informative
      Opera - F12, deselect "Enable plugins"

      whitelist sites via right-click, edit site preferences

      --
      .. paranoid crackpot leftover from the days of Amiga.
    2. Re:Block Flash wherever possible by Ash-Fox · · Score: 2, Informative

      On Firefox, there's an extension called Flashblock. It blocks Flash by default, but allows you to re-enable it on a page-wide or applet-by-applet basis. Several other extensions will do the same thing.
      Flashblock unfortunately loads the Flash file still as the page is loading momentarily before it 'blocks' it.

      It would be nice if Firefox implemented Konqueror's feature of clicking a box to use the plugin. Unfortunately that stuff also breaks flash detection pages (which is why I suspect flashblock permits a small window of time for flash files to load).
      --
      Change is certain; progress is not obligatory.
  3. Re:A lot of the vulnerable Flash is THIRD PARTY by stox · · Score: 1, Informative

    The vulnerability is in the proprietary flash player. It is easily exploited using files produced by third party tools.

    --
    "To those who are overly cautious, everything is impossible. "
  4. Even Lynx had problems, so.... by gnuman99 · · Score: 3, Informative

    You can say the same about Java, Javascript, Ruby, Python, browsers in general. Just revert back to using lynx I guess, but that had a remote hole as well! Actually 2 remote holes,

    http://secunia.com/advisories/17372/
    http://secunia.com/advisories/17216/

    That is with just a text-only browser.

    So, should we go back to using
        echo -e "GET / HTTP/1.1\r\nHost: slashdot.org\r\n\r\n" | netcat slashdot.org 80

    Kinda sucks!

    Clearly one of the answers is to limit the browser to sub-user access. I think that is what Vista tells us is happening there. Debian doesn't do that by default. But then I'm not sure how easy it would be to limit iceweasel (firefox) to not execute stuff except known plugins, etc...

    As for the solution to problems like this, it is clearly the client that needs patching!! A client needs to handle ALL cases without allowing someone to compromise information, etc.

    There is a balance between security and usability. You can't have both perfect at the same time.

  5. Just more X-Site scripting = Relax a little by Twillerror · · Score: 5, Informative

    From what little I can get from the article this seems like just another cross site scripting attack.

    Although this can "help" an attacker steal information, the end user still has to click a link provided by the attacker that tricks the user into thinking they are on someone else's site and seeing content that site generated.

    Cross site scripting attacks are not to be laughed off, but they do tend to get overexaggerated. When is the last time you clicked on an email link sent to you out of the blue...and then stuck in your user name and password?

    People could just as easily fall for attacks like this that don't even change the URL. Not to mention that this has to upload the payload to a server. Meaning you can steal people's information, but it has to go to an IP somewhere. Maybe if law enforcement would get off their behinds and go after these f'ers it wouldn't be such a big issue.

    All the anti-flash posts need to get down voted. I could easily say that Jscript sucks because of all the various security issues it has had over the years, but it isn't useful or productive. Flash is what flash is...you don't like it...don't install it and shut up and let the rest of us use it.

  6. Re:Why was the book released before the patch? by CalTrumpet · · Score: 5, Informative

    Howdy... I'm actually one of the contributors to the book. We have been working with Adobe and CERT for a while on this issue, and we felt that as much time as is reasonable had elapsed since the initial reporting. The disclosure of security vulnerabilities is always a complicated ethical issue, and you have to weigh the public's right to know with the possibility that a speedy fix may reduce the overall damage from disclosure. Even with several months of work, "patching" the vulnerabilities is complicated, since the issues exist in the SWF files themselves and not in Flash player, so the only solution is for website owners to re-generate their Flash applets with the updated generators, which should be out shortly.

    A more formal vulnerability report is being co-ordinated with CERT and should be out soon with the details of the issues.

  7. Re:Solution: FlashBlock by Ash-Fox · · Score: 2, Informative

    https://addons.mozilla.org/en-US/firefox/addon/433
    Flash files are momentarily still loaded as the page loads before flashblock kicks in.
    --
    Change is certain; progress is not obligatory.
  8. Flash danger by SoopahMan · · Score: 4, Informative

    One major issue with Flash is its ability to insert scripts into the actual page.

    Say I want to read your email. I send you an email with a Flash animation in it. You read it and your webmail verifies there are no dangerous scripts in my email - but it's much harder to verify my Flash I sent you is safe. Which I'm counting on because I've put code in that creates a script tag in the webpage, downloads my dangerous script, and sends me your cookies. Now I can read your email.

    Flash has been getting a free pass on security for a long time. Time for things to tighten up on the web viewer more widely installed than Internet Explorer.

    1. Re:Flash danger by ckorhonen · · Score: 3, Informative

      But surely the web-mail client shouldn't allow active content such as JavaScript or Flash to execute in the first place?

      I've never seen one which does this, for that very reason, as this study seems to prove:

      http://www.campaignmonitor.com/blog/archives/2006/01/the_truth_about_1.html

      This issue isn't really the fault of Flash, but more web applications not validating their input and allowing the user to insert HTML tags where they shouldn't.

  9. You guys are 99% wonky by cherokee158 · · Score: 2, Informative

    I'm so tired of Flash rants I could puke a big steaming puddle of CSS. Flash is bad because bad designers use it to make bad websites...yet bad designers make crappy HTML sites all the time. Flash is bad because it crashes the browser...yet Java (or whatever the latest buggy cross-platform solution of the moment is) is the second coming despite its chronic habit of doing the same thing. Flash is bad because it's proprietary...except that it isn't: the SWF file format was open-sourced a long time ago. Flash is bad because it isn't search engine friendly...yet one of the most popular websites in the world used it to reinvent how we experience video on the web. SVG is better, for reasons only geeks can appreciate...but no one supports it, so who cares?

    In my opinion, every web technology sucks pretty mightily, for one reason or another. They are either abused by malevolent advertisers or 13 year olds, not supported uniformly by all platforms or browsers, and are a pain in the ass to design with. Dynamic HTML is a bad joke. Javascript invented pop-up hell. And praise CSS all you like, it's a strategy only a programmer could love. You can't center things reliably with it no matter how many hoops you jump through. That's something even HTML 1.0 could manage.

    My own clients LOVE Flash sites. They insist on them. They want animations, and sound, and websites that look the same in every browser. (Flash's ability to proportionately scale content to the window is a thing of beauty, and one of the most underused talents of the plug-in. Why some Flash designers insist on manipulating the window size instead is beyond me.) The only people who don't love Flash sites are other programmers. And I'm more than happy to take their business.

    Hating Flash for bad Flash sites is like hating scientists for making gunpowder possible. Live in a teepee or run a casino...your choice.