Flash Vulnerabilities Affect Thousands of Sites

An anonymous reader sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."

The price comes in..

[Junta]

With respect to the "No patch in sight from Adobe" part, of course. If such a flaw was discovered by security researchers in firefox, they could do better than merely report the problem, it is within their power to correct the code and issue a third party patch/update if mainstream won't act. The vulnerability may not intrinsically be due to the proprietary nature (though external code audits might arguably occur to help, but I wouldn't guarantee it), but solving those problems cannot be done in a proprietary system except by the vendor.

The community might ignore such a patch, and it might not even happen that often, but if things were generally dire enough in a projects mainstream, a new leadership could fork the project and that is not unheard of in projects. Of course, it's common for distributions to apply security updates to their packages before upstream merges them, so it isn't *that* strange.

Not related to security, but the current version of the flash plugin, for example, breaks compatibility with linux opera and konqueror due to Xembed, and packagers hands are kind of tied in terms of what to do about it. Of course, can also point out the ATI drivers, which suffer greatly from problems and are dealt with in a way that doesn't work.

Re:The price comes in..

[Blakey+Rat]

Say for example there was an open-source solution to do Flash-like animation and multimedia on websites (there isn't.) Let's call it Gnash.

Now let's say that Gnash works approximately like Flash does; do you your design in a 'source' file called a .gla which you then compile into a 'runtime' file called a .gwf. And version 5.0 of Gnash is buggy in such a way that .gwf files have a security vulnerability, based off legitimate Gnash features (so that the Gnash runtime can't just blanket disable the feature that causes the vulnerability). The only way to fix this problem is to individually inspect every .gwf file to see if they use the functions in question.

Furthermore, let's say for argument's sake that Gnash is hugely popular and millions of these .gwf files exist on the web, some on sites that no longer have access to the original .gla files.

How would the fictional Gnash open-source solution be any different or better than the proprietary Flash solution? Show your work.

All of this, of course, is assuming that there is an open source package that does what Flash does, and there isn't. So if you really think open source is really all that superior, why don't you make open source versions of things that people obviously want? Like Flash, for instance. Instead of just complaining that the proprietary solutions suck.

Flash: FAIL: (yes, it's worse than the blink tag)

[Tragek]

Flash fails worse than the blink tag. It feels like a system hacked on top of a system of broken systems. It's the single most frustrating "feature" to hit the web since the blink tag. To me, flash can be used in one of three ways, in decreasing amounts of popularity:

1) It provides a mechanism for young impressionable web designers to splatter their so called design spunk all over my screen in one gigantic wank-off-fest. Usually, resulting in pages that are so unusably bad, I can't begin to fathom how they were even passed by a blind retarded monkey, which should have said "FUCK OFF, you dumb twat, get a new pair of eyeballs!'

2) It provides a mechanism for young impressionable web programmers to splatter their so called programming spunk all over my processor in a gigantic waste of cycles, providing a service that's been done before, and done better by other plugins, by other desktop apps, by other non-retards.

3) It provides a mechanism for a few savants to create brilliant web pages, and applications by a minimal, or appropriate application of flash, in a way that is visually appealing, technologically sound, and generally couldn't be done better by something else, popularly available.

I see the first all the time. I'm forced to endure the second often, whenever a "COOL VIDEO" comes from friends, on youtube, and the third, I rarely notice.... because good design with flash fades into the background.

Of course, I'm not going to lie: I'm biased, because flash sucks gigantic testicles on the Mac.

Re:Preference

[piojo]

Anyone who thinks having videos as flvs will keep the majority of people from "stealing" content clearly hasn't done a search for "save flv" on google. I'm certain that 90% of youtube users don't even know what a .flv is, let alone that they can be saved. Saving them even gives me trouble, and I've written screen scrapers and a (dysfunctional) web spider. Then again, I don't use flash sites enough to know what the proper ripping tools are, and I use Linux, so the proper tools may not exist for me.

Re:A lot of the vulnerable Flash is THIRD PARTY

[FLEB]

Unless the Reg article is being misleading, it doesn't look like much more than "XSS is possible in Flash apps". If that's the case, it's less a case of a "vulnerability" as Flash giving developers a hammer, and the devs bashing in their own fingers with it. As in JavaScript, as in PHP, as in CGI, as in any language that accepts input from outside-- never trust the input!

Or am I missing something?

Re:Preference

[Domstersch]

Forget "power" ripping tools; they all seem to just come down to a regex through the source, pre-set for a given handful of sites. So, they break as soon as a site updates their page layout, and just plain don't work on other, more obscure, sites.

The best way I've found is to just open up Firebug to the 'Net' tab (looks like this), and look for the biggest request listed. This works because the browser has to make the request for the video at some point, even if that request is obfuscated in the source, occurs in Javascript, doesn't end in .flv, and so on. From there, it's just a right-click, and "Copy Location".

To hell with Flash anyway...

[BrokenHalo]

I believe most Flash is done wrong simply because the site designers value form over content.

Useful or pertinent information (if it is manifest at all) usually has the appearance of being inserted as an afterthought. That's why the sites I visit most often tend to be based primarily on simple markup such as HTML, which despite its various drawbacks is at least easy to maintain (and therefore more likely to be maintained), and does not have the noli-me-tangere character of a cast-bronze SWF presentation.

I apologise for coming across as a luddite, but it is distinctly tiresome to be subject to the whim of some mentally adolescent graphics designer poking glitzy, time-consuming displays in my eye rather than allowing the information I'm looking for to be easily found. Which is why I think Flashblock is the best thing since unsliced bread.