Flash Vulnerabilities Affect Thousands of Sites
An anonymous reader sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."
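An inventory pass of the kind the summary calls for (finding the SWF files in a site's directories before testing them), as an added example that is not from the article, the researchers or Adobe. It identifies SWF files by header rather than by extension and groups identical applets so each distinct one is tested once; the size cap, the grouping by SHA-256 and all file names are assumptions of this example.

```python
import hashlib
import os
import struct
import tempfile
import zlib

# First three bytes of an SWF file: "FWS" = uncompressed body, "CWS" = zlib body.
SIGNATURES = {b"FWS": "none", b"CWS": "zlib"}
MAX_BODY = 64 * 1024 * 1024  # assumed cap on decompressed size (bomb guard)


def inspect_swf(path):
    """Describe one file as an SWF record, or return None if it is not SWF."""
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) < 8 or data[:3] not in SIGNATURES:
        return None
    compression = SIGNATURES[data[:3]]
    version = data[3]
    # Bytes 4..7: little-endian length of the whole file once decompressed.
    declared = struct.unpack("<I", data[4:8])[0]
    body, problems = data[8:], []
    if compression == "zlib":
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(body, MAX_BODY)
        except zlib.error:
            body = b""
            problems.append("corrupt zlib body")
        else:
            if inflater.unconsumed_tail:
                problems.append("body larger than MAX_BODY")
    if not problems and declared != 8 + len(body):
        problems.append("declared length mismatch")
    # Hash version + decompressed body so a CWS and an FWS copy of the same
    # applet land in the same group.
    digest = hashlib.sha256(bytes([version]) + body).hexdigest()
    return {"path": path, "version": version, "compression": compression,
            "declared_length": declared, "problems": problems, "digest": digest}


def scan_tree(root):
    """Walk root, inspect every file regardless of extension, group by digest."""
    groups = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            record = inspect_swf(os.path.join(dirpath, name))
            if record is not None:
                groups.setdefault(record["digest"], []).append(record)
    return groups


def build_sample(body, version=9, compress=False):
    """Constructed input: a valid SWF header followed by arbitrary body bytes."""
    length = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + bytes([version]) + length + zlib.compress(body)
    return b"FWS" + bytes([version]) + length + body


def demo():
    """Build a small constructed web root and return the groups of duplicates."""
    body = b"constructed applet body " * 8
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "ads"))
        samples = {
            "intro.swf": build_sample(body),
            os.path.join("ads", "banner.swf"): build_sample(body, compress=True),
            "upload.dat": build_sample(b"a different constructed body"),
            "readme.txt": b"plain text, not Flash",
        }
        for rel, blob in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(blob)
        groups = scan_tree(root)
        return sorted(
            sorted(os.path.relpath(rec["path"], root) for rec in recs)
            for recs in groups.values()
        )


if __name__ == "__main__":
    for paths in demo():
        print(len(paths), "copies:", ", ".join(paths))
```

Each group then needs one round of testing, and any record with a non-empty `problems` list is worth opening by hand before trusting its header fields.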
Quoth the headline: "that's the price to pay for depending on proprietary solutions..."
There are open source implementations of the Flash protocol; I'm running Gnash as my SWF player on Ubuntu 64, and it works just fine. Your mileage may vary.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
...how does the fact that Flash is proprietary affect its vulnerability? As in "that's the price you pay..."???
:)
I don't get that part.
But I am crossing my fingers that this will help move designers away from using it.
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
And why do we give a fuck?
As if you have the same flexibility with HTML, CSS and PHP. Oh, wait. That doesn't matter, as long as you jump on the anti-Flash bandwagon, logic doesn't need to be present.
Suck my flashy dick.
Posting as AC 'cause the mods can't handle the truth.
It burns a lot of CPU time, uses a lot of bandwidth, crashes browsers, and - not for the first time - has serious security issues.
On Firefox, there's an extension called Flashblock. It blocks Flash by default, but allows you to re-enable it on a page-wide or applet-by-applet basis. Several other extensions will do the same thing.
In IE7, you can double-click a spot in the status bar (third box, right to left, of the boxes just to the left of the security zone indicator (the thing that usually says Internet)) or open the Add-on Manager from Tools in the command bar or menu bar, and disable or enable the Flash ActiveX control. This will globally enable or disable flash, but doesn't take effect on a given page until that page is refreshed. Alternatively, the third-party add-on IE7Pro has applet-by-applet flash blocking.
I realize that some sites need it, and on those there's nothing you can do about this problem except hope Adobe updates their software ASAP. For everywhere else though, do yourself a favor and block it.
There's no place I could be, since I've found Serenity...
Flash done right can be extremely useful, as a tool for adding a dynamic interface to a site. Unfortunately, Flash is (in my opinion) usually done horribly wrong, and implemented in a manner that doesn't give site visitors any alternate means of using the site. I've seen good implementations where Flash was used only for a particular application, and the rest of the site was done in standard-compliant HTML/CSS. I've also seen really scary work on countless occasions where the entire site was one big Flash presentation. Ugly stuff.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
The parent post actually stated what I really wanted to say, instead of my polite reply post below. Someone please mod it up, if only as funny :).
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
Funny, I've been using a permanent workaround since way before these were discovered: don't install Flash. As a bonus, you get notified with a blank screen when visiting a website with no useful content, so you don't waste any time trying to figure out how the hell to navigate it.
The vulnerability is in the proprietary flash player. It is easily exploited using files produced by third party tools.
"To those who are overly cautious, everything is impossible. "
What file format do you use for videos?
now we need to go OSS in diesel cars
/. delivers proprietary flash content to us via a proprietary ad network. Does that make /. evil too?
Why was the book released before the patch? "The vulnerabilities are laid out in the book Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions. It is due to hit store shelves soon, but is already in the hands of many security professionals. The book's authors, who work for penetration testing firm iSEC Partners as well as for Google, say a web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites." "The authors have been working since the summer with Adobe, the developer of Flash, and the United States Computer Emergency Readiness Team to coordinate a remedy. But so far there is no estimate when patches may be released. A security update Adobe released this week for its Flash player doesn't fix the vulnerabilities, Stamos said. Adobe representatives didn't reply to emails seeking comment."
I've RTFA and even the comments, and I still don't understand.
Heise points out that youtube FLV files are generated by youtube from other videos, but seems to leave open the possibility that FLV video files could be malicious in their own right on other sites. Clearly player programs could be malicious (or vulnerable) but what about the videos themselves?
.. paranoid crackpot leftover from the days of Amiga.
Huh? So this is some kind of phishing attack? Exactly how is Flash involved, and what should we be watching out for? (Other than never entering important data into a form we reached by clicking... always good practice.)
With respect to the "No patch in sight from Adobe" part, of course. If such a flaw was discovered by security researchers in firefox, they could do better than merely report the problem, it is within their power to correct the code and issue a third party patch/update if mainstream won't act. The vulnerability may not intrinsically be due to the proprietary nature (though external code audits might arguably occur to help, but I wouldn't guarantee it), but solving those problems cannot be done in a proprietary system except by the vendor.
The community might ignore such a patch, and it might not even happen that often, but if things were generally dire enough in a project's mainstream, a new leadership could fork the project and that is not unheard of in projects. Of course, it's common for distributions to apply security updates to their packages before upstream merges them, so it isn't *that* strange.
Not related to security, but the current version of the flash plugin, for example, breaks compatibility with linux opera and konqueror due to Xembed, and packagers' hands are kind of tied in terms of what to do about it. Of course, can also point out the ATI drivers, which suffer greatly from problems and are dealt with in a way that doesn't work.
XML is like violence. If it doesn't solve the problem, use more.
You can say the same about Java, Javascript, Ruby, Python, browsers in general. Just revert back to using lynx I guess, but that had a remote hole as well! Actually 2 remote holes,
http://secunia.com/advisories/17372/
http://secunia.com/advisories/17216/
That is with just a text-only browser.
So, should we go back to using
echo -e "GET / HTTP/1.1\nHost: slashdot.org\n\n" | netcat slashdot.org 80
Kinda sucks!
Clearly one of the answers is to limit the browser to sub-user access. I think that is what Vista tells us is happening there. Debian doesn't do that by default. But then I'm not sure how easy it would be to limit iceweasel (firefox) to not executable stuff except known plugins, etc...
As for the solution to problems like this, it is clearly the client that needs patching!! A client needs to handle ALL cases without allowing someone to compromise information, etc.
There is a balance between security and usability. You can't have both perfect at the same time.
That was just a simple typo. I have no idea why I wrote Apple. Although I guess I should have previewed.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Depends on what you are trying to achieve, but I would never go with Flash. The only benefit of Flash is that it will keep the majority of users from "stealing" your content by downloading it and saving it to a file. And you also get to code up your own crappy player in it too. If you want it playable on the largest number of devices(what people normally claim is the benefit of Flash), then go with MPEG-1 which will work more places than Flash.
Swish (a sort of dumbed down version of the real flash dev program) used to be able to get flash to execute Javascript by pointing links to "javascript:". Not terribly exploitable, but not exactly expected behavior. The newer versions of the flash player stopped it though.
Flash fails worse than the blink tag. It feels like a system hacked on top of a system of broken systems. It's the single most frustrating "feature" to hit the web since the blink tag. To me, flash can be used in one of three ways, in decreasing amounts of popularity:
1) It provides a mechanism for young impressionable web designers to splatter their so called design spunk all over my screen in one gigantic wank-off-fest. Usually, resulting in pages that are so unusably bad, I can't begin to fathom how they were even passed by a blind retarded monkey, which should have said "FUCK OFF, you dumb twat, get a new pair of eyeballs!'
2) It provides a mechanism for young impressionable web programmers to splatter their so called programming spunk all over my processor in a gigantic waste of cycles, providing a service that's been done before, and done better by other plugins, by other desktop apps, by other non-retards.
3) It provides a mechanism for a few savants to create brilliant web pages, and applications by a minimal, or appropriate application of flash, in a way that is visually appealing, technologically sound, and generally couldn't be done better by something else, popularly available.
I see the first all the time. I'm forced to endure the second often, whenever a "COOL VIDEO" comes from friends, on youtube, and the third, I rarely notice.... because good design with flash fades into the background.
Of course, I'm not going to lie: I'm biased, because flash sucks gigantic testicles on the Mac.
I need some example code. Uh, for my research.
Anyone who thinks having videos as flvs will keep the majority of people from "stealing" content clearly hasn't done a search for "save flv" on google. It's a pity no-one out there coded up an open source flash player though. It would save lots of time and trouble.
Sigs are too short to say anything truly profound so read the above post instead.
... i'm on an amiga.
It doesn't work many times, and it destabilizes the browser, often times causing it to crash on pages that don't even have flash on them.
A cat can't teach a dog to bark.
Unless the Reg article is being misleading, it doesn't look like much more than "XSS is possible in Flash apps". If that's the case, it's less a case of a "vulnerability" as Flash giving developers a hammer, and the devs bashing in their own fingers with it. As in JavaScript, as in PHP, as in CGI, as in any language that accepts input from outside-- never trust the input!
Or am I missing something?
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
the DownloadHelper addon for firefox tends to work fairly well for me, though it gives you a list of the videos in each tab, and being as the names are usually just effectively random alphanumeric strings, it's hard to tell which videos you've downloaded and which you still need to get if you're wanting to grab a bunch of videos at a time.
the online converter at vixy.net also works, though it tends to get flaky at times (cutting off your download in the middle or throwing "invalid video ID" when the url is perfectly fine.) and is slow at best.
upon the advice of my lawyer, i have no sig at this time
From what little I can get from the article this seems like just another cross site scripting attack.
Although this can "help" an attacker steal information the end user still has to click a link provided by the attacker that tricks the user into thinking they are on someone elses site and seeing content that site generated.
Cross site scripting attacks are not to be laughed off, but they do tend to get over exaggerated. When is the last time you clicked on an email link sent to you out of the blue...and then stuck in your user name and password?
People could just as easily fall for attacks like this that don't even change the URL. Not to mention that this has to upload the payload to a server. Meaning you can steal people's information, but it has to go to an IP somewhere. Maybe if law enforcement would get off their behinds and go after these f'ers it wouldn't be such a big issue.
All the anti-flash posts need to get down voted. I could easily say that Jscript sucks because of all the various security issues it has had over the years, but it isn't useful or productive. Flash is what flash is...you don't like it...don't install it and shut up and let the rest of us use it.
Not a fan of flash either, but the one application it is actually good for is the youtube-style video embedding. I prefer flash to the satan-spawned abominations quicktime & windows media player, as the platform support is better, among other things.
Software patents delenda est.
Yes. Try browsing at -1.
To me, flash can be used in one of three ways, in decreasing amounts of popularity:
:)
Nice rant, but you seem to fail to realize that the web, and computer software in general, tend to fall in the same sort of categories. That's just the way it is. Don't forget Sturgeon's Revelation, "90 percent of everything is crud." (Though I believe this estimate to be conservative, and certainly the adjective chosen is much more polite than is usually quoted.)
I'd rather have the possibility of having those few brilliant Flash-based sites/RIAs than to NOT have that ability at all. If you don't like the show, change the channel.
In other words, get over it.
Sigs are too short to say anything truly profound so read the above post instead.
Actually MPEG-1 is not supported natively by IE or Firefox.
I always do, because I don't trust the Slashdot userbase to mod up comments that I'm interested in.
Different strokes for different folks, I guess.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Most flash is done WRONG unfortunately, and most sites either open in a new limited controllable window and / or have a screen area the size of a postage stamp. Flash sucks for many reasons, and these are 2 of them.
http://www.rense.com/general79/wdx1.htm
Most seem to be easy to save... just open up your cache directory, find and copy the file (usually the most recent large file) rename to .avi or whatever, and play. Works fine for me, except for a few of the largest files that don't seem to be cached in the normal way.
I believe that a lot of the animation and interaction functions of Flash could be done in SVG or its ISO-approved, 3d cousin X3D. Obviously, video can't be done in one of those, but there are probably hundreds of video codecs to use that would work better.
Wisdom, knowledge, and truth - found only in one Place.
My feelings about Flash are kind of mixed. On one hand, it's proprietary technology. Specifications have, at some point, been published, but I don't think they are current, and there certainly isn't a full-featured implementation from anyone other than Adobe. This is bad.
On the other hand, looking at what Flash does, and at other technologies that do these things, it seems to me that Flash is clearly technologically superior. I don't know how large the browser plugin is these days, but the one that used to come with Opera used to be very small, and yet provide features that web masters are trying to kludge together with AJAX and whatnot, and for which the W3C has come up with the gargantuan SVG, which has even more elephantine implementations. Flash is the clear winner here.
And then, of course, there is the misuse of Flash for things where Plain Old HTML would be much better. But then again, if Flash were a widely-implemented open standard (rather than a widely-implemented proprietary technology which yet leaves some users in the cold), perhaps such use wouldn't be _mis_use.
So, all in all, I think that Flash would be _great_ if it weren't proprietary...but the fact that it _is_ proprietary is a real obstacle.
Please correct me if I got my facts wrong.
As to the question at hand, I don't know enough detail about the vulnerability myself, however note: Stamos said Adobe is likely to update its Flash Player so it does a better job of vetting code variables before executing SWF files. But he said interaction with third-party code is such a core part of the way Flash works that updates to the player would likely provide only a partial fix. So while I do not understand the technical details, those that do understand believe some sort of player-side sanity checks would be good to mitigate the consequences. In the open-source world, they would be able to construct a proof-of-concept publicly of a 'hardened' flash plugin that may avoid glaring mistakes. He does concede that while a player-side change could mitigate the exposure, the servers must recompile their end to be complete. Could they do it with Gnash? Maybe, if Gnash was even complete enough to even support the features that can be exploited here, which I don't know.
XML is like violence. If it doesn't solve the problem, use more.
I don't really see the value of "Youtube-style video embedding." What's it good for?
Flash Video files are the easiest to pull from a website; I've yet to find an embedded Flash Video file I could not save to disk. I can't say that for QuickTime; a few have eluded me. As for Windows Media, they are by far the most difficult to save to disk; I can't say I've been 100% successful on those.
Got some Flash content you think is safe? Post the url; I'll email the whole thing to you as a self-contained movie file. Guaranteed.
Give me five minutes; Flash is slower to stream than QT or WMV.
Forget "power" ripping tools; they all seem to just come down to a regex through the source, pre-set for a given handful of sites. So, they break as soon as a site updates their page layout, and just plain don't work on other, more obscure, sites.
The best way I've found is to just open up Firebug to the 'Net' tab (looks like this), and look for the biggest request listed. This works because the browser has to make the request for the video at some point, even if that request is obfuscated in the source, occurs in Javascript, doesn't end in .flv, and so on. From there, it's just a right-click, and "Copy Location".
=w=
The value is that it lets you easily embed a video in a page in a way that'll work on 99% of computers.
Slashdot - where whining about luck is the new way to make the world you want.
Offtopic: I've seen scarier work where the entire site was one big BMP image with a huge image map slammed on top of it.
You don't know what you don't know.
I don't think preventing downloads was his goal, just getting it to work.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
CSS and Javascript done right could be extremely useful, ... etc.
New things are always on the horizon
I really would like to hear details of the 'vulnerability' just so I can begin checking our code and performing an assessment of whether or not this is a credible and realistic threat to the security of our customers.
In the past, many vulnerabilities have been reported on the Flash player, but most of them follow a similar kind of theme - the rogue SWF file must be created with third party authoring tools, and or modified in a hex editor, in order to put the malicious code in there to begin with. In addition, due to the security sandbox and crossdomain restrictions, it needs to be downloaded from your site anyway. So, it's perfectly possible for a SWF to wreak havoc on a user's machine, the only caveat is that someone within a company, with access to the web servers and source code, would need to have created it in the first place - something I'm sure is indicative of a larger problem!
Oddly, most non Flash/web developers tend not to see it that way - I have a beautiful MP3 of a conversation I had with one of our 'Security' people who just consistently ranted on about undisclosed vulnerabilities as a reason not to use Flash in a project.
In my years of working with the web and the Flash platform, I have not yet seen a single workable exploit that could present a credible threat to the majority of Flash users on the web, not without the user or the site already being compromised in some manner.
The only somewhat grey area is where Flash is used for online advertising, but you will find that most of the main publishers out there are aware of this and perform some level of code review on ads before they go live - I work for a bank and we don't run any 3rd party adverts without seeing the sourcecode and decompiling any SWF assets provided.
Really guys, the Flash platform isn't the cloud of evil you are making it out to be. Granted, it has been used for some really annoying things in the past, but used right, it can really help to deliver a friendly, usable and engaging user experience. In addition, in Adobe's hands we have seen it become more open than ever before - Flex, AMF, Tamarin, all released as open source in the past year. I'd be surprised if this trend does not continue.
ffmpeg does the trick, converting flv to avi (or whatever you like) with no problems. You can also get the ActionScript out of a .swf with no problems. It doesn't really protect your IP, but then again nothing does.
// MD_Update(&m,buf,j);
Which is just one site that does things in Flash that I certainly _do_ find useful...
My Journal
Sadly, there are enormous amounts of money being made with these annoying, ugly, blinking Flash websites and layer-ads, (mainly) because of the enormous amount of stupidity of designers and their clients. Unfortunately, blinking ads and websites do work, and they attract way more users (i.e. possible customers) than well-designed and appropriately built sites.
;-)
If Flash would be erased, the industry would come up with just another technology to drive sophisticated users nuts. So the only way to deal with this is to gain control over the force of ad-blocking and Flash-blocking contraptions, and if you ever encounter some jerk giving a webapp "more 'boost', a bit of 'zoom' and a little extra 'swoosh'", tell him why everything he's doing is wrong and encourage him to make it better. I'm doing this all the time and I think I may have achieved some progress. There's a better web ahead, and I bet it even can include Flash
condom of the digital age?
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
Keep your voice down...
You must be new here... this debate isn't about whether or not the suggested alternatives to Flash are supported or practicable.
It's more to do with people having look at reality and coming to the conclusion that they just don't like or believe certain aspects of it.
Call it a selective disregard for the facts or utter stupidity if you will, but it's kinda groovy...
I think that the audio and video functionality of Flash/Flex can and will be replaced by chaz haskins' svg wondershow plugin.
See it's easy! get into it.
Change is certain; progress is not obligatory.
One major issue with Flash is its ability to insert scripts into the actual page.
Say I want to read your email. I send you an email with a Flash animation in it. You read it and your webmail verifies there's no dangerous scripts in my email - but it's much harder to verify my Flash I sent you is safe. Which I'm counting on because I've put code in that creates a script tag in the webpage, downloads my dangerous script, and sends me your cookies. Now I can read your email.
Flash has been getting a free pass on security for a long time. Time for things to tighten up on the web viewer more widely installed than Internet Explorer.
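A check for the hosting side of the scenario in the comment above, as an added example that is not part of any comment in the thread: it audits markup for Flash `object`/`embed` elements whose `allowScriptAccess` parameter is anything other than `never`, the value that stops an applet from calling into the page's JavaScript. The sample markup and paths are constructed, and reporting an omitted parameter as a finding is a policy assumption for pages that display SWF supplied by someone else.

```python
from html.parser import HTMLParser

FLASH_TYPE = "application/x-shockwave-flash"

# Constructed sample page: one permissive <object>, its <embed> fallback with
# the parameter omitted, one locked-down <embed>, and one non-Flash <object>.
SAMPLE = """<html><body>
<object type="application/x-shockwave-flash" data="/attachments/card.swf">
  <param name="movie" value="/attachments/card.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="/attachments/card.swf" type="application/x-shockwave-flash">
</object>
<embed src="/static/player.swf?v=2" allowScriptAccess="never">
<object data="/static/chart.svg" type="image/svg+xml"></object>
</body></html>"""


def _is_swf(url):
    """True when the URL path (ignoring query string and fragment) ends in .swf."""
    return url.split("#")[0].split("?")[0].lower().endswith(".swf")


class FlashEmbedAudit(HTMLParser):
    """Collects (line, tag, movie, setting) for Flash embeds not set to 'never'."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.open_objects = []  # stack of <object> elements still being parsed

    def report(self, line, tag, movie, setting):
        setting = setting.strip().lower() if setting else "missing"
        if setting != "never":
            self.findings.append((line, tag, movie, setting))

    def handle_starttag(self, tag, attrs):
        attr = {name.lower(): (value or "") for name, value in attrs}
        line = self.getpos()[0]
        if tag == "object":
            data = attr.get("data", "")
            self.open_objects.append({
                "line": line,
                "movie": data,
                "flash": attr.get("type", "").lower() == FLASH_TYPE or _is_swf(data),
                "access": None,
            })
        elif tag == "param" and self.open_objects:
            obj = self.open_objects[-1]
            name = attr.get("name", "").lower()
            value = attr.get("value", "")
            if name in ("movie", "src") and _is_swf(value):
                obj["flash"], obj["movie"] = True, value
            elif name == "allowscriptaccess":
                obj["access"] = value
        elif tag == "embed":
            src = attr.get("src", "")
            if attr.get("type", "").lower() == FLASH_TYPE or _is_swf(src):
                self.report(line, "embed", src, attr.get("allowscriptaccess"))

    def handle_endtag(self, tag):
        if tag == "object" and self.open_objects:
            self.flush(self.open_objects.pop())

    def flush(self, obj):
        if obj["flash"]:
            self.report(obj["line"], "object", obj["movie"], obj["access"])


def audit_html(html):
    """Return sorted findings for every Flash embed that may script the page."""
    parser = FlashEmbedAudit()
    parser.feed(html)
    parser.close()
    # An <object> that was never closed is still evaluated.
    while parser.open_objects:
        parser.flush(parser.open_objects.pop())
    return sorted(parser.findings)


if __name__ == "__main__":
    for line, tag, movie, setting in audit_html(SAMPLE):
        print(f"line {line}: <{tag}> {movie} allowScriptAccess={setting}")
```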
You just named the one codec that WILL look uglier and take up more bandwidth than flash.
"Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
I find it odd that the Register article appears under a flash banner and has a flash ad floated inside the content. All this in an article "exposing" the vulnerabilities of flash (swf).
And you've missed the point entirely, the point in flash video isn't to stop people saving them, it's to let people watch them. Many video sites have links to download them.
I don't care about "protection". Youtube has seen to it that there is a de-facto standard which works on 99% our clients' clients' machines. That's the only real consideration.
Software patents delenda est.
Neither is Flash.
Both need plugins to work.
The HUGE difference comes from the fact that Flash is only available from 1 single company which produces plugins for only a small handful of platforms (except maybe for the open-source Gnash plugin, which already kind of works, but still needs a lot of effort).
Whereas, MPEG players are available for whatever platform you may think about as long as it has either the processor horsepower or a decoding co-processor. Including your basic 32-bit Windows, but also Linux running on 64bits Sparc or Itanium, PalmOS powered PDA, GSM phones, MP3 players, Less popular or Obscure OSes (Syllable, Haiku, etc.), Console as old as DreamCast (software) or even PlayStation and Saturn (hardware), etc.
The only problem is that, given the huge amount of players, some are more crappy than others. And often, pre-assembled computers when bought in big shops come with a lot of crappy software installed.
But then you have the same problem with Flash with thousands of Flash video players, some much more ugly and inefficient than others. It only shifts the problem of having a good player from the user to the website designer.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
No seriously, the fact that obtaining FLVs give you trouble has to be an exceptional case, considering your credentials as a computer-friendly (at least) person.
Essentia non sunt multiplicanda praeter necessitatem.
In addition to what other /.ers have said, I may also point out savetube.com.
You paste-in the youtube page url, hit the button and get a URL you can either save or copy/paste into some compatible player like VLC.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Wishful thinking ?
Essentia non sunt multiplicanda praeter necessitatem.
You forgot #4. Flash content can be created for off-line use. I make a very comfortable living designing tutorials and simulations in Flash that are self contained and thus aren't exposed to these supposed vulnerabilities.
I'm so tired of Flash rants I could puke a big steaming puddle of CSS. Flash is bad because bad designers use it to make bad websites...yet bad designers make crappy HTML sites all the time. Flash is bad because it crashes the browser...yet Java (or whatever the latest buggy cross-platform solution of the moment is) is the second coming despite its chronic habit of doing the same thing. Flash is bad because it's proprietary...except that it isn't: the SWF file format was open-sourced a long time ago. Flash is bad because it isn't search engine friendly...yet one of the most popular websites in the world used it to reinvent how we experience video on the web. SVG is better, for reasons only geeks can appreciate...but no one supports it, so who cares?
In my opinion, every web technology sucks pretty mightily, for one reason or another. They are either abused by malevolent advertisers or 13 year olds, not supported uniformly by all platforms or browsers, and are a pain in the ass to design with. Dynamic HTML is a bad joke. Javascript invented pop-up hell. And praise CSS all you like, it's a strategy only a programmer could love. You can't center things reliably with it no matter how many hoops you jump through. That's something even HTML 1.0 could manage.
My own clients LOVE Flash sites. They insist on them. They want animations, and sound, and websites that look the same in every browser. (Flash's ability to proportionately scale content to the window is a thing of beauty, and one of the most underused talents of the plug-in. Why some Flash designers insist on manipulating the window size instead is beyond me) The only people who don't love Flash sites are other programmers. And I'm more than happy to take their business.
Hating Flash for bad Flash sites is like hating scientists for making gunpowder possible. Live in a teepee or run a casino...your choice.
I believe most Flash is done wrong simply because the site designers value form over content.
Useful or pertinent information (if it is manifest at all) usually has the appearance of being inserted as an afterthought. That's why the sites I visit most often tend to be based primarily on simple markup such as HTML, which despite its various drawbacks is at least easy to maintain (and therefore more likely to be maintained), and does not have the noli-me-tangere character of a cast-bronze SWF presentation.
I apologise for coming across as a luddite, but it is distinctly tiresome to be subject to the whim of some mentally adolescent graphics designer poking glitzy, time-consuming displays in my eye rather than allowing the information I'm looking for to be easily found. Which is why I think Flashblock is the best thing since unsliced bread.
Surely in the cases you mention, it is really the designer/developer that sucks?
As a technology, Flash offers a quite decent featureset, but technology can always be misused in the wrong hands.
From your reasoning, HTML also sucks because of animated GIFs and the blink tag!
I agree that there are plenty of options for saving content, but we're missing the point.
Or rather, site designers are.
The whole point of a website is to promulgate its content. Introducing caveats such as "You May Only Look At This Content When It Suits Us To Give It To You" where copyright or reproduction restrictions are (for practical purposes) irrelevant is an unnecessary addition of complexity to the online experience. Locking up the content so that it is only visible under prescribed conditions is really quite silly. They might just as well publish the content on paper or optical media at a price.
Hey, Rezmason here.
I agree that Flash is often misused, but I never thought I'd see such an overwhelmingly negative reaction to a Flash vulnerability. Flash gets updated relatively frequently, alright? It's kind of troublesome to read a "that's what you get" kind of statement on the front page of this site, especially if the writer isn't exactly in the loop.
Besides, there's a silver lining on this cloud. The more professional Flash websites will be quicker to address this vulnerability, whereas the ones that have been thrown together will make for bigger targets. Maybe this will motivate employers to hire Flash devs who really know what they're doing. After all, with Flash's scripting capabilities, developing in it for a client should be a serious matter based on trust.
And finally, despite its closed nature, Flash has (I believe) an installer base about the size of the number of computers that comprise the Internet. And it's proprietary, and has been from the start, even though it's opening up more every day. And it's got enough tricks up its sleeve to empower THIS creative professional. Ubiquitous, powerful, and CLOSED, that's right. If that makes you uncomfortable, please turn it off. But for pete's sake, don't rail on it.
The only thing Flash ever did right was to have a workable de-facto standard video format for the web. Oh and games / animations, if you're into that. As far as I'm concerned those are the only good uses for Flash.
Lol, you do realise it downloads it to
As have I :). The sad part is the fact that I knew a couple of people personally who had such sites designed for them, and I know how much they paid for that garbage... $$$
The whole "gratuitous infection vector" problem.
Many sites use flash for no good reason when pure HTML would be perfectly fine.
In the process they make the entire process less secure, more error prone and ultimately less accessible.
flash vs. flash for no good reason.
A Pirate and a Puritan look the same on a balance sheet.
Ok, then choose anything supported by the ffmpeg library. Don't like MPEG1? Then use MPEG4.
A Pirate and a Puritan look the same on a balance sheet.
Are you sure on that? AFAIK, "javascript:" links are a common and accepted way to interface between JavaScript and Flash. I've used it on one or two things and it worked without any problems. (Granted, this was building in Flash MX, but the scripts played fine on modern Flash Player implementations).
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
Would that still work, though, if the Flash file was just a "loader", that downloaded/streamed the video file using Flash as opposed to the browser?
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
Then there are a LOT of bad designers out there, they are in the MAJORITY.
http://www.rense.com/general79/wdx1.htm
Agreed!
In my experience, I think a lot of the Flash designers you come across are from animation or print design backgrounds, rather than specifically web design. A few years ago this was definitely the case.
Unfortunately that often means that the designers working on these Flash websites simply don't get the web, or how their content integrates with the page or browser, as well as someone who has been using CSS/HTML/JS for most of their career - they are still treating it as they would a piece of print work with fixed size/resolution, or as an animation with lots of pointless swirly stuff. Obviously, a lot of this may look 'cool' to marketing folks, but may not be entirely appropriate for the web.
I find that it really depends who your designers are - larger agencies who still seem to be very biased towards print work, and an obsession with swirly things; or the more conservative/realistic experience-orientated interactive design shops.
Also, I think this is something which is slowly going away as more 'web' people are drawn to the Flash platform by things such as AIR, Flex and AS3.
Preach it!
You're a little late to the party though. We cynics already use Firefox and put on AdBlock Plus, AdBlock Filterset Updater, NoScript and Flashblock. I'm on Linux, using an encrypted partition, connected to my firewall through a VPN. No, I'm not really paranoid, I've just decided that it is easier to be careful up front than try to keep up with the latest round of vulnerabilities.
Back in my day when we chiseled our bits into stone and sent them by mule train from village to village...
> In my experience, I think a lot of the Flash designers you come across are from animation or print design backgrounds, rather than specifically web design. A few years ago this was definitely the case.
> Unfortunately that often means that the designers working on these Flash websites simply don't get the web, or how their content integrates with the page or browser, as well as someone who has been using CSS/HTML/JS for most of their career
Design is design - print or web doesn't matter. People have been slowly starting to realize this over the last half decade or so. Your talk about people who have been using CSS/HTML/JS "most of their career" is kind of moot when you consider that two of those technologies have only been around about a decade, and the third only a little longer. Do you think best practices in print design were set in stone only 10 years after the invention of the printing press? 20 or 30 years from now, the way we use the web will be completely different from the way we use it now, just as the way we use it now is pretty different from the way we used it in 1991. Would you have argued against YouTube because it's Flash-based? Or because it's video-based? Should the web only be used for text? After all, that's originally what it was, and every time some new feature or technology was added, there were people who argued against it because it made the web "uglier" or "more confusing" or led directly to "bad design".
No, the web evolves. Get used to it.
Yes, there are bad designers out there. But that's all they are; bad designers. It's got nothing to do with print vs. web or whatever. The arguments among web developers about this boil down to design vs. technology, not good design vs. bad design. And while good design is at least somewhat permanent, technology is constantly changing. So there's no point arguing that technology that worked 10 years ago is the same technology we should be using today because new technology encourages bad design; no, bad designers, producers and project managers encourage bad design. Background matters little.
btw, I say this as someone who is constantly espousing the use of AJAX at the company I work for. I find too much Flash annoying. But again, that's got nothing to do with design, it's got to do with functionality. AJAX has improved now to the point where you can do most of the same things with it as you can with Flash from a design perspective, without the incessant animations and ridiculously long load and draw times. So I do feel like it's a better choice most of the time. But the problem I give the designers and developers is usually phrased as "come up with the best and most interesting design you could do in Flash, then let's see if we can do it in AJAX." AJAX is still somewhat more limiting than Flash, which is why most large companies continue to use it.
I have to say, I totally disagree with you on that one - print design is totally different to web design in many respects.
For a start, a print designer is working within a fixed area that will always look the same no matter what (well, unless you rip it up!).
With a web designer you need to accept that your design may be viewed at a million and one different screen resolutions, on different platforms and browsers which may render fundamentals such as text or user interface controls differently. On top of that, the implementation of said design now requires you to think about this, and things such as SEO etc.
You also have more fuzzy things, based around interaction. For print, perhaps you want to use embossing or other techniques to make the design feel a bit special. For web, I tend to think it's around how you can interact with a site's functionality (usability, learnability...) and also how well site and browser merge (form autofill, scrolling, copy, paste).
These fuzzy things are often where many Flash-based sites tend to fall down, either perhaps by introducing alien concepts for interactions for the 'coolness' factor, or ignoring these altogether with content you cannot copy and forms which you can't autofill - all amounting to a different/jarring/bad user experience.
A good designer for either medium is one who is fully aware of these constraints, and works with them. Although a good print/web visual designer may be able to produce appealing sites, they will often not have a solid understanding of the medium and the nature of interaction, which is where things may fall down.
Yep, it does - in all cases I've seen. Probably because (I'm pretty sure) Flash doesn't provide you with plain sockets; you can only offload requests to the browser, where they're logged in Firebug.
=w=
Flash isn't available for linux x86-64 and hand-installing doesn't work, I'm not sure that it is available in windows-64 either. If your site is Flash dependent, you're excluding the early adopters, not something that's good if you're trying to develop market momentum.
Apocalypse Cancelled, Sorry, No Ticket Refunds
> that's the price to pay for depending on proprietary solutions.
And the open-source replacement for Flash would be...?
I have no love for Flash, but the sky is blue in the world where I live.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
Adobe supported a SVG plug-in for a few years but doesn't anymore. I know that .Net framework at all - it contains a subset of it. Microsoft is supporting it on Windows and Macintosh and working with Novell to support it on Linux.
/. crowd), but it's one of our most important thing that we can do.
Silverlight, although closed source, doesn't require the
Before I joined Microsoft (earlier this year), I visited the security response center in Redmond and got the distinct impression that the company takes security very seriously. We know that from our past problems, that we have much to do to regain trust (especially th
Michael S. Scherotter
Developer Evangelist
Microsoft
Work as if you might live forever, Live as if you might die tomorrow.
> The more professional Flash websites will be quicker to address this vulnerability,
> whereas the ones that have been thrown together will make for bigger targets. Maybe this
> will motivate employers to hire Flash devs who really know what they're doing. After all,
> with Flash's scripting capabilities, developing in it for a client should be a serious
> matter based on trust.
WRONG; do NOT trust ANY web site.
So the "good guys" clean up their *.swf files. *WHAT ABOUT THE BAD GUYS*??? And please don't feed me that "don't go to untrustworthy websites" crap.
- Can you claim that you've never ever mistyped a URL and landed on a typosquatter's site?
- Are you sure that your ISP's DNS-server is 100% immune to cache-corruption? With pharming attacks, *EVEN IF YOU TYPE IN THE URL EXACTLY CORRECT* you will still get diverted to a malicious site.
- Do you only visit websites that don't have any 3rd-party banner ads? One of the current favourite attack methods is to insert malicious code in ad-servers that many mainstream sites use.
- Can you be absolutely certain that your favourite "trusted website" won't be compromised like the Superbowl teams' websites in Jan/Feb of 2007?
Almost exactly 2 years ago, MS Windows was hit with the WMF exploit. They got a lot of flak when they said they wouldn't send out a fix until "Patch Tuesday". So they sent out a quick fix before "Patch Tuesday". Meanwhile, Adobe isn't merely saying they'll have a patch out 2 weeks from this coming Tuesday. It's more like "no patch in sight". I didn't give MS a free pass on the WMF vulnerability, and I don't think Adobe deserves any slack here. Another reason I'm more concerned is because my home PC, running linux was immune to the WMF vulnerability, but is subject to the Schlockwave Trash vulnerability.
DIE SCHLOCKWAVE TRASH, DIE.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Most which think they are useful are a hindrance, either by disabling printing and/or removing browsing (back button) or just a nuisance with idiotic sounds etc.
Most of the useful stuff I've seen Flash used for has been related to intranet applications, not stuff that's meant for "public consumption." A huge amount of programming is used behind the scenes for business applications... it's just that customer-side applications get the most attention.
The 32-bit Flash player works on many 64-bit Linux distros. It works with both Firefox and Konqueror on my 64-bit Gentoo system.
We don't see the world as it is, we see it as we are.
-- Anais Nin
I have seen a couple of those business applications made with ActiveX in the work.
...
ActiveX cannot be printed either, does not obey back, has no real links (links cannot nicely be copied to VCS/Wiki/etc), does not work with FF (even with activex plugin)
Just a POS, IMHO.
A cat can't teach a dog to bark.
Windows x64 flash works just fine. I've also had it running on Ubuntu x64, you just need to install the 32 bit version of firefox and the 32 bit flash player, it's a pain but it works fine with a little tweaking to get it all set up. Besides, do you really NEED the 64 bit firefox?
The Answer
No, I don't; in fact I'm questioning whether I need Flash either, so it's about 6 of one, half a dozen of the other.
Apocalypse Cancelled, Sorry, No Ticket Refunds
For me, they save perfectly and always save as a complete file ( I never grab it from the cache; that's the wrong way to do the job). Like I said: 100% success rate, and I have a relatively slow connection.
Try grabbing it from the server that's sending it to the web page in the first place, and waiting until it's done before you save. The only OS or Browser-specific trick is finding that particular url, but it can be done on any system quickly and easily.
I don't trust the download links. If you are saving from the server that sends the stream to the web page in the first place, then you will see the url for the video file they embed in the player is not the same as the url for the download link. Typically it's a different file (quality, etc), and that's if the video is actually available in the first place.
Often it's a portal to another site, whether it's ad strategy, link fraud, or downloading malware. I've learned that you don't use the provided download links. Waste of time.
Online Video is a cesspool of hell, and Flash is part of the cesspool like everyone else. Currently there is a serious vulnerability in the Flash Browser Plugin on all OS's. They are no better nor worse than anyone else; although they are very restrictive as to how content creators can format the video, which makes for a more universal experience for the user. For that you get mediocre video quality and often downright poor audio quality.
I must be out of the loop, since I have NEVER seen a FOSS version of Flash.
Mow-ran
NO, at least I don't like Youtube. Shitty quality at best. And the player sucks.
I enjoy the videos in stage6. Fantastic quality, the player will let me see the videos fullscreen with hardware acceleration and they can be easily downloaded.
http://www.stage6.com/
We are Turing O-Machines. The Oracle is out there.
Due to a recent security issue with Flash (All browsers; All OS's) I disabled the Flash/Shockwave plugins on my system.
...
On one site: 27 popups demanding I acknowledge I had no Flash plugin plus 7 demanding I download the plugin. The page stops loading until I click on the popup; loads for a second, stops again so I can acknowledge I have no Flash plugin; loads for a second, stops again
During the next half-day, well over a hundred popups demanding I acknowledge I had, in fact, no Flash plugin. I'm not going anywhere special here. Regular news and weather sites, basically.
Call me crazy, but if Apple or Microsoft intruded in the average user's browsing experience with (I'm not exaggerating here) more than 200 insistent demands that I download their software while trying to view 10 web sites, I think the entire online world would be pissed. It is, in fact, possible to browse the internet without QuickTime or Windows Media Player plugins installed, and at worst, you get a few funny icons in your browser page windows.
Flash? A constant, insistent, whining drone. You literally have pages that pop up in front of the page you are viewing to demand you do something about this serious failure to install our plugins. It's amazing how virtually no page on the internet can survive without the Flash Plugin.
Except, if I managed to click the popups by the hundred, the pages loaded just fine, thank you. The occasional image (video start screen) was blank. And I mean occasional; most still displayed.
So, without Flash; about 80% of my browsing experience consisted of acknowledging I had no Flash Plugin. Nice.
No wonder it works on 99% of browsers. Without it, you don't make it out of the driveway.