Slashdot Mirror


Flash Vulnerabilities Affect Thousands of Sites

An anonymous reader sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."
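As an added example (not code from the article, from Adobe, or from any commenter), here is a Python triage script for the "combing through website directories for SWF files" step the summary describes: it walks a web root, parses each SWF header, inflates zlib-compressed (CWS) bodies, and flags files whose bytes contain script or URL-handling names that deserve a manual look. The indicator list, helper names and sample blob are my own assumptions; a hit marks a file for review, it does not prove it vulnerable.

```python
import os
import struct
import zlib

# Heuristic indicator list (my own assumption, not from the article): names a
# SWF body contains when its script reaches URLs or reads externally settable
# variables. A hit means "review this file by hand", not "vulnerable".
INDICATORS = [b"getURL", b"javascript:", b"clickTAG", b"_root.", b"_level0.",
              b"loadMovie", b"ExternalInterface", b"navigateToURL"]

def parse_swf(data: bytes) -> dict:
    """Parse the 8-byte SWF header; inflate zlib-compressed (CWS) bodies."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS SWF file")  # ZWS (LZMA) out of scope
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # uncompressed size
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    return {"signature": sig.decode(), "version": version,
            "declared_length": declared_len, "body": body}

def find_indicators(body: bytes) -> list:
    """Return the indicator strings present in the (inflated) SWF body."""
    return sorted({i.decode() for i in INDICATORS if i in body})

def triage_swf(data: bytes) -> dict:
    """Header facts plus a needs_review flag for one SWF."""
    info = parse_swf(data)
    hits = find_indicators(info["body"])
    return {"signature": info["signature"], "version": info["version"],
            "indicators": hits, "needs_review": bool(hits)}

def scan_webroot(root: str) -> list:
    """Walk a directory tree and triage every *.swf; one record per file."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".swf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                rec = triage_swf(data)
            except (ValueError, zlib.error) as exc:
                rec = {"error": str(exc), "needs_review": True}  # malformed: look at it
            rec["path"] = path
            results.append(rec)
    return results

def make_sample_swf(body: bytes, compress: bool) -> bytes:
    """Constructed SWF-shaped blob for offline tests (not a playable movie)."""
    sig = b"CWS" if compress else b"FWS"
    header = sig + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)

if __name__ == "__main__":
    print(triage_swf(make_sample_swf(b"\x00clickTAG\x00getURL\x00", True)))
```

Run `scan_webroot("/var/www")` (or wherever the site lives) to get the per-file list; files flagged `needs_review` are the ones to test one by one or regenerate.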

24 of 214 comments

  1. Proprietary, huh? by palegray.net · Score: 5, Informative

    Quoth the headline: "that's the price to pay for depending on proprietary solutions..."

    There are open source implementations of the Flash protocol; I'm running Gnash as my SWF player on Ubuntu 64, and it works just fine. Your mileage may vary.

    1. Re:Proprietary, huh? by palegray.net · Score: 3, Informative

      Oh, and by the way, those who wish to create Flash content may want to have a look at this site.

    2. Re:Proprietary, huh? by Jack9 · Score: 4, Insightful

      Even open source implementations are vulnerable to XSS.

      Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

      In summary, "Phishing can work against Flash apps." Specifically, the article says someone at Google documented something about XSS working against Flash apps... being really light on the details. This could apply to Google's stock market Flex charting, for example. Adobe hasn't done anything about it and didn't respond to EMAIL inquiries about it.
      My question is who asked The Register to troll against Adobe? AND how did it get posted on /.? Lemme know if I missed something.
      --
      Often wrong but never in doubt.
      I am Jack9.
      Everyone knows me.

    3. Re:Proprietary, huh? by Deanalator · Score: 4, Insightful

      The problem isn't that Adobe has a poor implementation of the Flash protocol. If that were the case, they could just patch the issues (like in the past). These issues stem from the protocol itself, and that it is very liberal in how it defines access control. This is not something that can be fixed by open source. Even if Gnash did have a top notch security team (which I doubt, since it sounds to me like they are still having trouble getting SWF to parse safely), they would need to redefine much of the protocol and add proper mandatory access controls. Doing this in a way that would not break existing Flash applets would be a huge pain in the ass. Not to mention having to go back and change everything again once Adobe releases a new version.

  2. Block Flash wherever possible by cbhacking · Score: 4, Informative

    It burns a lot of CPU time, uses a lot of bandwidth, crashes browsers, and - not for the first time - has serious security issues.

    On Firefox, there's an extension called Flashblock. It blocks Flash by default, but allows you to re-enable it on a page-wide or applet-by-applet basis. Several other extensions will do the same thing.

    In IE7, you can double-click a spot in the status bar (third box, right to left, of the boxes just to the left of the security zone indicator (the thing that usually says Internet)) or open the Add-on Manager from Tools in the command bar or menu bar, and disable or enable the Flash ActiveX control. This will globally enable or disable flash, but doesn't take effect on a given page until that page is refreshed. Alternatively, the third-party add-on IE7Pro has applet-by-applet flash blocking.

    I realize that some sites need it, and on those there's nothing you can do about this problem except hope Adobe updates their software ASAP. For everywhere else though, do yourself a favor and block it.

    --
    There's no place I could be, since I've found Serenity...

  3. Re:Preference by palegray.net · Score: 5, Insightful

    Flash done right can be extremely useful, as a tool for adding a dynamic interface to a site. Unfortunately, Flash is (in my opinion) usually done horribly wrong, and implemented in a manner that doesn't give site visitors any alternate means of using the site. I've seen good implementations where Flash was used only for a particular application, and the rest of the site was done in standard-compliant HTML/CSS. I've also seen really scary work on countless occasions where the entire site was one big Flash presentation. Ugly stuff.

  4. Permanent workaround by noidentity · Score: 5, Insightful

    Funny, I've been using a permanent workaround since way before these were discovered: don't install Flash. As a bonus, you get notified with a blank screen when visiting a website with no useful content, so you don't waste any time trying to figure out how the hell to navigate it.

  5. Re:I'm no fan of proprietary solutions, but... by Anonymous Coward · Score: 4, Insightful

    If it were open the source code could be audited and perhaps this vulnerability (or others) would have already been identified and corrected. With proprietary solutions you just don't get that option.

  6. Is slashdot evil? by DAldredge · Score: 3, Funny

    /. delivers proprietary Flash content to us via a proprietary ad network. Does that make /. evil too?

  7. The price comes in.. by Junta · Score: 4, Interesting

    With respect to the "No patch in sight from Adobe" part, of course. If such a flaw were discovered by security researchers in Firefox, they could do better than merely report the problem; it is within their power to correct the code and issue a third party patch/update if mainstream won't act. The vulnerability may not intrinsically be due to the proprietary nature (though external code audits might arguably occur to help, but I wouldn't guarantee it), but solving those problems cannot be done in a proprietary system except by the vendor.

    The community might ignore such a patch, and it might not even happen that often, but if things were generally dire enough in a project's mainstream, a new leadership could fork the project, and that is not unheard of in projects. Of course, it's common for distributions to apply security updates to their packages before upstream merges them, so it isn't *that* strange.

    Not related to security, but the current version of the Flash plugin, for example, breaks compatibility with Linux Opera and Konqueror due to XEmbed, and packagers' hands are kind of tied in terms of what to do about it. Of course, one can also point out the ATI drivers, which suffer greatly from problems and are dealt with in a way that doesn't work.

    --
    XML is like violence. If it doesn't solve the problem, use more.

    1. Re:The price comes in.. by Blakey+Rat · Score: 3, Interesting

      Say for example there was an open-source solution to do Flash-like animation and multimedia on websites (there isn't.) Let's call it Gnash.

      Now let's say that Gnash works approximately like Flash does: you do your design in a 'source' file called a .gla which you then compile into a 'runtime' file called a .gwf. And version 5.0 of Gnash is buggy in such a way that .gwf files have a security vulnerability, based off legitimate Gnash features (so that the Gnash runtime can't just blanket disable the feature that causes the vulnerability). The only way to fix this problem is to individually inspect every .gwf file to see if they use the functions in question.

      Furthermore, let's say for argument's sake that Gnash is hugely popular and millions of these .gwf files exist on the web, some on sites that no longer have access to the original .gla files.

      How would the fictional Gnash open-source solution be any different or better than the proprietary Flash solution? Show your work.

      All of this, of course, is assuming that there is an open source package that does what Flash does, and there isn't. So if you really think open source is really all that superior, why don't you make open source versions of things that people obviously want? Like Flash, for instance. Instead of just complaining that the proprietary solutions suck.

  8. Even Lynx had problems, so.... by gnuman99 · Score: 3, Informative

    You can say the same about Java, JavaScript, Ruby, Python, browsers in general. Just revert back to using lynx I guess, but that had a remote hole as well! Actually 2 remote holes,

    http://secunia.com/advisories/17372/
    http://secunia.com/advisories/17216/

    That is with just a text-only browser.

    So, should we go back to using
        printf 'GET / HTTP/1.1\r\nHost: slashdot.org\r\nConnection: close\r\n\r\n' | netcat slashdot.org 80

    Kinda sucks!

    Clearly one of the answers is to limit the browser to sub-user access. I think that is what Vista tells us is happening there. Debian doesn't do that by default. But then I'm not sure how easy it would be to limit iceweasel (Firefox) to not execute stuff except known plugins, etc...

    As for the solution to problems like this, it is clearly the client that needs patching!! A client needs to handle ALL cases without allowing someone to compromise information, etc.

    There is a balance between security and usability. You can't have both perfect at the same time.

  9. Re:Preference by Anonymous Coward · Score: 5, Insightful

    Depends on what you are trying to achieve, but I would never go with Flash. The only benefit of Flash is that it will keep the majority of users from "stealing" your content by downloading it and saving it to a file. And you also get to code up your own crappy player in it too. If you want it playable on the largest number of devices (what people normally claim is the benefit of Flash), then go with MPEG-1, which will work more places than Flash.

  10. Re:Preference by piojo · Score: 4, Interesting

    Anyone who thinks having videos as flvs will keep the majority of people from "stealing" content clearly hasn't done a search for "save flv" on google. I'm certain that 90% of youtube users don't even know what a .flv is, let alone that they can be saved. Saving them even gives me trouble, and I've written screen scrapers and a (dysfunctional) web spider. Then again, I don't use flash sites enough to know what the proper ripping tools are, and I use Linux, so the proper tools may not exist for me.
    --
    A cat can't teach a dog to bark.

  11. Re:A lot of the vulnerable Flash is THIRD PARTY by FLEB · Score: 3, Interesting

    Unless the Reg article is being misleading, it doesn't look like much more than "XSS is possible in Flash apps". If that's the case, it's less a case of a "vulnerability" as Flash giving developers a hammer, and the devs bashing in their own fingers with it. As in JavaScript, as in PHP, as in CGI, as in any language that accepts input from outside-- never trust the input!

    Or am I missing something?

    --
    Information wants to be free.
    Entertainment wants to be paid.
    You just want to be cheap.

  12. Just more X-Site scripting = Relax a little by Twillerror · Score: 5, Informative

    From what little I can get from the article this seems like just another cross site scripting attack.

    Although this can "help" an attacker steal information the end user still has to click a link provided by the attacker that tricks the user into thinking they are on someone elses site and seeing content that site generated.

    Cross site scripting attacks are not to be laughed off, but they do tend to get over exaggerated. When is the last time you clicked on an email link sent to you out of the blue... and then stuck in your user name and password?

    People could just as easily fall for attacks like this that don't even change the URL. Not to mention that this has to upload the payload to a server. Meaning you can steal people's information, but it has to go to an IP somewhere. Maybe if law enforcement would get off their behinds and go after these f'ers it wouldn't be such a big issue.

    All the anti-Flash posts need to get down voted. I could easily say that JScript sucks because of all the various security issues it has had over the years, but it isn't useful or productive. Flash is what Flash is... you don't like it... don't install it and shut up and let the rest of us use it.

  13. Re:Why was the book released before the patch? by CalTrumpet · Score: 5, Informative

    Howdy... I'm actually one of the contributors to the book. We have been working with Adobe and CERT for a while on this issue, and we felt that as much time as is reasonable had elapsed since the initial reporting. The disclosure of security vulnerabilities is always a complicated ethical issue, and you have to weigh the public's right to know with the possibility that a speedy fix may reduce the overall damage from disclosure. Even with several months of work, "patching" the vulnerabilities is complicated, since the issues exist in the SWF files themselves and not in Flash player, so the only solution is for website owners to re-generate their Flash applets with the updated generators, which should be out shortly.

    A more formal vulnerability report is being co-ordinated with CERT and should be out soon with the details of the issues.

  14. Re:Preference by Anomolous+Cowturd · Score: 5, Insightful

    Not a fan of flash either, but the one application it is actually good for is the youtube-style video embedding. I prefer flash to the satan-spawned abominations quicktime & windows media player, as the platform support is better, among other things.

    --
    Software patents delenda est.

  15. Re:Preference by JackMeyhoff · Score: 5, Insightful

    Most Flash is done WRONG unfortunately, and most sites either open in a new limited-controllable window and/or have a screen area the size of a postage stamp. Flash sucks for many reasons, and these are 2 of them.

    --
    http://www.rense.com/general79/wdx1.htm

  16. Flash != Evil by ckorhonen · Score: 5, Insightful

    I really would like to hear details of the 'vulnerability' just so I can begin checking our code and performing an assessment of whether or not this is a credible and realistic threat to the security of our customers.

    In the past, many vulnerabilities have been reported on the Flash player, but most of them follow a similar kind of theme - the rogue SWF file must be created with third party authoring tools, and/or modified in a hex editor, in order to put the malicious code in there to begin with. In addition, due to the security sandbox and crossdomain restrictions, it needs to be downloaded from your site anyway. So, it's perfectly possible for a SWF to wreak havoc on a user's machine; the only caveat is that someone within a company, with access to the web servers and source code, would need to have created it in the first place - something I'm sure is indicative of a larger problem!

    Oddly, most non Flash/web developers tend not to see it that way - I have a beautiful MP3 of a conversation I had with one of our 'Security' people who just consistently ranted on about undisclosed vulnerabilities as a reason not to use Flash in a project.

    In my years of working with the web and the Flash platform, I have not yet seen a single workable exploit that could present a credible threat to the majority of Flash users on the web, not without the user or the site already being compromised in some manner.

    The only somewhat grey area is where Flash is used for online advertising, but you will find that most of the main publishers out there are aware of this and perform some level of code review on ads before they go live - I work for a bank and we don't run any 3rd party adverts without seeing the sourcecode and decompiling any SWF assets provided.

    Really guys, the Flash platform isn't the cloud of evil you are making it out to be. Granted, it has been used for some really annoying things in the past, but used right, it can really help to deliver a friendly, usable and engaging user experience. In addition, in Adobe's hands we have seen it become more open than ever before - Flex, AMF, Tamarin, all released as open source in the past year. I'd be surprised if this trend does not continue.

  17. Re:Preference by Anonymous Coward · Score: 4, Funny

    Keep your voice down...

    You must be new here... this debate isn't about whether or not the suggested alternatives to Flash are supported or practicable.

    It's more to do with people having a look at reality and coming to the conclusion that they just don't like or believe certain aspects of it.

    Call it a selective disregard for the facts or utter stupidity if you will, but it's kinda groovy...

    I think that the audio and video functionality of Flash/Flex can and will be replaced by chaz haskins' svg wondershow plugin.

    See it's easy! get into it.

  18. Flash danger by SoopahMan · Score: 4, Informative

    One major issue with Flash is its ability to insert scripts into the actual page.

    Say I want to read your email. I send you an email with a Flash animation in it. You read it and your webmail verifies there are no dangerous scripts in my email - but it's much harder to verify the Flash I sent you is safe. Which I'm counting on, because I've put code in that creates a script tag in the webpage, downloads my dangerous script, and sends me your cookies. Now I can read your email.

    Flash has been getting a free pass on security for a long time. Time for things to tighten up on the web viewer more widely installed than Internet Explorer.

    1. Re:Flash danger by ckorhonen · Score: 3, Informative

      But surely the web-mail client shouldn't allow active content such as JavaScript or Flash to execute in the first place?

      I've never seen one which does this, for that very reason, as this study seems to prove:

      http://www.campaignmonitor.com/blog/archives/2006/01/the_truth_about_1.html

      This issue isn't really the fault of Flash, but more web applications not validating their input and allowing the user to insert HTML tags where they shouldn't.

  19. To hell with Flash anyway... by BrokenHalo · Score: 3, Interesting

    I believe most Flash is done wrong simply because the site designers value form over content.

    Useful or pertinent information (if it is manifest at all) usually has the appearance of being inserted as an afterthought. That's why the sites I visit most often tend to be based primarily on simple markup such as HTML, which despite its various drawbacks is at least easy to maintain (and therefore more likely to be maintained), and does not have the noli-me-tangere character of a cast-bronze SWF presentation.

    I apologise for coming across as a luddite, but it is distinctly tiresome to be subject to the whim of some mentally adolescent graphics designer poking glitzy, time-consuming displays in my eye rather than allowing the information I'm looking for to be easily found. Which is why I think Flashblock is the best thing since unsliced bread.