Adobe Hopes Pop-up Warnings Will Stop Office-Borne Flash Attacks

tsamsoniw writes "In the wake of the most recent zero-day attacks exploiting Flash Player, Adobe claims that it's worked hard to make Player secure — and that most SWF exploits stem from users opening infected Office docs attached to emails. The company has a solution, though: A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat."

Re:Separate the code and the data

[nmb3000]

This is why your data should not be executable.

I'm trying to figure out what possible reason to have Flash embeddable inside an Office document someone might have. Maybe you could argue that it's worth being able to embed in a PowerPoint slide, but even that is reaching.

A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat.

I think a better solution is to disable Flash entirely* when run from an Office document and instead display a message that says:

"Flash has been disabled. To enable Flash content, contact your system administrator and he will come back there and hit you on the head with a tack hammer 'cause you are a retard ."

* of course with the obligatory registry-key-bypass for corporate users

Re:Separate the code and the data

[symbolset]

What does it matter? Office may as well be considered a remote access terminal server backend with system privileges for a metasploit frontend remote desktop client. The document preparation features are optional and in most cases redundant.