Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Hopes Pop-up Warnings Will Stop Office-Borne Flash Attacks

Posted by timothy on from the ms-bob-is-on-the-case dept.

tsamsoniw writes "In the wake of the most recent zero-day attacks exploiting Flash Player, Adobe claims that it's worked hard to make Player secure — and that most SWF exploits stem from users opening infected Office docs attached to emails. The company has a solution, though: A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat."

5 of 125 comments (clear)

  1. Separate the code and the data by Gothmolly · · Score: 5, Insightful

    This is why your data should not be executable.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Separate the code and the data by Darinbob · · Score: 5, Insightful

      People want convenience. And convenience is the mortal enemy of security.

    2. Re:Separate the code and the data by davester666 · · Score: 5, Interesting

      WTF is so convenient about having Word being able to display Flash content?

      Do a significant/noticeable number of people embed Flash content in their Word documents?

      How about Flash just preventing itself from running in non-browsers [and maybe their standalone Flash app]?

      --
      Sleep your way to a whiter smile...date a dentist!
  2. aaand it won't help much by v1 · · Score: 5, Insightful

    "So what's wrong with it?"

    "You have the latest flash virus. Have you opened any Word documents lately?"

    "Of course! I use Word all day."

    (scans hdd, finds the one in email that started it)

    "Did you open this?"

    "Of course I did. It's the weekly report."

    "Didn't it WARN you there may be a virus?"

    "Yes it opened up a box I hadn't seen before. But I needed to see the report, so I clicked the Open Anyway button."

    "Didn't you get the memo last week about not clicking Open Anyway?"

    "Of course I read the memo. But I need to read that report. I had to open it."

    aaaand this is why this doesn't work anywhere near as well as Adobe says it will. No matter how many times you tell them to call you and NOT open it anyway, they still will. And you'll be at her desk again. Maybe later today even. Because she opened it anyway, because she "had to". (speaking from experience here)

    The only reasonably effective way to implement this is with a policy that is system-wide, that allows administrators to disable the Open Anyway button for the users that can't be trusted with it. (which will be most of them)

    --
    I work for the Department of Redundancy Department.
  3. * Hopes popup warnings will stop * attacks by Chas · · Score: 5, Insightful

    Sorry.

    It doesn't happen that way.

    It just doesn't.

    They tried this with browsers. It was egregiously cumbersome and conditioned people to auto-click YES to everything.

    They tried this with Windows. It's still egregiously cumbersome and is still just conditioning people to blindly auto-click YES to everything.

    So...NOW...they're adding MORE crap to click YES automatically to?

    Third time's the charm?

    FUCK NO!

    Three strikes and you're out fuckers!

    Warning popups prevent a small amount of infestations up front.
    HOWEVER, down the road, as people get conditioned to the popups, they just click past without looking. Because the popups ARE IN THEIR WAY.

    Adding a stupid popup is basically an admission that they're too goddamn stupid or lazy (or both) to secure their software properly. Or that their software is, inherently not secure or not able to BE secured.

    At which point, it's crap that needs to be replaced with a better solution. Even if it means giving up the convenience of "Well this works right now".

    --


    Chas - The one, the only.
    THANK GOD!!!