Flash-Based Vulnerability Lingers On Many Websites, Three Years Later
itwbennett writes: The vulnerability known as CVE-2011-2461 was unusual because fixing it didn't just require the Adobe Flex Software Development Kit (SDK) to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't. Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers. They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.
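Because the fix for CVE-2011-2461 had to be applied to every individual SWF file rather than once to the SDK, a site owner first needs an inventory of which SWF files are actually deployed and what they are. The following is an added example, not code from the article, the researchers or Adobe: it parses the SWF container header (the real `FWS`/`CWS` format: signature, version, declared length, frame RECT, frame rate and count, then the tag stream) and reports the `FileAttributes` flags, including whether the file declares network access. It does not detect the Flex flaw itself (that required Adobe's patch tool); it is the inventory step before running such a tool. The sample SWF is constructed inline so the script runs offline; `scan_directory` is a helper name chosen here for walking a real deployment.

```python
import struct
import sys
import zlib
from dataclasses import dataclass, field
from pathlib import Path

FILE_ATTRIBUTES_TAG = 69   # must be the first tag when present (SWF spec)
END_TAG = 0


@dataclass
class SwfInfo:
    compression: str          # "none" (FWS) or "zlib" (CWS)
    version: int
    declared_length: int      # uncompressed length from the header, in bytes
    width_px: float
    height_px: float
    frame_rate: float
    frame_count: int
    actionscript3: bool       # FileAttributes.ActionScript3 flag
    use_network: bool         # FileAttributes.UseNetwork flag
    tag_counts: dict = field(default_factory=dict)


def _read_bits(data: bytes, bitpos: int, nbits: int):
    """Read nbits MSB-first starting at bit offset bitpos; return (value, new_bitpos)."""
    value = 0
    for _ in range(nbits):
        bit = (data[bitpos >> 3] >> (7 - (bitpos & 7))) & 1
        value = (value << 1) | bit
        bitpos += 1
    return value, bitpos


def _read_sbits(data: bytes, bitpos: int, nbits: int):
    """Signed variant used for RECT coordinates."""
    value, bitpos = _read_bits(data, bitpos, nbits)
    if nbits and value >= 1 << (nbits - 1):
        value -= 1 << nbits
    return value, bitpos


def parse_swf(blob: bytes) -> SwfInfo:
    """Parse the SWF container and walk its tag stream; raises ValueError on malformed input."""
    if len(blob) < 8:
        raise ValueError("too short to be a SWF file")
    sig, version, length = blob[:3], blob[3], struct.unpack_from("<I", blob, 4)[0]
    if sig == b"FWS":
        compression, body = "none", blob[8:]
    elif sig == b"CWS":
        compression, body = "zlib", zlib.decompress(blob[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) not handled by this example")
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != length:
        raise ValueError(f"declared length {length} != actual {len(body) + 8}")

    # Frame RECT: 5-bit field width, then xmin/xmax/ymin/ymax in twips (1/20 px).
    nbits, pos = _read_bits(body, 0, 5)
    xmin, pos = _read_sbits(body, pos, nbits)
    xmax, pos = _read_sbits(body, pos, nbits)
    ymin, pos = _read_sbits(body, pos, nbits)
    ymax, pos = _read_sbits(body, pos, nbits)
    offset = (pos + 7) // 8                       # RECT is byte-aligned at its end
    rate_raw, frame_count = struct.unpack_from("<HH", body, offset)
    offset += 4

    counts, as3, use_network = {}, False, False
    while offset + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, offset)[0]
        offset += 2
        code, tlen = code_and_len >> 6, code_and_len & 0x3F
        if tlen == 0x3F:                          # long-form tag length
            tlen = struct.unpack_from("<I", body, offset)[0]
            offset += 4
        payload = body[offset:offset + tlen]
        offset += tlen
        counts[code] = counts.get(code, 0) + 1
        if code == FILE_ATTRIBUTES_TAG and payload:
            as3 = bool(payload[0] & 0x08)         # bit 3 of the first byte
            use_network = bool(payload[0] & 0x01) # bit 0 of the first byte
        if code == END_TAG:
            break

    return SwfInfo(compression, version, length, (xmax - xmin) / 20, (ymax - ymin) / 20,
                   rate_raw / 256, frame_count, as3, use_network, counts)


def build_sample_swf(compress: bool = False) -> bytes:
    """Constructed minimal SWF (not a real Flex artifact): 550x400 px, 24 fps, one frame."""
    bits = "01111" + format(0, "015b") + format(11000, "015b") + format(0, "015b") + format(8000, "015b")
    bits += "0" * (-len(bits) % 8)
    rect = int(bits, 2).to_bytes(len(bits) // 8, "big")
    body = rect + struct.pack("<HH", 24 << 8, 1)                       # frame rate 24.0, 1 frame
    body += struct.pack("<H", (FILE_ATTRIBUTES_TAG << 6) | 4) + bytes([0x09, 0, 0, 0])  # AS3 + UseNetwork
    body += struct.pack("<H", 1 << 6)                                  # ShowFrame, length 0
    body += struct.pack("<H", 0)                                       # End tag
    total = 8 + len(body)
    if compress:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + body


def scan_directory(root: str) -> dict:
    """Inventory every *.swf under root; values are SwfInfo or the error string."""
    results = {}
    for path in Path(root).rglob("*.swf"):
        try:
            results[str(path)] = parse_swf(path.read_bytes())
        except (ValueError, zlib.error) as exc:
            results[str(path)] = f"error: {exc}"
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, info in scan_directory(sys.argv[1]).items():
            print(name, info)
    else:
        print(parse_swf(build_sample_swf()))
        print(parse_swf(build_sample_swf(compress=True)))
```

Run it with a document root as the argument to list deployed SWF files with their version and flags; files reporting `use_network=True` are the ones that can make cross-domain requests and belong at the top of the list for re-checking with Adobe's patch tool.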
If the browser is downloading the Flash files, why doesn't it apply the patch/fix prior to the Flash plugin executing them?
None of the pages about this bug—not the article, not the CVE, and not the Adobe explanation—tell what the actual attack vector is. They just say that they're vulnerable to XSS. Does that mean that the Flash code can be used on somebody else's domain? Does it mean that the Flash code can in some way be tricked into loading content from the wrong domain on behalf of page JavaScript? If so, and if Flash code uses only non-hardcoded URLs, does that mitigate the problem?
The thing is, even if you got rid of all the insecure Flash applets out there, a malicious person could still host one somewhere. So depending on the nature of the attack, the only real way to fix it might be for Flash to deliberately break every Flash applet linked against the old SDK. If the attack is dependent upon the flash being hosted from the same domain as the content you're trying to steal (e.g. cookies), then the right way to fix it is for web developers to eradicate Flash from their websites.
Check out my sci-fi/humor trilogy at PatriotsBooks.
If a malevolent SWF file could be copied and hosted elsewhere, how could Adobe reasonably claim to have corrected the vulnerability at all?
They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites.
Talk about not dogfooding.
No Yipppppeeee!
Client Server technology has always had a problem where the client must trust the server. Adobe could have done better with Flash, but compromised security for flexibility. Exactly what every Bank I know of has done, and insurance company, and government agency, and department store, etc.. etc... etc...
If you are worried, don't download content you don't trust. It's not an absolute fix, because malicious files could still be uploaded to Facebook and YouTube. That said, I doubt your world will end when you don't watch the latest meme or crazy Russian's video. Plenty of other things to do for entertainment, most in my opinion are healthier than sitting on your ass watching videos.
I don't see this as a big deal. If you are ignorant of the dangers of the Internet today, you are intentionally ignorant. Too much information is available for you to read on the "do's and don'ts" of content and usage. Sorry, but the world will never be the safe place certain people fantasize about. Human nature will prevent this from happening, ever!
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
They already did and gave birth to python
there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.
if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.
Anons need not reply. Questions end with a question mark.
Fat Client = Fat Holes. Fat luck fixing em all.
Table-ized A.I.
when can we go from slowly transitioning from flash to html5, to actively and aggressively killing flash as a policy initiative coordinated among major websites?
i think a cost/ benefit analysis presentation to the right corner office could get this ball rolling
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
> They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites.
Was it the files or the 'finding' that was on Google, Yahoo, ... ?
i.e. were the files on Google, or just search engine links to the files that were on completely different other sites?
Something seems very wrong when they tell you to *fix the attacker* to fix a vulnerability. I don't get that.
You win the Internet
Flash has been in a perpetual state of vulnerable for, what, almost years now?
Every 2-3 months for that entire time, Flash has had yet another security hole in it.
So, I'll continue to leave it disabled in my browsers. About 3 times per year I cave and fire up an IE which has it enabled because someone in HR still insists on something I must use it for.
But, seriously, Flash should be killed off. It's terrible. It's always been terrible. And it's not showing any signs of not being terrible.
It serves ads, and sites with terrible navigation. I'm sure there are sites I don't use which use it for other stuff, or possibly even use it well.
But many of us have gone many many years with it disabled and not missing a damned thing.
Lost at C:>. Found at C.
...And all of these vulnerable ads must be run on slashdot. I always know if I left a tab with slashdot open on my machine as the fan is always running faster and eventually I'll get a plug-in has stopped responding message. This only ever happens when a slashdot tab is open in the background.
Using Opera 12.17 64-bit option of "play on demand only" by individual site preferences (globally too, which is how I set it to NOT allow flash on "every site there is that uses it", then setting up sites like YouTube to use it, albeit again, ONLY on demand (that way I can queue up a load of things to watch & play them as I see fit, vs. say, IE 11 playing them automatically)).
That works vs. ads using it, and allows flash to play ONLY when, & where, I see fit!
Funny part about YouTube since I mentioned it is that they *TRIED* telling my browser (Opera) flash was deprecated there & ANOTHER feature fooled that too (Mask as Internet Explorer or FireFox will do this) & flash STILL plays there.
* That's the reason I still use it - it also allows me to flexibly by site disable (or enable) cookies, plugins of all types, frames/iframes, javascript - no other browser has that much flexibility to this very day (not even Chrome, which has you do all kinds of 'commandline' switching - odd, considering it's a GUI application, don't you think?)
It sort of "blows my mind" that Jon Von Technzner (sp?), the inventor of it, dropped it like he did (iirc, it was for 'adhering to web standards' for a more universal browsing experience & also iirc, he's "top dog" @ the standards board for web 2.0 etc. SO it may merely have been a "personal sacrifice" for that pretty noble goal really - not worth it though... not imo & experience @ least. He already had one hell of a piece of work that IF he would've worked just a BIT MORE on the ECMA script (javascript) engine, it would have been JUST AS COMPATIBLE with scripted sites (stupid to run imo, it's the harbinger of doom for exploits online more than ANYTHING ELSE OUT THERE by far as a single source of it) as FireFox is.
Javascript is slow, bloated, & again a security + privacy/tracking risk too - It's a dumb thing to run for the most part "everywhere under the sun" (I only use it where it is ABSOLUTELY NECESSARY for DB access driven sites like online shopping, banking, or tests etc. - otherwise? I turn it off everywhere else for the reasons noted above).
IMO what was better & they deviated from it? WinCGI/CGI processing server-side pushing back results in a BETTER safer form... web 2.0 wannabe coders will *not* like that I am sure, seeing as they want to "further their own agendas" & protect their "raison d'être" but facts, are facts - javascript is a DUMB slow risk, period. Again, the web 2.0 wannabes & advertisers won't like that... but then again, they aren't capable of mastering things like NSAPI/ISAPI or to write it minus leaks in C/C++ server side... hence the dumbing down of things doing something VERY stupid (which MS' history shows is dumb) - putting scripts into documents (for a document-centric universe that backfired ala Word & Excel Macros). The TRASH seriously came blowing in -> JavaScript opens doors to browser-based attacks http://news.cnet.com/JavaScrip... [cnet.com] (& I can produce dozens more like that proving that point easily from reliable reputable sources).
APK
P.S.=> Another point in favor of Opera (oft called the 'speedking' of browsing & it is, even dusting the new javascript engines in the past with a far older one due to better coding) - I tried Webkit based browsers, even the new offering from Opera in Vivaldi - they're SLOW AS MOLASSES & don't offer as much in features I noted above... they're inflexible as hell by comparison & not as feature-laden as Opera was (not "Chopera") AND if you try that in IE, it will NAG YOU TO DEATH on javascript tags being encountered with NO OPTION to "DON'T TELL ME THIS AGAIN"... obvious why too - they want to force crap like javascript down your throat to advertise - well, I've got THAT covered too, with a little creation of my own that does the job BETTER than say, "Almost ALL Ads Blocked" crippled by default & sold-out for "the holy dollar" to NOT DO ITS JOB, the ONLY jo