Slashdot Mirror


Flash-Based Vulnerability Lingers On Many Websites, Three Years Later

itwbennett writes: The vulnerability known as CVE-2011-2461 was unusual because fixing it didn't just require the Adobe Flex Software Development Kit (SDK) to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't. Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers. They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.

22 of 42 comments

  1. What's the exploit vector here? by dgatwood · Score: 4, Interesting

    None of the pages about this bug—not the article, not the CVE, and not the Adobe explanation—tell what the actual attack vector is. They just say that they're vulnerable to XSS. Does that mean that the Flash code can be used on somebody else's domain? Does it mean that the Flash code can in some way be tricked into loading content from the wrong domain on behalf of page JavaScript? If so, and if Flash code uses only non-hardcoded URLs, does that mitigate the problem?

    The thing is, even if you got rid of all the insecure Flash applets out there, a malicious person could still host one somewhere. So depending on the nature of the attack, the only real way to fix it might be for Flash to deliberately break every Flash applet linked against the old SDK. If the attack is dependent upon the flash being hosted from the same domain as the content you're trying to steal (e.g. cookies), then the right way to fix it is for web developers to eradicate Flash from their websites.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:What's the exploit vector here? by dgatwood · Score: 1

      I hereby propose to rename it "Software As a Disservice", or "SAD".

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:What's the exploit vector here? by colfer · Score: 1

      Mod parent up.

    3. Re:What's the exploit vector here? by tjxn · Score: 1

      I found the patch tool here: http://kb2.adobe.com/cps/915/c...

  2. Re:Why don't the browsers patch these files? by dgatwood · Score: 1

    Agreed. Flash really should apply the patch, and if it fails, it should refuse to load the Applet.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Is this vulnerability really corrected? by craighansen · Score: 2

    If a malevolent SWF file could be copied and hosted elsewhere, how could Adobe reasonably claim to have corrected the vulnerability at all?

    1. Re:Is this vulnerability really corrected? by mysidia · Score: 1

      could be copied and hosted elsewhere, how could Adobe reasonably claim to have corrected the vulnerability at all?

      Think of it the same as if GCC had a bug that caused it to generate machine language code containing a vulnerability, when you were compiling a project. The bug was fixed, but all binaries previously compiled are vulnerable until rebuilt using a version of the compiler after the bugfix was made.

      The vulnerability is a same-origin policy violation affecting only the site that hosts the SWF file; I guess it's not an RCE or other vulnerability in the Flash player itself; the binary code placed into the SWF file is executed faithfully, but in fact there's an issue in the particular bytecodes that were being generated when you compiled your project, so the compiled SWF file contained the vulnerability when correctly interpreted by the Flash player, if that makes sense.

  4. Do as we say... by SeaFox · Score: 3, Insightful

    They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites.

    Talk about not dogfooding.

  5. So? by s.petry · Score: 1

    Client-server technology has always had a problem where the client must trust the server. Adobe could have done better with Flash, but compromised security for flexibility. Exactly what every bank I know of has done, and insurance company, and government agency, and department store, etc.. etc... etc...

    If you are worried, don't download content you don't trust. It's not an absolute fix, because malicious files could still be uploaded to Facebook and YouTube. That said, I doubt your world will end when you don't watch the latest meme or crazy Russian's video. Plenty of other things to do for entertainment, most in my opinion are healthier than sitting on your ass watching videos.

    I don't see this as a big deal. If you are ignorant of the dangers of the Internet today, you are intentionally ignorant. Too much information is available for you to read on the "do's and don'ts" of content and usage. Sorry, but the world will never be the safe place certain people fantasize about. Human nature will prevent this from happening, ever!

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  6. Re:Flash and Java should just fuck each other by Anonymous Coward · Score: 1

    They already did and gave birth to Python

  7. disable flash! by Gravis+Zero · Score: 3, Insightful

    there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.

    if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:disable flash! by hcs_$reboot · Score: 1, Troll

      those that haven't switched to html5 yet will do so soon enough.

      What about IE6 users, you insensitive clod?

      --
      Slashdot, fix the reply notifications... You won't get away with it...

    2. Re:disable flash! by colfer · Score: 1

      On Win8, Chrome and IE have Flash built-in. Flash updates have become an issue only on Firefox, and even there you can make Flash "ask to activate," and Mozilla central blocks outdated versions. On Win7 you still have to update Flash for IE as well as Firefox.

      I guess everyone using a browser knows this, but hasn't deemed it worthwhile to respond to these comments apparently from some archived library of ranting. Or you're on Linux or Apple! I don't know how it works there.

    3. Re:disable flash! by colfer · Score: 1

      More accurately, disable the Java plugin if you have Java installed for other purposes.

  8. kill it by circletimessquare · Score: 2

    when can we go from slowly transitioning from flash to html5, to actively and aggressively killing flash as a policy initiative coordinated among major websites?

    i think a cost/ benefit analysis presentation to the right corner office could get this ball rolling

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it

    1. Re:kill it by mysidia · Score: 1

      When can we go back to text-based browsing and work on aggressively killing this JavaScript and graphic images stuff?

    2. Re:kill it by circletimessquare · Score: 1

      i think we should roll up paper and put them in tubes and send them around via pipes

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it

  9. Re:Why don't the browsers patch these files? by hcs_$reboot · Score: 1

    If the browser is downloading the Flash files, why doesn't it apply the patch/fix prior to the Flash plugin executing them?

    And why should a browser cope with 3rd party crap like Flash?

    --
    Slashdot, fix the reply notifications... You won't get away with it...

  10. Re:Complexity Bites Bytes by Anonymous Coward · Score: 1

    The fix is simple. Remove Flash from your system.

  11. Re:Why don't the browsers patch these files? by mysidia · Score: 1

    Or update Flash to detect and just refuse to load the applet.... if it was indeed the SWF file creator's responsibility to patch. This would help encourage them to patch and not leave users of older versions of Flash vulnerable to this particular issue.

  12. Bah ... by gstoddart · Score: 1

    Flash has been in a perpetual state of vulnerable for, what, almost years now?

    Every 2-3 months for that entire time, Flash has had yet another security hole in it.

    So, I'll continue to leave it disabled in my browsers. About 3 times per year I cave and fire up an IE which has it enabled because someone in HR still insists on something I must use it for.

    But, seriously, Flash should be killed off. It's terrible. It's always been terrible. And it's not showing any signs of not being terrible.

    It serves ads, and sites with terrible navigation. I'm sure there are sites I don't use which use it for other stuff, or possibly even use it well.

    But many of us have gone many many years with it disabled and not missing a damned thing.

    --
    Lost at C:>. Found at C.

  13. Re:Why don't the browsers patch these files? by hcs_$reboot · Score: 1

    Oh they must have upgraded the ISO model recently

    --
    Whatever doesn't kill you, makes you stronger.

    --
    Slashdot, fix the reply notifications... You won't get away with it...