
Flash is broken - Adobe can't fix it - flash vector for malware

  • 05-12-2009 8:53am
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    Sites that allow user-uploadable content (e.g. most Web 2.0 platforms) pose a high security risk for users, e.g. social networking sites, email services using a web interface, etc. All the hacker has to do is upload an image, for example (even a simple avatar), which disguises a Flash file.

    This is because Flash can be used to run malicious code (Flash ActionScript*). Flash .SWF files can be renamed .jpg or anything else – the Flash client in the browser will still see the Flash code in a .jpg file and run it. Adobe does not want to change this, because they say it would break Flash.

    The only way for websites that allow user-generated code to operate in a safe way is to take advantage of “same origin policy”. Basically the website itself should be on one domain, and the user-generated content should be served from another domain. In this context mytrashgossip.com and ugcmytrashgossip.com are different domains – but mytrashgossip.com and content.mytrashgossip.com are not.


    Steve Gibson gives a detailed presentation on the risks at:

    http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/sn0225.mp3

    Skip the first 44 mins if you are only interested in this topic.

    Show notes: http://www.grc.com/sn/sn-225.htm

    *http://en.wikipedia.org/wiki/ActionScript
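
A server-side check for the disguised upload described in the first post, as an added example that is not part of the original thread: it inspects an upload's leading bytes for the SWF signatures (`FWS`, `CWS`, `ZWS`) instead of trusting the file name. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Magic bytes for the image types an avatar upload would accept.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def parse_swf_header(data):
    """Return (signature, version, declared_length), or None if not SWF."""
    if len(data) < 8 or data[:3] not in SWF_MAGIC:
        return None
    version, length = struct.unpack_from("<BI", data, 3)
    return data[:3].decode("ascii"), version, length


def check_upload(filename, data):
    """Decide on an upload from its content, not its name: (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    swf = parse_swf_header(data)
    if swf:
        sig, version, _length = swf
        return False, f"SWF content ({sig}, version {version}) named .{ext}"
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return False, f"extension .{ext} not on the image allow-list"
    if not data.startswith(magics):
        return False, f"content does not match .{ext} magic bytes"
    return True, "image magic bytes match extension"


# Constructed sample inputs (not real files).
SAMPLES = {
    "avatar.jpg": b"FWS\x09" + struct.pack("<I", 1234) + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "logo.png": b"GIF89a\x01\x00\x01\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob))
```

The check only looks at the leading bytes, so it complements rather than replaces serving user content from a separate domain as the post recommends.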


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 94,294 Mod ✭✭✭✭Capt'n Midnight


    get Flashblock for Firefox

    seriously, is there a real need for 99% of Flash? most of it is bandwidth-stealing advertising or eye candy

    also the bandwidth in patching Adobe products all the bleedin time


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    get Flashblock for Firefox

    seriously, is there a real need for 99% of Flash? most of it is bandwidth-stealing advertising or eye candy

    also the bandwidth in patching Adobe products all the bleedin time

    I use it and it (https://addons.mozilla.org/de/firefox/addon/433) is good - but on a website one isn't familiar with, which Flash blobs do you enable to see the content, and which might be malware? :-(

    Hopefully HTML5 will put Flash out of business anyway.

