Flash is broken - Adobe can't fix it - flash vector for malware

  • 05-12-2009 08:53AM
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    Sites that allow user-uploadable content (e.g. most Web 2.0 platforms) pose a high security risk for users, e.g. social networking sites, email services using a web interface, etc. All the hacker has to do is upload an image, for example (even a simple avatar), which disguises a Flash file.

    This is because Flash can be used to run malicious code (Flash ActionScript*). Flash .SWF files can be renamed .jpg or anything else – the Flash client in the browser will still see the Flash code in a .jpg file and run it. Adobe does not want to change this, because they say it would break Flash.

    The only way for websites that allow user-generated code to operate in a safe way is to take advantage of the “same origin policy”. Basically the website itself should be on one domain, and the user-generated content should be served from another domain. In this context mytrashgossip.com and ugcmytrashgossip.com are different domains – but mytrashgossip.com and content.mytrashgossip.com are not.


    Steve Gibson gives a detailed presentation on the risks at:

    http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/sn0225.mp3

    Skip the first 44 mins if you are only interested in this topic.

    Show notes: http://www.grc.com/sn/sn-225.htm

    *http://en.wikipedia.org/wiki/ActionScript
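
The renamed-SWF case described in the post above, seen from the upload handler's side: an added example (not part of the original thread) that checks an upload's leading bytes against the image type its file name claims. The function names, the allow-list and the sample byte strings are assumptions constructed for illustration.

```python
import struct

# Leading bytes of the formats involved. An SWF file starts with "FWS"
# (uncompressed), "CWS" (zlib) or "ZWS" (LZMA), then a version byte and a
# 4-byte little-endian length field.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Hypothetical allow-list mapping accepted extensions to expected content.
EXTENSION_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring any file name."""
    if len(data) >= 8 and data[:3] in SWF_SIGNATURES:
        return "swf"
    for kind, magics in IMAGE_SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return "unknown"


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept an upload only if its bytes match the image type its name claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TO_TYPE.get(ext)
    if claimed is None:
        return False, "extension not on the image allow-list"
    actual = sniff_type(data)
    if actual == "swf":
        return False, f"SWF header (version {data[3]}) in a file named as {claimed}"
    if actual != claimed:
        return False, f"content is {actual}, name claims {claimed}"
    return True, "ok"


# Constructed sample inputs (not real files): a bare SWF header and a PNG header.
SAMPLE_SWF = b"FWS" + bytes([9]) + struct.pack("<I", 64) + b"\x00" * 56
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("avatar.jpg", SAMPLE_SWF), ("avatar.png", SAMPLE_PNG)]:
        print(name, check_upload(name, blob))
```

A header check like this only catches the plainly renamed file; it complements serving user content from a separate domain, as the post describes, and does not replace it.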


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 96,211 Mod ✭✭✭✭Capt'n Midnight


    get flashblock for firefox

    seriously is there a real need for 99% of flash, most of it is bandwidth stealing advertising or eye candy

    also the bandwidth in patching adobe products all the bleedin time


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    I use it and it (https://addons.mozilla.org/de/firefox/addon/433) is good - but on a website one isn't familiar with, which flash blobs do you enable, to see the content, and which might be malware? :-(

    Hopefully HTML5 will put flash out of business anyway.

