Flash Vulnerabilities Affect Thousands of Sites

An anonymous reader sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."
  • Proprietary, huh? (Score:5, Informative)

    by palegray.net ( 1195047 ) <<philip.paradis> <at> <palegray.net>> on Sunday December 23, 2007 @12:33AM (#21795734) Homepage Journal
    Quoth the headline: "that's the price to pay for depending on proprietary solutions..."

    There are open source implementations of the Flash protocol; I'm running Gnash [gnashdev.org] as my SWF player on Ubuntu 64, and it works just fine. Your mileage may vary.

    • Re: (Score:3, Informative)

      Oh, and by the way, those who wish to create Flash content may want to have a look at this site [mtasc.org].

      • Re: (Score:2, Informative)

        by Anonymous Coward
        Actually, you would want to look at haXe [haxe.org]; mtasc was AS2.
    • How many times since you've installed it (when was that?) has a Flash applet failed to work at all, or been obviously buggy?
    • by Jack9 ( 11421 ) on Sunday December 23, 2007 @01:31AM (#21796030)
      Even open source implementations are vulnerable to XSS.

      Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

      In summary, "Phishing can work against Flash apps." Specifically, the article says someone at Google documented something about XSS working against Flash apps...being really light on the details. This could apply to Google's stock market Flex charting, for example. Adobe hasn't done anything about it and didn't respond to EMAIL inquiries about it.
      My question is who asked The Register, to troll against Adobe? AND how did it get posted on /. /Lemme know if I missed something.
      • Re: (Score:3, Insightful)

        Even open source implementations are vulnerable to XSS.

        Firefox + NoScript FTW. Filters XSS even from sites you've otherwise whitelisted (which does *very* rarely cause a problem, but you can manually override if necessary.)
      • Flash danger (Score:5, Informative)

        by SoopahMan ( 706062 ) on Sunday December 23, 2007 @07:04AM (#21796990)
        One major issue with Flash is its ability to insert scripts into the actual page.

        Say I want to read your email. I send you an email with a Flash animation in it. You read it and your webmail verifies there's no dangerous scripts in my email - but it's much harder to verify my Flash I sent you is safe. Which I'm counting on because I've put code in that creates a script tag in the webpage, downloads my dangerous script, and sends me your cookies. Now I can read your email.

        Flash has been getting a free pass on security for a long time. Time for things to tighten up on the web viewer more widely installed than Internet Explorer.
        • Re: (Score:3, Informative)

          by ckorhonen ( 1207018 )
          But surely the web-mail client shouldn't allow active content such as JavaScript or Flash to execute in the first place?

          I've never seen one which does this, for that very reason, as this study seems to prove:

          http://www.campaignmonitor.com/blog/archives/2006/01/the_truth_about_1.html [campaignmonitor.com]

          This issue isn't really the fault of Flash, but more web applications not validating their input and allowing the user to insert HTML tags where they shouldn't.
    • Re: (Score:3, Informative)

      by bcrowell ( 177657 )
      There are open source implementations of the Flash protocol; I'm running Gnash as my SWF player on Ubuntu 64, and it works just fine. Your mileage may vary.
      I tried Gnash, and it didn't work on the flash pages I tried it on. Although there are open-source development tools for flash, such as mtasc and haxe, there are a lot of obstacles, both legal and technological, that anyone will encounter if they try to do OSS development on the flash platform. If you want to generate AS3, the only OSS compiler is hax
      • Re: (Score:2, Informative)

        by quetwo ( 1203948 )
        Actually, you may want to take a look at Flex. Adobe open-sourced their compiler, and the SDK to create SWF files. Flex (starting with version 3), is open source, /and/ fully supported by Adobe on Linux, Mac and Windows.
        • Actually, you may want to take a look at Flex. Adobe open-sourced their compiler, and the SDK to create SWF files. Flex (starting with version 3), is open source, /and/ fully supported by Adobe on Linux, Mac and Windows.
          Thanks for the info -- that's very interesting. However, there's some pretty objectionable stuff in the EULA [adobe.com], including "2.6.1 No Modifications, No Reverse Engineering." That really doesn't fit my definition of OSS.

          The EULA for the SWF spec [adobe.com] also states that "You may not use the Specifi

      • Realistically, if you want to learn to develop flash using an OSS toolchain, you have a long, hard road ahead of you

        Step 1: go to http://labs.adobe.com/technologies/flex/sdk/ [adobe.com]
        Step 2: Download the open-source Flex Compiler.
        Step 3: Profit.

        Yep, that was long and hard...
    • by Deanalator ( 806515 ) <pierce403@gmail.com> on Sunday December 23, 2007 @03:01AM (#21796352) Homepage
      The problem isn't that adobe has a poor implementation of the flash protocol. If that was the case, they could just patch the issues (like in the past). These issues stem from the protocol itself, and that it is very liberal on how it defines access control. This is not something that can be fixed by open source. Even if gnash did have a top notch security team (which I doubt, since it sounds to me like they are still having trouble getting swf to parse safely), they would need to redefine much of the protocol, add proper mandatory access controls. Doing this in a way that would not break existing flash applets would be a huge pain in the ass. Not to mention having to go back and change everything again once adobe releases a new version.
      • Re: (Score:3, Insightful)

        by imr ( 106517 )
        There is one nice Free Software alternative to Flash as a streaming video embedded applet, it's cortado [flumotion.net].

        The problem is that it lacks a little more work to be always stable and some more to get other codecs like speex incorporated. But the developer is gone and nothing has been developed since 2006. So it could be a nice project to pick up for someone with knowledge in Java, who wants to do some useful work for the Free Software users instead of only relying on Free alternative to the Flash player which wo
      • Re: (Score:3, Insightful)

        by mha ( 1305 )
        Why is this article that doesn't explain ANYTHING, gives no references, and shows no hint of KNOWLEDGE on the part of the author, but only lists stereotypes, labeled "insightful"? I'm missing any insights!

        The guy even calls Flash a "protocol"! This is the OPPOSITE of insight!!!
    • Re: (Score:3, Insightful)

      by Lennie ( 16154 )
      I think there are definitely other reasons why an open source mentality is important.

      Who thinks anyone will be working on this grave security issue during the holidays?

      If it was an open source project, I think it would be more likely a (or few) developer(s) would be.

      I could be wrong of course.

      What do you think?
  • It burns a lot of CPU time, uses a lot of bandwidth, crashes browsers, and - not for the first time - has serious security issues.

    On Firefox, there's an extension called Flashblock [mozilla.org]. It blocks Flash by default, but allows you to re-enable it on a page-wide or applet-by-applet basis. Several other extensions will do the same thing.

    In IE7, you can double-click a spot in the status bar (third box, right to left, of the boxes just to the left of the security zone indicator (the thing that usually says Internet)) or open the Add-on Manager from Tools in the command bar or menu bar, and disable or enable the Flash ActiveX control. This will globally enable or disable flash, but doesn't take effect on a given page until that page is refreshed. Alternatively, the third-party add-on IE7Pro has applet-by-applet flash blocking.

    I realize that some sites need it, and on those there's nothing you can do about this problem except hope Adobe updates their software ASAP. For everywhere else though, do yourself a favor and block it.
    • Re: (Score:3, Informative)

      Opera - F12, deselect "Enable plugins"

      whitelist sites via right-click, edit site preferences

    • by gnuman99 ( 746007 ) on Sunday December 23, 2007 @12:56AM (#21795872)
      You can say the same about Java, Javascript, Ruby, Python, browsers in general. Just revert back to using lynx I guess, but that had a remote hole as well! Actually 2 remote holes,

      http://secunia.com/advisories/17372/ [secunia.com]
      http://secunia.com/advisories/17216/ [secunia.com]

      That is with just a text-only browser.

      So, should we go back to using
          echo -e "GET / HTTP/1.1\nHost: slashdot.org\n\n" | netcat slashdot.org 80

      Kinda sucks!

      Clearly one of the answers is to limit the browser to sub-user access. I think that is what Vista tells us is happening there. Debian doesn't do that by default. But then I'm not sure how easy it would be to limit iceweasel (firefox) to not executable stuff except known plugins, etc...

      As for the solution to problems like this, it is clearly the client that needs patching!! A client needs to handle ALL cases without allowing someone to compromise information, etc.

      There is a balance between security and usability. You can't have both perfect at the same time.
      • Re: (Score:3, Funny)

        by Tumbleweed ( 3706 ) *
        So, should we go back to using
                echo -e "GET / HTTP/1.1\nHost: slashdot.org\n\n" | netcat slashdot.org 80

        Kinda sucks!


        Eff that. Gopher's still going strong!
      • There is a balance between security and usability. You can't have both perfect at the same time.
        I don't know if this is necessarily true. I see no evidence that the two are mutually exclusive, particularly when they are related to two separate parts of the program -the GUI and the rendering engine. Remember that scriptable web browser development is only a couple decades old -we're still in the pre-Model T era.
    • Re: (Score:3, Informative)

      Comment removed based on user account deletion
    • by taviso ( 566920 ) *
      Interesting that you consider flashblock a security tool (I use flashblock as well, but simply to suppress the onslaught of distracting ads).

      If there was a vulnerability discovered in flash player, flashblock would provide little protection, to demonstrate my point, install flashblock and click here [decsystem.org] (harmless testcase). Did flashblock prevent flash player from crashing, or taking down firefox?

      (to pre-empt replies, yes i do know about noscript)
  • by noidentity ( 188756 ) on Sunday December 23, 2007 @12:46AM (#21795802)
    Funny, I've been using a permanent workaround since way before these were discovered: don't install Flash. As a bonus, you get notified with a blank screen when visiting a website with no useful content, so you don't waste any time trying to figure out how the hell to navigate it.
    • Which is just one site that does things in Flash that I certainly _do_ find useful...
    • by mha ( 1305 )
      I'm not sure why you would call my multimedia learning website - http://letexa.com/ [letexa.com] - not useful. Well, sure, the current content there may indeed not be useful to you, but I'd say that is a question of the actual content and not of the concept in general.

      Please tell me how YOU would deliver multimedia content on the Internet - and I'm not talking about stupid youtube videos (as someone who doesn't even own a TV I could subscribe to the view such content is indeed useless). In addition to audio/video Flash
      • Interesting you get into that "live like a monk" rejection of people rejecting advances after rejecting all of YouTube without knowing that it also contains stuff like galaxy simulations, the millennium simulation, internal cell working simulations.....

        Those who simply reject TV out of hand are no better than those who reject cars or buying bread.

        *I* like multimedia, and so do others, period.

        Except for TV.
      • by Jamu ( 852752 )
        To be fair, your website doesn't display a blank screen. On my client, at least, it displays "Error: No Flash!" on an otherwise blank page. Astonishingly some websites have blank pages for their website's entry page! These might be what the parent to your post is describing. The kind of website that works on the webdesigner's computer and by luck on anything else.
      • I'm not sure why you would call my multimedia learning website - http://letexa.com/ [letexa.com] - not useful.
        Huh? Your website isn't flash-only (or even flash-heavy, as far as I can tell with no flash player installed). The comment does not apply.
  • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Sunday December 23, 2007 @12:50AM (#21795828) Journal
    /. delivers proprietary flash content to us via a proprietary ad network. Does that make /. evil too?
  • Why was the book released before the patch? "The vulnerabilities are laid out in the book Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions. It is due to hit store shelves soon, but is already in the hands of many security professionals. The book's authors, who work for penetration testing firm iSEC Partners as well as for Google, say a web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites." "The authors have been working since the summer with
    • Why was the book released before the patch?

      Probably because they have a deadline for their book and it seems you answered your own question in your post with ..."The authors have been working since the summer with Adobe, the developer of Flash, and the United States Computer Emergency Readiness Team to coordinate a remedy. But so far there is no estimate when patches may be released. A security update Adobe released this week for its Flash player doesn't fix the vulnerabilities, Stamos said. Adobe represent

      • by CalTrumpet ( 98553 ) on Sunday December 23, 2007 @02:36AM (#21796256)
        Howdy... I'm actually one of the contributors to the book. We have been working with Adobe and CERT for a while on this issue, and we felt that as much time as is reasonable had elapsed since the initial reporting. The disclosure of security vulnerabilities is always a complicated ethical issue, and you have to weigh the public's right to know with the possibility that a speedy fix may reduce the overall damage from disclosure. Even with several months of work, "patching" the vulnerabilities is complicated, since the issues exist in the SWF files themselves and not in Flash player, so the only solution is for website owners to re-generate their Flash applets with the updated generators, which should be out shortly.

        A more formal vulnerability report is being co-ordinated with CERT and should be out soon with the details of the issues.
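Added example, not part of the original thread or the book: a Python inventory script for the first step that the summary ("combing through website directories for SWF files") and the comment above (re-generating applets) both imply, namely listing every SWF under a web root. It identifies files by the SWF header signature rather than by extension and does not test for the vulnerabilities themselves, whose details the page does not give; the sample tree, file names and the oldest-first ordering are assumptions made for illustration.

```python
"""Inventory SWF files under a web root, identified by signature (added example)."""
import os
import struct
import tempfile
import time
from dataclasses import dataclass

# The first three bytes of every SWF file name its compression scheme.
SIGNATURES = {
    b"FWS": "uncompressed",
    b"CWS": "zlib-compressed",
    b"ZWS": "LZMA-compressed",
}


@dataclass
class SwfInfo:
    path: str
    compression: str
    version: int              # SWF format version byte from the header
    declared_length: int      # uncompressed length the header claims
    size_on_disk: int
    mtime: float
    extension_mismatch: bool  # SWF content stored under a non-.swf name


def read_swf_header(path):
    """Return (compression, version, declared_length), or None if not SWF."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None  # unreadable file: skip it rather than abort the sweep
    if len(head) < 8 or head[:3] not in SIGNATURES:
        return None
    (length,) = struct.unpack("<I", head[4:8])  # little-endian uint32
    return SIGNATURES[head[:3]], head[3], length


def inventory(web_root):
    """Walk web_root and return SwfInfo records, oldest file first."""
    found = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            header = read_swf_header(full)
            if header is None:
                continue
            st = os.stat(full)
            found.append(SwfInfo(
                path=full,
                compression=header[0],
                version=header[1],
                declared_length=header[2],
                size_on_disk=st.st_size,
                mtime=st.st_mtime,
                extension_mismatch=not name.lower().endswith(".swf"),
            ))
    # Oldest first: an assumption that older builds are the likeliest to
    # predate a fixed authoring tool and should be re-generated first.
    return sorted(found, key=lambda info: info.mtime)


def format_report(items):
    """Render one line per SWF for review by the site owner."""
    lines = []
    for info in items:
        day = time.strftime("%Y-%m-%d", time.gmtime(info.mtime))
        flag = "  [not named .swf]" if info.extension_mismatch else ""
        lines.append(f"{day}  v{info.version:<3} {info.compression:<16} "
                     f"{info.size_on_disk:>8} B  {info.path}{flag}")
    return lines


if __name__ == "__main__":
    # Constructed sample tree so the script runs offline.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "marketing"))
        samples = {
            os.path.join("marketing", "banner.swf"): b"CWS\x08" + struct.pack("<I", 4096),
            "intro.dat": b"FWS\x06" + struct.pack("<I", 64) + b"\x00" * 56,
            "readme.swf": b"plain text, wrong extension",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        for line in format_report(inventory(root)):
            print(line)
```

Run it against a copy of the document root; files it lists under a non-.swf name would be missed by a search on extension alone.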

        • "patching" the vulnerabilities is complicated, since the issues exist in the SWF files themselves and not in Flash player, so the only solution is for website owners to re-generate their Flash applets with the updated generators, which should be out shortly.

          Why exactly is this not considered a problem with the flash player itself if it is executing code it shouldn't be? Fixing the swf files themselves doesn't really solve the problem if it is still possible to create malformed swf files which can later b

        • by Gnavpot ( 708731 )

          "patching" the vulnerabilities is complicated, since the issues exist in the SWF files themselves and not in Flash player

          Oh, so you are the person behind this "vulnerable content" nonsense?

          How can you seriously describe untrusted content as "vulnerable"?

          The software which is handling the content can be vulnerable. The content itself can contain an exploit of this vulnerability.

          This can be fixed in two ways:

          1. Fix the vulnerability in the software which is handling the content. This is the right way.

          2. Con

          • by Gnavpot ( 708731 )
            Argh.

            #2 should read:
            2. Continue using vulnerable software and do only accept CONTENT from [...]
  • I've RTFA and even the comments, and I still don't understand.
    • malicious strings are injected into the legitimate code through a technique known as cross-site scripting, or XSS.

      It needs to make use of a cross site scripting vulnerability to inject the code needed to expose the flaw in flash files. If I RTFA right, the flash files themselves don't necessarily need to contain the code in of themselves but can be made vulnerable with the XSS vulnerability. Which I suppose makes sense, XSS vulnerabilities are associated with code injection that can cause some very bad

  • Heise [heise-security.co.uk] points out that youtube FLV files are generated by youtube from other videos, but seems to leave open the possibility that FLV video files could be malicious in their own right on other sites. Clearly player programs could be malicious (or vulnerable) but what about the videos themselves?
  • by Max Threshold ( 540114 ) on Sunday December 23, 2007 @12:55AM (#21795858)

    Attack scenarios work something like this: A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer's authentication cookies or login credentials to be sent to the attacker.

    Huh? So this is some kind of phishing attack? Exactly how is Flash involved, and what should we be watching out for? (Other than never entering important data into a form we reached by clicking... always good practice.)

  • Flash fails worse than the blink tag. It feels like a system hacked on top of a system of broken systems. It's the single most frustrating "feature" to hit the web since the blink tag. To me, flash can be used in one of three ways, in decreasing amounts of popularity:

    1) It provides a mechanism for young impressionable web designers to splatter their so called design spunk all over my screen in one gigantic wank-off-fest. Usually, resulting in pages that are so unusably bad, I can't begin to fathom how they
    • To me, flash can be used in one of three ways, in decreasing amounts of popularity:

      Nice rant, but you seem to fail to realize that the web, and computer software in general, tend to fall in the same sort of categories. That's just the way it is. Don't forget Sturgeon's Revelation, "90 percent of everything is crud." (Though I believe this estimate to be conservative, and certainly the adjective chosen is much more polite than is usually quoted.)

      I'd rather have the possibility of having those few brilliant F
    • You forgot #4. Flash content can be created for off-line use. I make a very comfortable living designing tutorials and simulations in Flash that are self contained and thus aren't exposed to these supposed vulnerabilities.
  • I need some example code. Uh, for my research.
    • I need some example code. Uh, for my research.

      It's all in the book. You just have to buy it...

      More seriously, I don't care who the authors are, who they are working with, when it was discovered, or when the official patches will be out. I care about disclosure so I can rectify or mitigate the problem, and that's something the "good guys" have not done. So far, I've read a fucking marketing extract, designed to drum up some interest in a little fund-raiser for the boys? *My* computers, networks, servers, and
  • by Twillerror ( 536681 ) on Sunday December 23, 2007 @02:36AM (#21796252) Homepage Journal
    From what little I can get from the article this seems like just another cross site scripting attack.

    Although this can "help" an attacker steal information the end user still has to click a link provided by the attacker that tricks the user into thinking they are on someone else's site and seeing content that site generated.

    Cross site scripting attacks are not to be laughed off, but they do tend to get overexaggerated. When is the last time you clicked on an email link sent to you out of the blue...and then stuck in your user name and password.

    People could just as easily fall for attacks like this that don't even change the URL. Not to mention that this has to upload the payload to a server. Meaning you can steal people's information, but it has to go to an IP somewhere. Maybe if law enforcement would get off their behinds and go after these f'ers it wouldn't be such a big issue.

    All the anti-flash posts need to get down voted. I could easily say that Jscript sucks because of all the various security issues it has had over the years, but it isn't useful or productive. Flash is what flash is...you don't like it...don't install it and shut up and let the rest of us use it.
    • "When is the last time you clicked on an email link sent to you out of the blue...and then stuck in your user name and password."

      Therein lies the problem. You assume that it requires you to do that. Simple XSS hacks take you to a page where you login. Advanced (read real) XSS hacks take you to pages where you have already logged in. Say, for example, an e-mail system. They do it using a hidden iFrame, so you never even see it. Then the script can "browse" the site looking for key bits of information and will then pass it on to a malicious site via a hidden post. You will never even be aware that the hack has taken place.

      • by jafiwam ( 310805 )
        So does this still require a malicious site?

        Or is flash on a web page (say, a bank) along with a normal form with a post command to the online banking server also threatened?

        Basically, what I want to know is if with a flash enabled browser on my bank's online banking login web site with their crappy annoying SWF file, do I gotta disable Flash to be safe?
        • That is correct. The bank site doesn't have to have any malicious code on it. The hacker would "inject" the malicious code in it via the weakness. More than likely, there would be a malicious site involved, just to send the data to, but it is not necessary.

          For example, PayPal was the target of an attack like this and the user was sent to PayPal's site... the certificate even checked out, but the injection attack still allowed the data to be stolen nonetheless. And that wasn't even using Flash.

          Bill
  • by RAMMS+EIN ( 578166 ) on Sunday December 23, 2007 @03:33AM (#21796448) Homepage Journal
    My feelings about Flash are kind of mixed. On one hand, it's proprietary technology. Specifications have, at some point, been published, but I don't think they are current, and there certainly isn't a full-featured implementation from anyone other than Adobe. This is bad.

    On the other hand, looking at what Flash does, and at other technologies that do these things, it seems to me that Flash is clearly technologically superior. I don't know how large the browser plugin is these days, but the one that used to come with Opera used to be very small, and yet provide features that web masters are trying to kludge together with AJAX and whatnot, and for which the W3C has come up with the gargantuan SVG, which has even more elephantine implementations. Flash is the clear winner here.

    And then, of course, there is the misuse of Flash for things where Plain Old HTML would be much better. But then again, if Flash were a widely-implemented open standard (rather than a widely-implemented proprietary technology which yet leaves some users in the cold), perhaps such use wouldn't be _mis_use.

    So, all in all, I think that Flash would be _great_ if it weren't proprietary...but the fact that it _is_ proprietary is a real obstacle.
  • Flash != Evil (Score:5, Insightful)

    by ckorhonen ( 1207018 ) on Sunday December 23, 2007 @06:13AM (#21796826) Homepage
    I really would like to hear details of the 'vulnerability' just so I can begin checking our code and performing an assessment of whether or not this is a credible and realistic threat to the security of our customers.

    In the past, many vulnerabilities have been reported on the Flash player, but most of them follow a similar kind of theme - the rogue SWF file must be created with third party authoring tools, and/or modified in a hex editor, in order to put the malicious code in there to begin with. In addition, due to the security sandbox and crossdomain restrictions, it needs to be downloaded from your site anyway. So, it's perfectly possible for a SWF to wreak havoc on a user's machine, the only caveat is that someone within a company, with access to the web servers and source code, would need to have created it in the first place - something I'm sure is indicative of a larger problem!

    Oddly, most non Flash/web developers tend not to see it that way - I have a beautiful MP3 of a conversation I had with one of our 'Security' people who just consistently ranted on about undisclosed vulnerabilities as a reason not to use Flash in a project.

    In my years of working with the web and the Flash platform, I have not yet seen a single workable exploit that could present a credible threat to the majority of Flash users on the web, not without the user or the site already being compromised in some manner.

    The only somewhat grey area is where Flash is used for online advertising, but you will find that most of the main publishers out there are aware of this and perform some level of code review on ads before they go live - I work for a bank and we don't run any 3rd party adverts without seeing the sourcecode and decompiling any SWF assets provided.

    Really guys, the Flash platform isn't the cloud of evil you are making it out to be. Granted, it has been used for some really annoying things in the past, but used right, it can really help to deliver a friendly, usable and engaging user experience. In addition, in Adobe's hands we have seen it become more open than ever before - Flex, AMF, Tamarin, all released as open source in the past year. I'd be surprised if this trend does not continue.

    • by flajann ( 658201 )
      I have mixed feelings about Flash. I think Flash has the potential to deliver amazing content, but so far the use of Flash has been mostly abysmal. 99% of Flash usage seems to be simply for doing eye-catching -- and also CPU-sucking -- advertising. Almost never do I see Flash used to truly enhance the user experience in a way that HTML never could.

      On the other hand, having a consistent platform to launch a web application without worry from all the browser differences is a definite plus. But even here Fla

    • by Gnavpot ( 708731 )

      In my years of working with the web and the Flash platform, I have not yet seen a single workable exploit that could present a credible threat to the majority of Flash users on the web, not without the user or the site already being compromised in some manner.

      So you think that the user's Flash security should depend on whether the site he is visiting has malicious intent?

      We are normally measuring web browsers against another standard:
      A web browser must be so secure that visiting a site with malicious int

  • condom of the digital age?
  • by cherokee158 ( 701472 ) on Sunday December 23, 2007 @09:53AM (#21797796)
    I'm so tired of Flash rants I could puke a big steaming puddle of CSS. Flash is bad because bad designers use it to make bad websites...yet bad designers make crappy HTML sites all the time. Flash is bad because it crashes the browser...yet Java (or whatever the latest buggy cross-platform solution of the moment is) is the second coming despite its chronic habit of doing the same thing. Flash is bad because it's proprietary...except that it isn't: the SWF file format was open-sourced a long time ago. Flash is bad because it isn't search engine friendly...yet one of the most popular websites in the world used it to reinvent how we experience video on the web. SVG is better, for reasons only geeks can appreciate...but no one supports it, so who cares?

    In my opinion, every web technology sucks pretty mightily, for one reason or another. They are either abused by malevolent advertisers or 13 year olds, not supported uniformly by all platforms or browsers, and are a pain in the ass to design with. Dynamic HTML is a bad joke. Javascript invented pop-up hell. And praise CSS all you like, it's a strategy only a programmer could love. You can't center things reliably with it no matter how many hoops you jump through. That's something even HTML 1.0 could manage.

    My own clients LOVE Flash sites. They insist on them. They want animations, and sound, and websites that look the same in every browser. (Flash's ability to proportionately scale content to the window is a thing of beauty, and one of the most underused talents of the plug-in. Why some Flash designers insist on manipulating the window size instead is beyond me) The only people who don't love Flash sites are other programmers. And I'm more than happy to take their business.

    Hating Flash for bad Flash sites is like hating scientists for making gunpowder possible. Live in a teepee or run a casino...your choice.

    • Re: (Score:3, Insightful)

      by Sloppy ( 14984 )

      Flash is bad because bad designers use it to make bad websites...yet bad designers make crappy HTML sites all the time.

      HTML doesn't have the expressive power to be dangerous. Go ahead and make a bad site with HTML and be as malicious as possible: you still can't do anything really dangerous. At worst, you might exploit a browser bug; but that will be a problem with the browser, not the format and the intended expressive power of HTML. Flash, in stark contrast, now allows the author to resize browser wi [youtube.com]
