Even Flash Can Get Viruses 277
Mechel Conrad writes: "Heise Online(German) writes about a Virus called SWF/LFM-926.
It consists of a Macromedia Flash movie and seems to be the first of its kind.
It uses Flash's scripting language in order to open a debug terminal creating and executing a file called V.COM, which infests other .SWF Files.
Although the virus is not very dangerous and not widespread yet, it suggests clear security holes in Flash." The translation of the Heise article is quite readable, too. Update: 01/08 22:47 GMT by T : bdavenport adds: "this report on Yahoo lists a new Shockwave virus as low grade due to the need of manual downloading. infoworld is reporting that McAfee has upgraded to high risk after several Fortune 500 firms have reported it in the wild, arriving as an email attachment."
Why Infect Flash? (Score:2, Insightful)
Maybe its just a case of "I can do it, so I must"? It's not like ActionScripting can be used in DoS attacks or to steal your credit card. Wouldn't you need to need a system to get the credit card number and another to actually send it somewhere?
I'm clueless here. Help me out.
Re:two classes of files: (Score:3, Insightful)
If there's a buffer overflow in the program rendering it, it could very well be an infectious file.
MultiPlatform Viruses? Java good for this? (Score:2, Insightful)
everything can get viruses (Score:4, Insightful)
The reason anything can get a virus is because programs still have direct control over the IP ( instruction pointer ). This is a fatal flaw found in most OS's. Programs should be ran inside of a VM with tight security. Of course performance calls for some apps, especially servers to be ran in compiled code, but this should not be the default. If such an app needs to be installed or run the OS should prompt the user warning them of such activity.
Another flaw is the fact that we are still using a basic file system. Whether it's fat32, ntfs, or ext2 it is still just placing a byte stream on a disk, managing the name, where it starts and where it ends. Lets evolve a little. The file system should be more like a database. It should be able attach any number of properties to a file. It should be able to manage security at any level, and it should be able to isolate files from process to process.
Imagine if when a program installs it has access to it's portion of the file system and that is it. It couldn't see the rest if it wanted to. Installed programs could get quotas. They sure as hell wouldn't be able to start overwriting executables all over the place.
You could argue that good user level security could solve these problems, but it's obviously not enough since so many viruses simply find away around it.
I could go on and on about how OS's treat applications wrong. But the main point is that they treat them like friends when they are really strangers. The answer is to take control away from the app, and put it back in the OS. Perl and Java are a good start ( since they are both interrupted in a way), but obviously more work needs to be done.
Re:McAfee (Score:3, Insightful)
Unfortunately, EVERYTHING that is important is under that account. Everything that's NOT under the account was installed from my Debian CD's.
Limited damage means limited only to the most important files on my machine in this case.
Re:Yow (Score:2, Insightful)
The bottom line is that Flash is not an effective tool for creating websites. This is what HTML was designed for. With Flash, there are two things that particularly get my goat:
The Forums are an example of Flash used in moderation, and JavaScript used in debatable moderation. I have no problem with it; it does add to the site having those tables light up blue, but it's also not particularly necessary. Mostly the site is very usable, and while there are a lot of images, it doesn't take a hugely long time to load. I think the person who designed the gamer.net.nz site and subsites needs a lesson in accessibility, because his sites are great if you can run Flash and feel like waiting for all the images to load, but get a browser like Opera 6, assume you don't have the flash plugin, and disable images so it loads faster, and you'll get a broken frontpage, and semi-broken threads in the forums because you have to use the horizontal scroll so much--the only thing this guy knows how to do is eye-candy.
The only real gripe I have against JavaScript is the open() function. A lot of people seem to think it's a really great idea to have links open in a new window using this function. I'm all for opening in a new window; I do it on my site [dnip.net] all the time--and you'll notice I use basic JavaScript for the image rollovers in the title, because they markedly add to the visual effect of the site without increasing much in the download time. But hey, there's already this great attribute called "target" in the <a> tag! Use it! I loathe sites where I right-click, open a window in the background without checking its exact href in the status bar of my browser, and going back to it a few seconds later expecting it to have loaded and finding a blank page with "javascript:open(window.crap)" in the address bar.
Just my little rant. Please mod down accordingly.