Adobe Flash Exploit Could Log Keystrokes

Kenyon Lessi writes "Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers. The problem affect Adobe Flash Player version 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms."

Great...

[6Yankee]

...and TFA has a Flash ad...

Re:

[GizmoToy]

You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash. Of course, they just want to get paid and don't really care about you, so I can't say I'm all that surprised.

Re:Great...

[Cutriss]

You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash. Of course, they just want to get paid and don't really care about you, so I can't say I'm all that surprised.

Or...maybe the world isn't as evil of a place as you think, and the people writing the article aren't the same people that develop the website? Maybe they don't even know how to use Flash and just write copy?

Re:

[Anonymous Coward]

Or maybe it is more evil and they put the article out there to lure you to the Flash ad so they could log your keystrokes.

Re:

[shawn(at)fsu]

maybe it's part of their defense. If some on gets hacked because of that banner ad, Adobe could say "Hey we warned you"

Re:Great...

[MojoRilla]

You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash.

Why? I'm sure the editorial group uses a CMS to publish these pages, and the standard template has DoubleClick ads in them. DoubleClick may or may serve out Flash ads, based on what is bought and should be served at any particular moment. This allows the advertiser to have a lot of flexibility, as they can buy only 1,000 impressions or 1,000,000 impressions, and have those ads served out over a wide range of pages. It also makes it easy for editorial people to get paid for their work, instead of having to worry about ads on every single page they publish

There are some cases where ads will be pulled or targeted for a specific reason, such as no ads at all on plane crash stories, or no MSN ads on AOL pages. But it would be far too costly to make an exception like that for a flash ad on a page about flash insecurities.

Re:

[Goaway]

So in your world, web browser vulnerabilities are only allowed to be published in print?

Full Article

[Anonymous Coward]

Adobe Flash exploit could log keystrokes
By Dawn Kawamoto [mailto], CNET News.com
16/07/2007
URL: http://www.zdnetasia.com/news/security/0,39044215, 62028443,00.htm [zdnetasia.com]

Adobe has issued three critical security updates [adobe.com], one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.

Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.

Users

Re:

[utopianfiat]

ftw [adblockplus.org]

Sorry, a *what" ?

[DrYak]

and TFA has a Flash ad...

Sorry a Flash-what ?

Oh, it must be one of those things we are missing, as users of :

Adblock [mozilla.org] plugin (stops ads, be it Flash, Javascript or plain pictures)
Adblock+ [mozilla.org] plugin (fork with different features but similar purpose)
Adblock Filterset.G updater [mozilla.org] plugin (updates the whitelist/blacklist of the above - no more need to configure manually, just install and forget)

or NoScript> [mozilla.org] plugin (selectively inhibits Javascript, Java and Flash following whitelist/blacklist),
FlashBlock [mozilla.org] plugin (prevent Flash embeds to auto-start. User must click on place holders to start them),

or Gnash [gnashdev.org] GPL Flash player (GNU page [gnu.org]) (an Open source player which, not only has an option to prevent flash from autostarting, but also isn't probably even affected by the exploit of TFA),
SWFDec [freedesktop.org] GPL Flash decoding library (another opensource plugin for browsers which probably isn't affected by the exploid either),
or not installing a Flash player at all and using SaveTube [savetube.com] to watch flashvideos.

I think most geeks haven't seen an ad for years and have anyway many mean at their disposition to avoid being exploited by flash bugs.

Re:

[6Yankee]

Yeah, I have Flashblock, actually. Doesn't mean I don't know an ad when I see one (or its placeholder), you smug smartass.

Re:

[DrYak]

Doesn't mean I don't know an ad when I see one (or its placeholder)

You may be interested in the Adblock family of plugins, then : they completely remove the plugins and most other ad-related elements around them.
Not only is the ad gone, but it doesn't take up screen estate anymore.

You can also additionally try grease monkey for the last few "Advertisement :" labels that still resist to adblock.

Re:

[6Yankee]

Thank you for the helpful response this time round.

I manage pretty much OK with Flashblock and Firefox's own "block all images from..." option. Google ads and the like don't bother me particularly (except when someone styles them to look like navigation - that one got me yesterday).

My biggest worry with going down the Adblock route is whether sloppily-coded (i.e., most) layouts will break once the ads disappear. Have you had any problem with this?

Sloppily coded layouts

[DrYak]

Thank you for the helpful response this time round.

You're welcome.

My biggest worry with going down the Adblock route is whether sloppily-coded (i.e., most) layouts will break once the ads disappear. Have you had any problem with this?

Adblocks works by stoping access to external objects. Any object : <img>, <embed>, <object>, <script>, <frame>, <iframe>, etc.
Think of it as an upgraded "Block images from".

Almost any web site stores ads as an external object that is included

You're forgetting Privoxy

[Rob Simpson]

Privoxy: [privoxy.org]

"Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes."

Re:

[rm999]

Much simpler:
1. Get adplus+ for firefox
2. Select the easylist option when you restart firefox

I find this much easier to convince a n00b that it's really quite simple to never see ads again. Filterset.g is fine, but easylist is pretty damn good IMO and much more organized.

Linky ?

[DrYak]

Could you please post a link to your bug & patch ?
I might be interesting.

Thank you a lot.

Always So Negative

[eldavojohn]

I know a lot of people are going to find something to complain about with these new bugs--no, wait--features of our beloved and adored Adobe Flash plugin but I think we should turn these lemons into lemonade and recognize all the fun things people can do with a tool like a keystroke logger:

• Get an extremely accurate analysis of your words per minute in typing.
• Search through the log and double check that you correctly entered all of your banking account numbers, credit card and personal information on all of your internet forms.
• Do searches on the log to see if you ever accidentally typed "teh" and how many times that happened.
• Compare your Letter Frequency [wikipedia.org] to the standard featured in Edgar Alan Poe's The Gold Bug

As you can see, there are many fun & great things that one can do with the potential of these new key logging features.

</sarcasm>

Re:Always So Negative

[CaptainPatent]

Wow... and you typed that post at 55 words per minute!

Re:

[PitaBred]

I think the GPP was a joke, too. We really need some sarcasm tags here...

Re:

[monk.e.boy]

they should Open Source the player. That would solve most of their problems.

The only bit that is worth anything is the Flash IDE designer thingy.

If it was opensource it'd be a great stop gap between HTML + JS (now) and HTML + SVG + JS (future). It'd also help fight Silverlight, which is gunna take over the world if we aren't careful :-(

Any other ideas for spreading multi-media web without using Java (ugh) Flash (ugh) or Silverlight (hm...)?

monk.e.boy

Re:

[UbuntuDupe]

This sounds kind of like the "exploit" in Second Life, where you can script objects to listen for commands from users, which necessarily allows you to script listening bugs -- just have it listen for whatever people say near it, and IM the results back to you. I actually wrote a few of these and ended up finding out not-too-cool things people were saying about me.

Anyone know if they've fixed this somehow?

Re:

[Andrew Kismet]

That's impossible to 'fix' by the nature of the world. If you want an object to listen for another object, you set up a listener filtered to the other object's specific name or key. There's no permissions system for general chat beyond channels, and it'd be a MAJOR inconvenience if any object had to get permission from all parties within 96m of it to listen to them.
Speaking on channel 0 is identical to speaking in public; anyone can hear you, anyone can record what you're saying. It's still a legal violatio

Re:

[elrous0]

It's also a great way to let that cute hacker down the hall know that I HAVE A VERY LARGE PENIS.

Re:

[Chapter80]

55 Words per minute? Please don't type so fast, as I am a slow reader.

Time to update!

[Anonymous Coward]

Time to update Adobe Updater so it can download the new updates!

http://www.agavegroup.com/images/articles/adobeUpd ater.gif [agavegroup.com]

Does it effect Flash Lite/Wii users?

[Organic User]

Flash Lite is used on mobile devices. I assume this effects the Flash player on the Wii?

Re:Does it effect Flash Lite/Wii users?

[EveryNickIsTaken]

This therefore begs the question.. Can a keystroke logger also log waggles?

Re:Does it effect Flash Lite/Wii users?

[AKAImBatman]

Does it effect Flash Lite/Wii users?

Since no one else will just answer the darn question, I will.

The answer is that it may technically affect the Wii. However, it is a practically useless exploit on such a device. For one thing, the system does not multitask. So if the only keypresses that could be trapped are the ones already available through Javascript or Flash. Secondly, there are no keypresses. Flash does not receive anything as a keypress, while Javascript is capable of receiving the Wii Remote buttons as if they were "keys".

Information placed in text fields cannot be logged, as it is handled by a "stop-the-world" on screen keyboard. (Oddly, the Flash player does not run while the keyboard is on the screen, but scheduled Javascript events continue to execute in the background. Go figure.) Since neither Flash nor Javascript can interact with this keyboard, the user is pretty safe from having their passwords or credit card information stolen. The only real exploit is the old-fashion social engineering exploit. i.e. Try to get someone to enter their information into a compromised Flash Movie or webpage. Which does not require a security exploit to accomplish. :)

Re:

[A_Non_Moose]

I don't know, perhaps that can be the next /poll:

Did the flash exploit affect you:

Shake your WiiMote side to side for "NO" and Up and down for "YES".

If the answer is being typed in for you by the exploiter...well choose the "Taco" option.

NoScript blocks Flash

[Matt Perry]

Once again NoScript [noscript.net] helps out here since it can block Flash. I don't run Flash on any pages that don't absolutely require it, and I find few that do. Flashblock [mozilla.org] is another option for Firefox users that only want to block Flash and nothing else. Browse safely everyone.

That's all well and good for browsers.

[AltGrendel]

But what about spam? I know that most of us here wouldn't click the link. But I've seen spam that was supposed to be from bluemountain [bluemountain.com] that had this exploit in it. Of course the headers told a different story (it originated in Poland), but my point is that you've got the usual gang of idiots that will click any link in an email if they think "Oooo, Mom send me another e-card".

Re:

[illegalcortex]

Well, your first mistake would be having an email reader that displays active content. I know I have Thunderbird to show everything as plain text. It's not "pretty", but it's safe. Of course, for 99% of emails, "pretty" is completely unnecessary.

Re:

[Matt Perry]

I find it hard to believe that any email programs would be irresponsible enough to display active content in what is essentially a push medium. If your mail client can display anything beyond basic HTML, be it processing JavaScript or rendering Flash or ActiveX, I would highly recommend you turn those settings off. Better yet, I would recommend finding a safer mail client as executing this content would show they don't care about (or don't know about) security.

Re:

[jschottm]

I'm not sure Flashblock will help in this case. As far as I can tell, it goes back after the page has finished loading and removes the Flash rather than keeping it from loading in the first place. That could be easily be long enough for an exploit to take effect. I believe NoScript's Flash blocking would work but can't say for certain.

Monopoly

[plams]

The Flash monopoly is probably worse than the Internet Explorer monopoly (which is slowly dissolving). While the file format is semi-open to the public you have to agree on a license that prevents you from writing your own Flash player from the documentation - it only allows you to write exporters. When you get past that you'll find a file format that is hideously obfuscated. Variable bit length integers means that your data isn't even byte-aligned. The documentation does very little to help you figure out why a seemingly valid Flash file just doesn't render correctly in the player.

It pisses me off because Flash really has a lot of exciting stuff to offer, yet they can run the development at their own pace, writing shitty players with security holes (not to mention that they're still software rendering graphics in year of 2007). Even though my primary computer has Linux installed I find myself hoping that the new Windows Silverlight [wikipedia.org] will give Flash a lot of healthy competition. It doesn't seem like any opensource projects are close to rivaling Flash yet.

Re:

[WIAKywbfatw]

Even though my primary computer has Linux installed I find myself hoping that the new Windows Silverlight will give Flash a lot of healthy competition.

You're hoping that Flash will be displaced by Silverlight, a Microsoft offering? Seriously?

Say what you want about Adobe but at least Flash is available for more than Windows and OSX, which are the only two OSes that Silverlight will be available on.

Not only do Adobe produce Linux players, they also produce a Solaris player. Good luck trying to get either of

Re:

[plams]

I didn't say that I wanted Flash to be killed off by Silverlight just that I wanted the competition (I agree that may be a dangerous thing to wish for when the competition is Microsoft). Also, last I checked (when it was under the name WPF/E) Microsoft claimed they'd write a player for Linux too - they seem to have dropped that :(. On another note, I just discovered JavaFX which seems like an exciting 3rd contender. Too bad it's still in alpha, but open source competition for Flash is what I'm really lookin

Re:

[WIAKywbfatw]

No, as far as I'm aware, Microsoft haven't got a Linux player yet.

They've said that they'll develop the Windows and MacOS players first and then, at some time in the future, they'll eventually release a Linux player. Call me a cynic but I think that Linux player will either A) never see the light of day; or B) be very poorly coded and virtually unsupported.

But, to be honest, do you want browsers (and web developers) bogged down by even more stuff? Yet another file format that adds nothing to the party doesn

Re:

[tkdtaylor]

Did you miss the story posted here about Mono Coders Hack Linux Silverlight in 21 Days [slashdot.org]???

Re:

[TheRaven64]

Look at IE between killing off NetScape and FireFox becoming popular. Now compare that to IE when it had competition from NetScape and later FireFox. I don't want SilverLight to win, but I'd much rather Flash had some competition, because competition helps encourage innovation.

Re:

[Nimey]

When you gratuitously BiCapitalize you look like a WanKer.

Re:

[bozone]

Silverlight will give Flash a lot of healthy competition != will be displaced by Silverlight

I *think* the op believes that such competition will be beneficial to the end users ... having a choice often is... I may be wrong...

Good news, bad news

[Anonymous McCartneyf]

The good news: Adobe makes Flash players for Linux and Solaris.
The bad news: the keylogger bug on certain old Flash players (the one most of you seem the most worried about) is specific to the Linux and Solaris models. Windows and MacOS/OSX only got the other bugs.

The current alternatives....

[DrYak]

The currently under active development alternatives are :

• Gnash [gnu.org] - (project development page [gnashdev.org])
  an open-source project which develops a Flashplayer which can be run stand-alone, be swallowed inside web browser using appropriate plug-ins, or integrated in bigger project using extensions. Supports OpenGL and Cairo as hardware accelerated renderer. Also, has an option not to auto-start playing the flash crapnimations.
• SWFDec [freedesktop.org]
  an open-source library for decoding flash, which also comes with a browser plugin.

T

Speaking of other stuff appart from Flash

[DrYak]

You missed Moonlight [mono-project.com]

If we are speaking of technologies OTHER than flash, we may also mention SVG [wikipedia.org] which can be scripted for animations.
Either using a simple XML extension like SMIL for timing an animation (and producing something like old versions of Flash or vector equivalent of .MNGs),
or going for a Turing-complete language and use scripting like JavaScript with DOM (see the SVG Tetris [croczilla.com]).

Re:

[mad.frog]

writing shitty players with security holes

With so many security holes, there must have been lots of exploits that have taken advantage of them.... viruses spread via them, privacy data leaked, computers crashed.... right?

Only problem is, I can't seem to find much evidence online of that actually happening.

Maybe you could help me out by point me at such evidence?

Go ahead. I'll wait.

Evidence

[Anonymous McCartneyf]

Have you read the fine article?
If Adobe is openly fixing security holes, then there likely were security holes.

You're right. Sort of.

[Qbertino]

Flash is a monopoly. More or less. But it's a monopoly that doeshn't suck as much as IE. In fact, I'm sure, as soon as a product shows up that is better than Flash, Flash will use marketshare inmediately. Flash gained it's position because it really *is* the best solution at hand for the stuff it's used for.
But as it's still the single most widespread plattform on the end-user internet available and the only MM plattform that runs on all major deskstop OSes it will remain at the top. And for good reasons to

Re:

[gaspyy]

writing shitty players with security holes

To be honest, this is only the second time a vulnerability has been discovered in Flash. The first time was about 7 years ago with the undocumented "save" fscommand, which allowed someone to make a proof-of-concept virus that could in theory propagate through locally-stored swf files.

they're still software rendering graphics in year of 2007

They've added some hardware-rendering for video, but it's granted that it's almost inexcusable not to have even an experimental,

Flash Player 9 is NOT affected by keystoke logging

[Anonymous Coward]

From the article: "In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected."

Beautiful, but I guess this is slashdot and no one bothers to read the articles they submit. And yes, 9.0.45.0 still has a serious remote exploit flaw, but mixing these issues together is not the way to go.

Re:Flash Player 9 is NOT affected by keystoke logg

[IvyKing]

What kind of sucks is that Flash 9 for Solaris is only available for Solaris 10, though there may be a way of getting the necessay libraries on Solaris 9. OTOH, Solaris 10 has enough advantages for desktop users (who would need Flash on a server?) so that's not a huge limitation.

There are some issues with Flash video on Mozilla 1.7 on Sparc, which do not occur with Firefox on Sparc.

Re:

[Anonymous McCartneyf]

The Windows vs. don't appear to be affected by keyloggers, either.

Confusing Product Names

[Anonymous Coward]

So I have a Flash player that acts as a plugin in my browser, right? Or is it called a Shockwave Flash player? No wait it's called "Adobe Flash Player", but I can't seem to find a version number, so I can't tell if I'm vulnerable.

So what the hell was "Shockwave", then? How is it different from "Flash" and is "Shockwave" vulnerable too?

Whoever was in charge of branding this crap should be bulldozed into a septic system.

Re:Confusing Product Names

[AKAImBatman]

Shockwave was Macromedia's original online animation plugin. It is extremely feature-rich and quite fast at what it does. It's also quite large. So when a company called FutureWave created a much smaller vector-graphics competitor, Macromedia bought them out and renamed it "Shockwave Flash" to give the impression that Flash was a subset of their Shockwave technologies. (You'll notice that the Flash movie extension is "SWF". "ShockWave Flash")

In reality, it was all just marketing BS. Flash had enough features to make animation authors (and later game developers) happy, so it quickly replaced the more heavyweight Shockwave. After the acquisition of Macromedia by Adobe, they stopped trying to maintain the charade and simply called it "Adobe Flash". There are still a few vestigial pieces of the software that refer to "Shockwave Flash", but they're slowly disappearing as time goes on.

Re:"Shockwave" is still in the URL and Product Nam

[Val314]

And I'm not having any luck finding anywhere at tells me what version of the plugin (ActiveX Control?) I'm currently running, so now I have to walk to each and every machine in the domain and install the latest manually.

see here: http://www.macromedia.com/software/flash/about/ [macromedia.com]

Re:

[Volante3192]

http://www.howstuffworks.com/web-animation6.htm [howstuffworks.com]

Shockwave can support Flash, but Flash can't do everything Shockwave can...and Flash is cheaper. Flash probably started life as a shockwave lite. Course, doesn't help that Flash's file suffix is 'swf' which is 'shockwave flash.'

Quality

[Reality Master 101]

You know, to be fair to Flash, I have to say that it's an incredibly well-written application overall. It's very small to download and it works very well. Heck, they actually made video consistently work on the Internet! I think you can make an argument that they are solely responsible for making video sites like YouTube viable. All video STILL sucks except for Flash.

Of course, the quality of Flash is a different question from how it's abused. :) [personally, I don't mind Flash all that much.]

Re:

[Anonymous Coward]

So well written that they couldn't port it to 64bit platforms without rewriting the underlying script host from the ground up. [mozilla.org]

That's some "Real Quality Software" right there and it's great that flash is so instrumental in furthering the promise of an open, accessible web. How I wish every web page was a chunk of executable bytecode.

Re:

[Reality Master 101]

So well written that they couldn't port it to 64bit platforms without rewriting the underlying script host from the ground up.

Portability (which has multiple dimensions) is not a measure of quality, it is a design goal that may or may not be part of the goals of a project.

Re:

[Jeffrey Baker]

If an application cannot simply be recompiled on a 64-bit host then it is programmed incorrectly. End of story.

Re:Quality

[Mister Whirly]

You sir, are not a programmer. End of story.

Bad goals...

[DrYak]

Portability (which has multiple dimensions) is not a measure of quality, it is a design goal that may or may not be part of the goals of a project.

At a time when everything, including your fridge, strives to be web-enabled, I think not taking into account portability when designing a piece of code which the company hopes will take over the world as the standard format for interactive content, is a clear demonstration of short-sightness and bad design.

Also, there are no rational argument why a well designed

Re:

[mad.frog]

The purpose of Tamarin wasn't to support 64-bit platforms. (In fact, it's still not 64-bit compliant, though work on that is underway. Want to help out?) It was written because the old scripting engine was slow and cranky and it was easier to write a new one than patch the old one.

And yeah, 64-bit compliance isn't rocket science, but it isn't free either, especially when you're writing a JIT that has to generate the proper assembly code... it's a nontrivial amount of engineering and testing time.

Since the r

Re:

[mad.frog]

Ah, ok.

It's in a usable state now, as long as you don't need 64-bit :-)

As mentioned before, contributors to 64-bit work would be welcomed...

Re:

[mad.frog]

What about the SpiderMonkey integration work, how's that going?

Not sure. You should ask someone at Mozilla.

Re:

[TheRaven64]

There are a few projects that really show up Java. One is Flash. Another is Squeak, which manages to run Smalltalk fast enough that you can run video CODECs written in Smalltalk on it even on slightly old hardware. I think the Squeak team really dropped the ball on the whole web thing; a Squeak plugin could have been an incredible platform for rich client-side development (Squeak is still one of the best development environments around), but they concentrated on desktop replacement instead.

Re:

[Peganthyrus]

Sadly this quality does not extend to the program one uses to create it. The editor is prone to trashing your source files every so often.

Re:

[Lord Ender]

Flash ... actually made video consistently work on the Internet!

Obviously, you aren't running a 64-bit-native version of Linux. This is either because:

• You have a really old computer
  
• You are wasting processing power running a 32-bit version of Linux on a new CPU
  
• You are running Windows or OSX, in which case you aren't qualified to comment on the relative coolness of technologies :-)

Re:

[IvyKing]

Obviously, you aren't running a 64-bit-native version of Linux.

Not sure if that is more of an indictment of Linux or Flash. Flash runs fine on 64 bit Solaris - but 64 bit Solaris apparently does a better job of running 32 bit binaries than Linux.

Re:

[whoever57]

I have a 64-bit-native Linux desktop. Flash works on it, through the magic of nspluginwrapper.

Re:

[PitaBred]

Seconded. And Flash 9 works perfectly in Konqueror and Firefox, no sound issues or anything.

Re:

[hcdejong]

All video STILL sucks except for Flash.

No, video STILL sucks, especially Flash. At least other formats I can force to play in VLC, which has a relatively non-sucky UI. The Flash player seems to be designed to offer no control at all, which is bloody annoying.

Re:

[klui]

I used to hate Flash video until YouTube, Google, and all the popular sites implemented a volume control. There are still sites that don't have a control and audio comes through at full blast, regardless of what my Sound control panel is set at. How lame is that?

Back in the old days...

[TheTranceFan]

You know, back in the old days we only had linear keystrokes, and they worked fine for us. Now it's all about the log keystrokes with the kids these days.

World's going to hell.

Did anyone read the article?

[popo]

This isn't a bug in the latest flash plugin... only older ones.

I for one love the fact that Flash still represents one of the few uniform platforms on the interweb
with extremely limited cross-browser issues.

Re:

[stefanlasiewski]

This isn't a bug in the latest flash plugin... only older ones.

There are two exploits [secunia.com].

Version 9.0.45 (which was released in April 2007?) is still subject to buffer overflows. However, it's not vulnerable to the keystroke logging problem.

Re:

[Farmer Tim]

Version 9.0.45 (which was released in April 2007?) is still subject to buffer overflows.

Perhaps that would explain why the current version is 9.0.48 (Linux) and 9.0.47 (Windows/Mac).

Re:

[Penguin Programmer]

I for one love the fact that Flash still represents one of the few uniform platforms on the interweb with extremely limited cross-browser issues.

Sure, it's a uniform platform if you use one of the platforms Adobe/Macromedia deems worthy of a Flash plugin. If that's your definition of a uniform platform, then MS Office is a uniform platform as well - anyone with MS Office installed can view the documents and they look great!

Keystrokes from flash apps?

[Nazlfrag]

Down left down down space space right up space space space space esc

Positive thinking

[TheDarkener]

Not that this security hole has much at all to do with it, but I strongly believe in positive thinking.

Maybe if we all chant, they will hear us.

Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.

Re:

[Penguin]

Wow! you actually created a text mode version of a typical flash ad...

Re:

[TheDarkener]

I disagree - nowhere in the text did I mention Bonzai Buddy, free iPods OR how big J-Lo's butt is.

Why doesn't this post link to Adobe?

[snsr]

Maybe it's my hang-over, but linking to a flash embedded page (as mentioned above) and having to click again to get to the fix is annoying. /bitch

Is the ActiveX affected?

[smooth wombat]

We don't allow people to install Flash on their systems here at work but we do provide the ActiveX component to run Flash. Is it affected as well? The article doesn't say.

Personally, I don't run Flash. Time and again it has been shown to be a security risk and these new developments only strengthen that perception.

Re:

[FranTaylor]

Exactly.

"We don't let people bring shotguns to work, but pistols are okay".

AMD64

[Sunshinerat]

Does Anybody know if the 64 bit Linux version is also affected?

Oh wait...

MvE

Grrr....

[mdsolar]

But at least the linux version number is higher that the others. This is as it should be. Develop for linux first then port to the less important OSs.
--
Rent solar power with no installation cost: http://mdsolar.blogspot.com/2007/01/slashdot-users -selling-solar.html [blogspot.com]

Plug for Flashblock

[spottedkangaroo]

I've been using flashblock [mozdev.org] since the very first time (almost 8 years ago) flash scared the shit out of me with unexpected and LOUD sounds from an ad.

Nowadays I'm surprised how many tracking gadgets are embedded on otherwise ordinary looking pages and I'm sure to clean out my macromedia shared object folder form time to time...

The nice thing about flashblock is the ease with which I can play flash games and watch youtube videos -- when I'm in the mood to click through. Personally, I think something lik

Re:

[deek]

I second the recommendation about flashblock. I've been using it for years myself, not because I've been worried about any flash issues, but because it stops those garish flash ads, and obnoxious flash sites. It seems that most flash designers prefer showy designs, rather than usable ones. Therefore, I prefer not to show flash.

Re:

[spottedkangaroo]

I fail to see how the sandbox keeps people from logging your surfing habits and building a database that forwards the intersting details to a 3rd party...

That's the part that scares me: the staggering volume of information tracking companies have on me, what I buy, what I read, and where my mouse typically rests on the screen.

Ever read any of the js in those ads? They really do track your mouse movements. They send the details back by loading one pixel "images" and other tric

Re:

[mlts]

I delete the directory that the Flash player stores its shared objects in, and create a file with the exact same name. Now, Flash works normally, but sites that try to store persistant stuff when they shouldn't are totally blocked from doing so.

Misleading headline

[mad.frog]

More accurate would be "Adobe Issues Fixes For Flash Exploit That Could Log Keystrokes"...

Headline implies that exploits were just found and still exist. Not so.

Alternatives

[Trogre]

Okay people it's time we started seriously contributing to the Gnash project so people who want flash content have some alternative to run it on.

Re:Can't trust 'em

[also-rr]

If you don't trust adobe you could always install the open source Flash plugin swfdec [sf.net]. It's come on a lot recently and now plays most things. Hopefully the heavy pace of development will continue - I'm seeing about 5 commits per day adding new stuff on the mailing list.

Re:Can't trust 'em

[X0563511]

Thanks for linking to the project webpage which redirects to a wiki. Next time link to the sf.net project page [sourceforge.net] and let us choose to go to the homepage ourselves rather than fight with sf.net.

Re:

[Touvan]

This is very interesting. Like the Java clones before it, this project (swfdec), and gnash show how popular closed source projects have their own way of encouraging something similar to the dreaded "forking" that corporations fear so much. What's interesting about Java is that opening the source seems to have reversed that trend, and we now see some attempts to unify the many Java code bases.

I wonder if Adobe will figure that out, and open up Flash Player some more.

Re:

[Constantine XVI]

I believe the buttons on the Wiimote map to a few keys (for use in Flash games) and the pointer just picks up as a mouse. That's about it.

Re:

[AKAImBatman]

I believe the buttons on the Wiimote map to a few keys (for use in Flash games)

Actually, the keypresses only make it as far as Javascript. In order to "hear" the presses in Flash, you need to use the WiiCade API [wiicade.com], which traps all the keypresses and forwards them to Flash. There's also the earlier Quasimondo API [quasimondo.com], but it fails to trap the keypresses, making it useless under most circumstances.

Re:

[SpaceLifeForm]

If it can be exploited to run arbitrary code,
that arbitrary code could be a key logger.