Adobe Flash Exploit Could Log Keystrokes
Kenyon Lessi writes "Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.
The problem affects Adobe Flash Player versions 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms."
Great... (Score:5, Funny)
Re: (Score:1, Insightful)
Re:Great... (Score:5, Insightful)
Re: (Score:1, Funny)
Re: (Score:2)
Re:Great... (Score:5, Informative)
There are some cases where ads will be pulled or targeted for a specific reason, such as no ads at all on plane crash stories, or no MSN ads on AOL pages. But it would be far too costly to make an exception like that for a flash ad on a page about flash insecurities.
Re: (Score:2)
Full Article (Score:3, Informative)
By Dawn Kawamoto [mailto], CNET News.com
16/07/2007
URL: http://www.zdnetasia.com/news/security/0,39044215, 62028443,00.htm [zdnetasia.com]
Adobe has issued three critical security updates [adobe.com], one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.
Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.
Users
Re: (Score:1)
Sorry, a *what*? (Score:4, Informative)
Sorry, a Flash-what?
Oh, it must be one of those things we are missing, as users of:
Adblock [mozilla.org] plugin (stops ads, be it Flash, Javascript or plain pictures)
Adblock+ [mozilla.org] plugin (fork with different features but similar purpose)
Adblock Filterset.G updater [mozilla.org] plugin (updates the whitelist/blacklist of the above - no more need to configure manually, just install and forget)
or NoScript [mozilla.org] plugin (selectively inhibits Javascript, Java and Flash following a whitelist/blacklist),
FlashBlock [mozilla.org] plugin (prevents Flash embeds from auto-starting; the user must click on placeholders to start them),
or Gnash [gnashdev.org] GPL Flash player (GNU page [gnu.org]) (an open source player which not only has an option to prevent Flash from autostarting, but also probably isn't even affected by the exploit of TFA),
SWFDec [freedesktop.org] GPL Flash decoding library (another open source plugin for browsers which probably isn't affected by the exploit either),
or not installing a Flash player at all and using SaveTube [savetube.com] to watch Flash videos.
I think most geeks haven't seen an ad for years and anyway have many means at their disposal to avoid being exploited by Flash bugs.
Re: (Score:2)
Re: (Score:2)
You may be interested in the Adblock family of plugins, then: they completely remove the plugins and most other ad-related elements around them.
Not only is the ad gone, but it doesn't take up screen estate anymore.
You can also additionally try grease monkey for the last few "Advertisement
Re: (Score:2)
I manage pretty much OK with Flashblock and Firefox's own "block all images from..." option. Google ads and the like don't bother me particularly (except when someone styles them to look like navigation - that one got me yesterday).
My biggest worry with going down the Adblock route is whether sloppily-coded (i.e., most) layouts will break once the ads disappear. Have you had any problem with this?
Sloppily coded layouts (Score:2)
You're welcome.
Adblock works by stopping access to external objects. Any object: <img>, <embed>, <object>, <script>, <frame>, <iframe>, etc.
Think of it as an upgraded "Block images from".
Almost any web site stores ads as an external object that is included
You're forgetting Privoxy (Score:2)
"Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes."
Re: (Score:2)
1. Get adplus+ for Firefox
2. Select the easylist option when you restart Firefox
I find this much easier to convince a n00b that it's really quite simple to never see ads again. Filterset.g is fine, but easylist is pretty damn good IMO and much more organized.
Linky ? (Score:2)
It might be interesting.
Thank you a lot.
Always So Negative (Score:5, Funny)
</sarcasm>
Re:Always So Negative (Score:5, Funny)
Re: (Score:2)
Re: (Score:2, Insightful)
they should Open Source the player. That would solve most of their problems.
The only bit that is worth anything is the Flash IDE designer thingy.
If it was opensource it'd be a great stop gap between HTML + JS (now) and HTML + SVG + JS (future). It'd also help fight Silverlight, which is gunna take over the world if we aren't careful :-(
Any other ideas for spreading multi-media web without using Java (ugh) Flash (ugh) or Silverlight (hm...)?
monk.e.boy
Re: (Score:3, Interesting)
Anyone know if they've fixed this somehow?
Re: (Score:2)
Speaking on channel 0 is identical to speaking in public; anyone can hear you, anyone can record what you're saying. It's still a legal violatio
Re: (Score:2)
Re: (Score:2)
Time to update! (Score:3, Funny)
http://www.agavegroup.com/images/articles/adobeUp
Does it affect Flash Lite/Wii users? (Score:4, Informative)
Re:Does it affect Flash Lite/Wii users? (Score:5, Funny)
Re:Does it affect Flash Lite/Wii users? (Score:5, Informative)
Since no one else will just answer the darn question, I will.
The answer is that it may technically affect the Wii. However, it is a practically useless exploit on such a device. For one thing, the system does not multitask, so the only keypresses that could be trapped are the ones already available through Javascript or Flash. Secondly, there are no keypresses. Flash does not receive anything as a keypress, while Javascript is capable of receiving the Wii Remote buttons as if they were "keys".
Information placed in text fields cannot be logged, as it is handled by a "stop-the-world" on-screen keyboard. (Oddly, the Flash player does not run while the keyboard is on the screen, but scheduled Javascript events continue to execute in the background. Go figure.) Since neither Flash nor Javascript can interact with this keyboard, the user is pretty safe from having their passwords or credit card information stolen. The only real exploit is the old-fashioned social engineering exploit, i.e. trying to get someone to enter their information into a compromised Flash movie or webpage, which does not require a security exploit to accomplish.
Re: (Score:2)
Did the flash exploit affect you:
Shake your WiiMote side to side for "NO" and Up and down for "YES".
If the answer is being typed in for you by the exploiter...well choose the "Taco" option.
NoScript blocks Flash (Score:5, Informative)
That's all well and good for browsers. (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Monopoly (Score:4, Informative)
The Flash monopoly is probably worse than the Internet Explorer monopoly (which is slowly dissolving). While the file format is semi-open to the public, you have to agree to a license that prevents you from writing your own Flash player from the documentation - it only allows you to write exporters. When you get past that you'll find a file format that is hideously obfuscated. Variable-bit-length integers mean that your data isn't even byte-aligned. The documentation does very little to help you figure out why a seemingly valid Flash file just doesn't render correctly in the player.
It pisses me off because Flash really has a lot of exciting stuff to offer, yet they can run the development at their own pace, writing shitty players with security holes (not to mention that they're still software-rendering graphics in the year 2007). Even though my primary computer has Linux installed, I find myself hoping that the new Windows Silverlight [wikipedia.org] will give Flash a lot of healthy competition. It doesn't seem like any open source projects are close to rivaling Flash yet.
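The "not even byte-aligned" remark above refers to the SWF RECT structure: a 5-bit field gives the bit width, and the four coordinate fields that follow each use exactly that many bits, so every field after the first starts mid-byte. The reader below, written for this thread as an added example and not code from the post's author or from any Flash player, parses the header of an uncompressed ("FWS") file up to the frame count. The sample bytes are constructed here (a 550x400 stage in twips, 24 fps, one frame); the bounds check in `read_ub` is the part a parser fed untrusted files needs, since reading past the end of an undersized buffer is exactly the class of defect the thread attributes to the players.

```python
import struct


class BitReader:
    """MSB-first bit-field reader, as SWF requires. Fields are not byte-aligned:
    a field may begin in the middle of one byte and finish inside the next."""

    def __init__(self, data, byte_offset=0):
        self.data = data
        self.pos = byte_offset * 8  # current position in bits

    def read_ub(self, nbits):
        """Unsigned integer of nbits bits; refuses to read past the buffer."""
        if self.pos + nbits > len(self.data) * 8:
            raise ValueError("bit field runs past end of data")
        value = 0
        for _ in range(nbits):
            byte = self.data[self.pos >> 3]
            bit = (byte >> (7 - (self.pos & 7))) & 1
            value = (value << 1) | bit
            self.pos += 1
        return value

    def read_sb(self, nbits):
        """Signed two's-complement integer of nbits bits."""
        value = self.read_ub(nbits)
        if nbits and value & (1 << (nbits - 1)):
            value -= 1 << nbits
        return value

    def align(self):
        """Advance to the next byte boundary (RECT is zero-padded after Ymax)."""
        self.pos = (self.pos + 7) & ~7

    def byte_offset(self):
        return self.pos >> 3


def read_rect(reader):
    """SWF RECT: Nbits (UB[5]) then Xmin, Xmax, Ymin, Ymax as SB[Nbits], in twips."""
    nbits = reader.read_ub(5)
    xmin = reader.read_sb(nbits)
    xmax = reader.read_sb(nbits)
    ymin = reader.read_sb(nbits)
    ymax = reader.read_sb(nbits)
    reader.align()
    return nbits, xmin, xmax, ymin, ymax


def parse_swf_header(data):
    """Parse signature, version, length, FrameSize RECT, FrameRate (8.8 fixed) and FrameCount."""
    if data[:3] != b"FWS":
        raise ValueError("only uncompressed FWS files are handled here")
    version = data[3]
    file_length = struct.unpack_from("<I", data, 4)[0]
    if file_length != len(data):
        raise ValueError("declared file length does not match data size")
    reader = BitReader(data, 8)
    nbits, xmin, xmax, ymin, ymax = read_rect(reader)
    off = reader.byte_offset()
    if off + 4 > len(data):
        raise ValueError("header truncated after RECT")
    frame_rate_raw, frame_count = struct.unpack_from("<HH", data, off)
    return {
        "version": version,
        "file_length": file_length,
        "rect_nbits": nbits,
        "stage_width_px": (xmax - xmin) / 20,   # 20 twips per pixel
        "stage_height_px": (ymax - ymin) / 20,
        "frame_rate": frame_rate_raw / 256,
        "frame_count": frame_count,
        "header_size": off + 4,
    }


# Constructed sample (not taken from any real file): "FWS", version 9, length 21,
# RECT with Nbits=15 for (0, 11000, 0, 8000) twips = 550x400 px, 24 fps, 1 frame.
SAMPLE_SWF = bytes.fromhex("465753" "09" "15000000" "7800055F00000FA000" "0018" "0100")

if __name__ == "__main__":
    for key, val in parse_swf_header(SAMPLE_SWF).items():
        print(f"{key}: {val}")
```

Note how the RECT occupies 65 bits (5 + 4 x 15) and is padded to 9 bytes: byte 3 of the RECT (0x05) holds the last four bits of Xmin and the first four of Xmax, which is what makes hand-inspecting these files so painful.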
Re: (Score:2, Insightful)
You're hoping that Flash will be displaced by Silverlight, a Microsoft offering? Seriously?
Say what you want about Adobe but at least Flash is available for more than Windows and OSX, which are the only two OSes that Silverlight will be available on.
Not only do Adobe produce Linux players, they also produce a Solaris player. Good luck trying to get either of
Re: (Score:2)
Re: (Score:2)
They've said that they'll develop the Windows and MacOS players first and then, at some time in the future, they'll eventually release a Linux player. Call me a cynic but I think that Linux player will either A) never see the light of day; or B) be very poorly coded and virtually unsupported.
But, to be honest, do you want browsers (and web developers) bogged down by even more stuff? Yet another file format that adds nothing to the party doesn
Re: (Score:2, Informative)
Re: (Score:3, Insightful)
Re: (Score:2, Funny)
Re: (Score:2)
Silverlight will give Flash a lot of healthy competition != will be displaced by Silverlight
I *think* the op believes that such competition will be beneficial to the end users ... having a choice often is... I may be wrong...
Good news, bad news (Score:2)
The bad news: the keylogger bug on certain old Flash players (the one most of you seem the most worried about) is specific to the Linux and Solaris models. Windows and MacOS/OSX only got the other bugs.
The current alternatives.... (Score:2)
an open-source project which develops a Flash player which can be run stand-alone, be embedded inside a web browser using appropriate plug-ins, or integrated into bigger projects using extensions. Supports OpenGL and Cairo as hardware-accelerated renderers. Also has an option not to auto-start playing the flash crapnimations.
an open-source library for decoding Flash, which also comes with a browser plugin.
T
Speaking of other stuff apart from Flash (Score:2)
If we are speaking of technologies OTHER than Flash, we may also mention SVG [wikipedia.org], which can be scripted for animations,
either using a simple XML extension like SMIL for timing an animation (and producing something like old versions of Flash or a vector equivalent of .MNGs),
or going for a Turing-complete language and using scripting like JavaScript with DOM (see the SVG Tetris [croczilla.com]).
Re: (Score:2)
With so many security holes, there must have been lots of exploits that have taken advantage of them.... viruses spread via them, privacy data leaked, computers crashed.... right?
Only problem is, I can't seem to find much evidence online of that actually happening.
Maybe you could help me out by pointing me at such evidence?
Go ahead. I'll wait.
Evidence (Score:2)
If Adobe is openly fixing security holes, then there likely were security holes.
You're right. Sort of. (Score:2)
But as it's still the single most widespread platform on the end-user internet available and the only MM platform that runs on all major desktop OSes it will remain at the top. And for good reasons to
Re: (Score:2)
To be honest, this is only the second time a vulnerability has been discovered in Flash. The first time was about 7 years ago with the undocumented "save" fscommand, which allowed someone to make a proof-of-concept virus that could in theory propagate through locally-stored swf files.
They've added some hardware-rendering for video, but it's granted that it's almost inexcusable not to have even an experimental,
Flash Player 9 is NOT affected by keystroke logging (Score:5, Informative)
Beautiful, but I guess this is slashdot and no one bothers to read the articles they submit. And yes, 9.0.45.0 still has a serious remote exploit flaw, but mixing these issues together is not the way to go.
Re:Flash Player 9 is NOT affected by keystroke logg (Score:2)
There are some issues with Flash video on Mozilla 1.7 on Sparc, which do not occur with Firefox on Sparc.
Re: (Score:2)
Confusing Product Names (Score:1)
So what the hell was "Shockwave", then? How is it different from "Flash" and is "Shockwave" vulnerable too?
Whoever was in charge of branding this crap should be bulldozed into a septic system.
Re:Confusing Product Names (Score:5, Informative)
In reality, it was all just marketing BS. Flash had enough features to make animation authors (and later game developers) happy, so it quickly replaced the more heavyweight Shockwave. After the acquisition of Macromedia by Adobe, they stopped trying to maintain the charade and simply called it "Adobe Flash". There are still a few vestigial pieces of the software that refer to "Shockwave Flash", but they're slowly disappearing as time goes on.
Re:"Shockwave" is still in the URL and Product Nam (Score:3, Informative)
see here: http://www.macromedia.com/software/flash/about/ [macromedia.com]
Re: (Score:1, Redundant)
Shockwave can support Flash, but Flash can't do everything Shockwave can...and Flash is cheaper. Flash probably started life as a shockwave lite. Course, doesn't help that Flash's file suffix is 'swf' which is 'shockwave flash.'
Quality (Score:3, Interesting)
You know, to be fair to Flash, I have to say that it's an incredibly well-written application overall. It's very small to download and it works very well. Heck, they actually made video consistently work on the Internet! I think you can make an argument that they are solely responsible for making video sites like YouTube viable. All video STILL sucks except for Flash.
Of course, the quality of Flash is a different question from how it's abused. :) [personally, I don't mind Flash all that much.]
Re: (Score:2, Interesting)
That's some "Real Quality Software" right there and it's great that flash is so instrumental in furthering the promise of an open, accessible web. How I wish every web page was a chunk of executable bytecode.
Re: (Score:3, Insightful)
So well written that they couldn't port it to 64bit platforms without rewriting the underlying script host from the ground up.
Portability (which has multiple dimensions) is not a measure of quality, it is a design goal that may or may not be part of the goals of a project.
Re: (Score:2)
Re:Quality (Score:4, Insightful)
Bad goals... (Score:2)
At a time when everything, including your fridge, strives to be web-enabled, I think not taking into account portability when designing a piece of code which the company hopes will take over the world as the standard format for interactive content is a clear demonstration of short-sightedness and bad design.
Also, there is no rational argument why a well designed
Re: (Score:2)
And yeah, 64-bit compliance isn't rocket science, but it isn't free either, especially when you're writing a JIT that has to generate the proper assembly code... it's a nontrivial amount of engineering and testing time.
Since the r
Re: (Score:2)
It's in a usable state now, as long as you don't need 64-bit
As mentioned before, contributors to 64-bit work would be welcomed...
Re: (Score:2)
Not sure. You should ask someone at Mozilla.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
Obviously, you aren't running a 64-bit-native version of Linux. This is either because:
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No, video STILL sucks, especially Flash. At least other formats I can force to play in VLC, which has a relatively non-sucky UI. The Flash player seems to be designed to offer no control at all, which is bloody annoying.
Re: (Score:2)
Back in the old days... (Score:5, Funny)
World's going to hell.
Did anyone read the article? (Score:5, Informative)
I for one love the fact that Flash still represents one of the few uniform platforms on the interweb with extremely limited cross-browser issues.
Re: (Score:2)
There are two exploits [secunia.com].
Version 9.0.45 (which was released in April 2007?) is still subject to buffer overflows. However, it's not vulnerable to the keystroke logging problem.
Re: (Score:2)
Perhaps that would explain why the current version is 9.0.48 (Linux) and 9.0.47 (Windows/Mac).
Re: (Score:2)
Sure, it's a uniform platform if you use one of the platforms Adobe/Macromedia deems worthy of a Flash plugin. If that's your definition of a uniform platform, then MS Office is a uniform platform as well - anyone with MS Office installed can view the documents and they look great!
Keystrokes from flash apps? (Score:2)
Positive thinking (Score:3, Funny)
Maybe if we all chant, they will hear us.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Adobe will open-source flash.
Yes.
Re: (Score:2)
Re: (Score:2)
Why doesn't this post link to Adobe? (Score:1)
Is the ActiveX affected? (Score:3, Insightful)
Personally, I don't run Flash. Time and again it has been shown to be a security risk and these new developments only strengthen that perception.
Re: (Score:2, Funny)
"We don't let people bring shotguns to work, but pistols are okay".
AMD64 (Score:4, Funny)
Does Anybody know if the 64 bit Linux version is also affected?
Oh wait...
MvE
Grrr.... (Score:2)
--
Rent solar power with no installation cost: http://mdsolar.blogspot.com/2007/01/slashdot-user
Plug for Flashblock (Score:2)
Nowadays I'm surprised how many tracking gadgets are embedded on otherwise ordinary looking pages, and I'm sure to clean out my Macromedia shared object folder from time to time...
The nice thing about flashblock is the ease with which I can play flash games and watch youtube videos -- when I'm in the mood to click through. Personally, I think something lik
Re: (Score:2)
Re: (Score:2)
That's the part that scares me: the staggering volume of information tracking companies have on me, what I buy, what I read, and where my mouse typically rests on the screen.
Ever read any of the js in those ads? They really do track your mouse movements. They send the details back by loading one pixel "images" and other tric
Re: (Score:2)
Misleading headline (Score:3, Insightful)
Headline implies that exploits were just found and still exist. Not so.
Alternatives (Score:2)
Re:Can't trust 'em (Score:5, Informative)
Re:Can't trust 'em (Score:4, Informative)
Re: (Score:2, Interesting)
I wonder if Adobe will figure that out, and open up Flash Player some more.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Actually, the keypresses only make it as far as Javascript. In order to "hear" the presses in Flash, you need to use the WiiCade API [wiicade.com], which traps all the keypresses and forwards them to Flash. There's also the earlier Quasimondo API [quasimondo.com], but it fails to trap the keypresses, making it useless under most circumstances.
Re: (Score:2)
that arbitrary code could be a key logger.