Even Flash Can Get Viruses
Mechel Conrad writes: "Heise Online(German) writes about a Virus called SWF/LFM-926.
It consists of a Macromedia Flash movie and seems to be the first of its kind.
It uses Flash's scripting language in order to open a debug terminal creating and executing a file called V.COM, which infests other .SWF Files.
Although the virus is not very dangerous and not widespread yet, it suggests clear security holes in Flash." The translation of the Heise article is quite readable, too. Update: 01/08 22:47 GMT by T : bdavenport adds: "this report on Yahoo lists a new Shockwave virus as low grade due to the need of manual downloading. infoworld is reporting that McAfee has upgraded to high risk after several Fortune 500 firms have reported it in the wild, arriving as an email attachment."
McAfee (Score:5, Informative)
Looks like it isn't very likely to succeed - it needs Windows NT and the stand alone version of the flash player.
Just proof of concept really.
Re:McAfee (Score:1, Redundant)
this one was probably just a test, although I am guessing they did not want to be on the radar until they had a bigger badder version that affected all OS's.
my $.02
Re:McAfee (Score:2, Interesting)
It's probably a minor change for Win9x/WinMe.
I don't know anything about the Flash scripting language - but it is using OS tools to do the actual infection of other files...this makes it less likely to be very cross-platform.
Re:McAfee (Score:1)
Re:McAfee (Score:2, Informative)
Re:McAfee (Score:2)
Limited, how? Most viruses don't try to reformat drives or get r00t. Is it not within the average Linux/UNIX user's power to send an email, or create/modify a file? That's all that's needed to spread the modern virus. Don't kid yourself that a Linux virus can't do damage. Most Outlook users aren't logged in as Administrator either, yet those viruses still did real damage, in terms of bandwidth and email noise.
Re:McAfee (Score:3, Insightful)
Unfortunately, EVERYTHING that is important is under that account. Everything that's NOT under the account was installed from my Debian CD's.
Limited damage means limited only to the most important files on my machine in this case.
That vulnerability is purely theoretical... (Score:5, Funny)
Apologies, it's hard to find the original links since l0pht got up in the morning, put on a suit, and became @stake [atstake.com]
Hello. Wake up. Theoretical vulnerabilities become real, nasty, exploited vulnerabilities very fast. I assume you read comp.risks?
Looks like it isn't very likely to succeed
LOOKS LIKE? It's a done deal. Somebody has exploited a widely-distributed scripting engine. The people who did it as a "proof-of-concept" have proven that the interpreter for this language is wide-open and gagging for a jolly good rogering. I wonder how many unchecked buffers there are in that code. I wonder how it handles multi-byte characters. I desperately hope it wasn't written in C.
I sit here as a smug old Unix hacker, secure in the knowledge that lisp and Smalltalk programs are unlikely to be attacked in the same way that C programs are.
I'm also sure I'm wrong.
Re:That vulnerability is purely theoretical... (Score:2)
No, of course not. They'll be attacked in new and interesting ways.
I'm also sure I'm wrong.
Aren't we all. Nice to see someone admit it though
Re:I Am Very Confused - Y2k bug Again? (Score:2)
That was a virus which propagated using a file purported (i.e. had a subject line and fake file extension) to be a SWF but was actually an ordinary virus (EXE/VBS/WhoCares). This new one is actually a SWF which can use the scripting features within the SWF viewer.
Apples and pears, mate. Consider yourself lucky you've been replied to not down-modded.
Phil
Let's Just Pray That We Can't Get Foot & Mouth (Score:2, Funny)
Cross Platform? (Score:2, Interesting)
Re:Cross Platform? (Score:3, Informative)
Re:Cross Platform? (Score:1)
Someone has found a way to make Flash act outside the boundaries of its sandbox, and this should make everyone worry.
At least a little bit.
Build it, and they will... (Score:5, Funny)
Cheers,
Ethelred
Small but important addition (Score:2)
haven't you learned yet... (Score:2)
We all know who They are. We all understand that. No need to protect their so-called "innocence" by playing the pronoun game. They are making the viruses; They are bringing evil into our hearts; They are holding us down.
Protest against The Man, I will not let The Man hold me down!
It may be readable but this is in english (Score:3, Informative)
Sorry, ./ mangled my url (Score:2, Informative)
translation (Score:3, Informative)
What do you expect? (Score:1, Flamebait)
People can do some cool things with Flash, yes. They can also do many annoying things, and finally they can do some dangerous things, as evidenced by this article.
Yet another victory for Lynx users. When was the last time you heard of a terminal-based text-only browser bringing down a Unix system? ;)
two classes of files: (Score:1, Interesting)
unsafe files: vbs, exe,
I cannot comprehend the shift towards risk (macros in
Re:two classes of files: (Score:3, Insightful)
If there's a buffer overflow in the program rendering it, it could very well be an infectious file.
Re:two classes of files: (Score:3, Informative)
Additionally there are quite some different gif and jpg parsers out there, but the number of useful Flash-Players is rather limited (1 comes to my mind). So if you'd be able to make a gif file that runs arbitrary code on the machine that views it, it would most probably be targeted only on this gif-reader software (and this version, and this platform, and
And I think the checks for malformed GIF and JPEGs are rather strict in most image-loading libraries, 'cause defect GIFs and JPEGs are known to exist.
Why Infect Flash? (Score:2, Insightful)
Maybe it's just a case of "I can do it, so I must"? It's not like ActionScripting can be used in DoS attacks or to steal your credit card. Wouldn't you need to need a system to get the credit card number and another to actually send it somewhere?
I'm clueless here. Help me out.
Re:Why Infect Flash? (Score:2, Offtopic)
Although the worm does not delete files, it can clog e-mail networks and take e-mail servers offline. Cleaning up files that have been relocated and renamed could also waste considerable man hours, Nolan said.
like most viri written by 1337 script kiddies, the real aim appears to create confusion and waste people's time/money. the "I Love You" virus didn't have a real payload, but boy did it do a job on the mail servers of many corporations. several friends' companies lost several days of work b/c their employees like to click EXEs. this will be the same. plenty of people send funnies with SWF files - with the virus infecting via that cute pink icon, expect plenty of people to click away.
Re:Why Infect Flash? (Score:2)
Take a look at the correlation between virus companies' stocks, and the discovery of new virus.
Re:Why Infect Flash? (Score:2)
Well my guess would be this person is as sick of flash being abused by websites for annoying ads as I am. I'd love to be able to tell MSIE to remove Flash and never re-install it, but this seems impossible. Maybe if we get firewall-level blocking of Flash due to this virus, I might be happy.
Re:Why Infect Flash? (Score:2)
It infects other SWF files, but this really just means that it can do whatever it wants, including becoming an attack not traceable to the actual source.
Re:Why Infect Flash? (Score:2)
I'm sure most of the virus authors nowadays still have the same mentality. I don't think they do it for some pragmatic reason. Just because they can. It's the stupidity in its pure form.
Proof of Concept (Score:2)
I would guess that the initial reports were simply proof of concept. It shows that something beyond what would be expected is possible. It proves that it is also possible to create something with a viral nature. From that point, it is simply a matter of devising a more... selective... payload. The advantage to infecting Flash files is that the format hadn't previously been considered a potential infection vector. It is (was) now a new way to attack your target - be that target a specific entity (individual, corporation, government, etc) or the world at large (glory seeking).
On the subject of proof-of-concept virus and trojans - I would argue that most virus / trojans in the wild are similar proof of concepts. They are attempts to shock the internet-using public and make them aware of their insecure environment. They do this by infecting hosts and then touching, but rarely damaging, data. It's a digital counting coup - "look at what I could have done if I had wanted to."
Of course, it also proves that you don't have to destroy data to gain notoriety. If you did, I wouldn't be surprised to see more damaging payloads.
Why Infect Acrobat? (Score:2)
What was the first macrovirus called? The Concept [sc.edu] virus. I imagine that's not really a coincidence. It was proof that you can implement a fairly complex algorithm on a fairly simple system.
If viruses weren't so destructive, it'd be pretty darn impressive - and it probably is for the sociopaths who design viruses. It's like putting a 3-d rendering engine on a TI-85 calculator. As it is, I wish they'd just make the viruses and keep them to themselves as theoretical ideas except when they can serve some useful purpose.
So...how about some useful flash stuff? I'd like to see some of these fairly difficult ideas implemented in flash:
A 3-d polygon based fighting game
A C compiler (or some other high-level language compiler)
A database
An emulator of some old, archaic system
Those would be way more newsworthy than a virus, IMHO. Anybody heard of any of those in Flash?
Yow (Score:1, Flamebait)
We've seen it before and we'll see it again.
For this reason, please do the following:
DO NOT support sites that use Flash
DO NOT support sites that use Java
DO NOT support sites that use ECMAscript
DO NOT support sites that use Quicktime
And the same for other plugins! Plain HTML is the only safe alternative.
Re:Yow (Score:1)
DO NOT support sites that use Java
DO NOT support sites that use ECMAscript
DO NOT support sites that use Quicktime
So in other words, you don't like a god damn soul... :-/ ;-)
Re:Yow.... really.... (Score:2, Offtopic)
And you truly believe that plain, boring, run-of-the-mill HTML is what has brought grandma, grandpa, your niece, and Ubu the dog onto the internet?
High-level scripting languages like Flash, Java, JavaScript, etc., have brought the Internet into a "slicker" dimension... one that appeals to the masses rather than just technodweebs.
Ok, so you say: "Why do I care if they've made the Internet popular with the masses? Fsck 'em, the Internet is made for technodweebies like me anyways!"
Why do you think you can get broadband for $40/mo instead of having to get a T1 at $800/mo? Why do you think you can get $400 off your next computer when you sign up for online access? Why do you think computer prices are falling rapidly and performance is growing just as quick? None of that would be happening if computers, driven by the desire for the Internet, weren't booming.
{/rant}
MadCow
Re:Yow.... really.... (Score:2)
The Web has long ceased to be a place of any interest for most people - at least outside of ebay.
Re:Yow.... really.... (Score:2)
Flash in particular seems to coincide with either content-free sites, or incomprehensible "artistic" navigation. Java and Javascript I don't have a particular grudge against, apart from speed (Java) and security (Java and JavaScript) issues.
Anyway, I can't get broadband for $40/mo, and last time I looked, there was a fairly significant downturn in the last 18 months in the PC market.
you date yourself (Score:2)
And it's plain old boring HTML that still brings them online. The most visited sites don't use those bullshit technologies to tart up their sites. They have reasons that people go there, and it's not just to say "ooh, pretty".
Your argument is absurd. It's like claiming that a man pays to be with a whore because he admires her makeup.
Re:Yow (Score:1)
World's over, I'm going back just to reading books and writing my code on a legal pad with a pencil and having someone else type it in.
Re:Yow (Score:2, Insightful)
The bottom line is that Flash is not an effective tool for creating websites. This is what HTML was designed for. With Flash, there are two things that particularly get my goat:
The Forums are an example of Flash used in moderation, and JavaScript used in debatable moderation. I have no problem with it; it does add to the site having those tables light up blue, but it's also not particularly necessary. Mostly the site is very usable, and while there are a lot of images, it doesn't take a hugely long time to load. I think the person who designed the gamer.net.nz site and subsites needs a lesson in accessibility, because his sites are great if you can run Flash and feel like waiting for all the images to load, but get a browser like Opera 6, assume you don't have the flash plugin, and disable images so it loads faster, and you'll get a broken frontpage, and semi-broken threads in the forums because you have to use the horizontal scroll so much--the only thing this guy knows how to do is eye-candy.
The only real gripe I have against JavaScript is the open() function. A lot of people seem to think it's a really great idea to have links open in a new window using this function. I'm all for opening in a new window; I do it on my site [dnip.net] all the time--and you'll notice I use basic JavaScript for the image rollovers in the title, because they markedly add to the visual effect of the site without increasing much in the download time. But hey, there's already this great attribute called "target" in the <a> tag! Use it! I loathe sites where I right-click, open a window in the background without checking its exact href in the status bar of my browser, and going back to it a few seconds later expecting it to have loaded and finding a blank page with "javascript:open(window.crap)" in the address bar.
Just my little rant. Please mod down accordingly.
Scripting Security (Score:3, Interesting)
Re:Scripting Security (Score:2)
Re:Scripting Security (Score:2)
Right. But a scripting language, that can't get out of its sandbox is rather useless (except for some special cases like Flash). A scripting language without a sandbox is of course much worse.
But there are two ways a script can get out of a sandbox (in some languages there is only one ...):
As I said a scripting language without an official way out of the Sandbox is rather limited. In Java (not strictly a scripting language, but the Sandbox I'm most familiar with) an Applet can escape the Sandbox if it is both signed and gets the permission by the user (the signing part can be skipped, but therefore you have to modify client settings). We all know that the permission of the user is only a problem of social engineering and virus authors are pretty good in this (or at least good enough for Joe Outlook-User out there).
The signing part is actually quite good. A virus author would have to get a valid, certified key from a Certification Authority (like Verisign) and sign the Virus with this key ... well, this obviously would be stupid, except if he is planning to find out about life in prison pretty fast.
Now the really big problems arise when a [scripting] language allows a script/program to escape the sandbox, when it is not signed (or is signed with a self-signed certificate), even when it does so after a big red flashing DONT-EVER-DO-THIS sign, where the user has to enter a 12-digit prime number he has to calculate from a formula that is printed on page 123 of his handbook ... in reverse, using polish translation. Nothing of this would prevent the user from executing harmful, unknown code.
Actually I just remembered a third method, or rather a combination of the first two: A bug in the Certification-Check-System. IIRC Netscape had some in their 4.x-releases that allowed any valid Signature to verify the validity of any host and not just that of the host it was made for.
Re:Scripting Security (Score:2)
ITYM would have to break into the machine of _anyone_ who happens to have an already valid signing key (gosh - wonder how many people with one of them keep it on an unsecured Windows box on a broadband link. Only needs to be one).
After that it's a matter of distributing the virus before the owner of the key realises it's been 'borrowed'. That is soooooo unlikely, sure.
Linux (Score:1)
I don't feel bad (Score:1)
Maybe you should feel bad (Score:2)
Don't forget that Flash runs on Linux and Macs as well. With a little smarts, folks can write cross-platform viruses (if Flash can create a script file and arrange to have it executed by the user who is running the browser).
Anyone know whether the Linux Flash plugin is vulnerable to this attack?
Creation of Files? (Score:1)
Norton Users - Something to note (Score:2, Informative)
One important thing to note on this webpage...we should add .swf to the extensions that we scan. Hopefully that will help protect us in the future of more dangerous flash viruses that are sure to come.
Java applet viruses? (Score:3, Interesting)
Re:Java applet viruses? (Score:4, Interesting)
It could happen if some company would give away the private keys for a trusted company and then use that key to sign a modified and dangerous version. (Say like a rooted version of Yahoo chat or something like that, that has to be trusted to run right.)
Re:Java applet viruses? (Score:2)
I don't think that this disqualifies it as a virus. The user may accept that the program may "access the local file system", but he certainly doesn't want it to trash his harddisk.
Additionally I'd keep in mind that "Users don't read documentation" which can be generalized to "Users don't read.", so Joe Average won't be interested what the message box says that stops him from playing with this cool "web thingy" (which in technical terms could be described as a Java Applet), he just wants to find out which button he must press for the warning dialog to go away.
Re:Java applet viruses? (Score:2)
Technically even the outlook 'worms' are not viruses as they require user to run the offending attachment in order to propagate.
Trojan horses they are but as it doesn't sound as exciting as virus so.. oh well.
Re:Java applet viruses? (Score:2)
Generally viruses would attach a short jump code in the beginning of the program and then insert rest of their code to the end. Once their own code was run they would jump back to the beginning of the program and you would run it as if nothing had happened.. This is fundamentally different from the current concept of outlook 'virus' that most definitely is just a trojan horse. It does not attach itself to an existing program(no, being an attachment in an email does not count) therefore it should not be called a virus. Some macro viruses, however, are entitled to being called virus.
Then again, terms change in the course of time and to most people internet is just the web.. little do they know..
Re:Java applet viruses? (Score:2)
Maybe, since I'm not from the US I don't follow on this topic, ...
Well, there are two differences: Once shooting himself in the face and crashing his personal desktop are two different pairs of shoes. Second: I don't think scripting languages should be outlawed, I just stated the dangers.
Definitely!
Re:Java applet viruses? (Score:2)
Joe User is a complete moron and shoots himself in the face while cleaning his gun therefore all guns are dangerous and should be outlawed.
Heay! Now THERE'S an interesting solution!
Just imagine how fast viral replication would drop to near zero if we just shot every idiot that transmitted one.
(If you get infected with a virus but manage not to spread it, we'll give you the benefit of the doubt and let you live - this time! Muahahahaha)
-
Java Trojan (Score:2)
This exploit code can infect your computer with harmful executables that are sent via email attachments.
    public class ScaryTrojan {
        public static void main(String[] args) {
            try {
                Runtime.getRuntime().exec("C:\\Program Files\\Microsoft Office\\Office\\OUTLOOK.EXE");
            }
            catch (Exception e) {;}
        }
    }
But that's not an applet (Score:2)
Infoworld (Score:1)
Re:Infoworld (Score:1)
RE: Infoworld update (Score:1)
Git 'em Flash.... (Score:1)
Timely...sort of (Score:2)
Rest of the information is timely, though.
Re:Timely...sort of (Score:2)
Many scanners don't scan .swf files (Score:5, Informative)
Many virus scanners don't scan .swf files by default, so you have to update your virus signature file (which is automatic on most scanners) and reconfigure your scanner to scan .swf files (unless you already scan all files on your computer).
This means that if advanced .swf viruses are created, they could become a real problem
until system admins wake up and get a clue (and that takes a loooong time, look at Code Red)
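One way to avoid depending on an extension list at all, as an added example that is not part of the original comment: pick files by their leading bytes, so SWF content under another name and an executable named `.swf` are both caught. The function names, finding labels and sample files are constructed for illustration; the length check is a generic header sanity check, not a signature for SWF/LFM-926.

```python
"""Added example: choose what to scan by file content, not by extension."""
import struct
import tempfile
from pathlib import Path
from typing import Dict, List

# SWF header layout: 3-byte signature, 1-byte version, 4-byte little-endian
# total length. "FWS" is uncompressed; "CWS" (zlib) and "ZWS" (LZMA) come
# from later Flash versions than the one this thread discusses.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
HEADER_LEN = 8


def sniff(head: bytes) -> str:
    """Classify a file from its first bytes: 'swf', 'exe' or 'other'."""
    if len(head) >= HEADER_LEN and head[:3] in SWF_SIGNATURES:
        return "swf"
    if head[:2] == b"MZ":  # DOS/Windows executable header
        return "exe"
    return "other"


def check_file(path: Path) -> List[str]:
    """Return findings (hypothetical labels) for one file; empty means consistent."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(HEADER_LEN)
    kind = sniff(head)
    ext = path.suffix.lower()
    findings = []
    if kind == "swf":
        if ext != ".swf":
            # An extension-based scan list would never look at this file.
            findings.append("swf-content-wrong-extension")
        sig, _version, declared = struct.unpack("<3sBI", head)
        # Only the uncompressed form declares its on-disk size.
        if sig == b"FWS" and declared != size:
            findings.append("length-mismatch")
    elif ext == ".swf":
        findings.append("exe-named-swf" if kind == "exe" else "not-swf-content")
    return findings


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and return {relative path: findings} for inconsistent files."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = check_file(path)
            if findings:
                results[path.relative_to(root).as_posix()] = findings
    return results


def make_swf(body_len: int, extra: bytes = b"") -> bytes:
    """Build a constructed, minimal FWS blob (header + zero body + extra)."""
    header = struct.pack("<3sBI", b"FWS", 5, HEADER_LEN + body_len)
    return header + bytes(body_len) + extra


def demo() -> Dict[str, List[str]]:
    """Scan a temporary directory of constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.swf").write_bytes(make_swf(12))
        (root / "movie.dat").write_bytes(make_swf(12))
        (root / "padded.swf").write_bytes(make_swf(12, extra=b"\x00" * 16))
        (root / "funny.swf").write_bytes(b"MZ" + bytes(62))
        (root / "notes.txt").write_bytes(b"plain text\n")
        return scan_tree(root)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```
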
Finally! (Score:3, Funny)
A native translation.. (Score:2, Informative)
and executes self-generated programs. The parasite, baptized "SWF/LFM-926", reaches computers as
SWF-file, and after being run, infects other Flash movies while displaying the message
"Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a
file V.COM, which gets executed afterwards without confirmation.
Sophos says that the virus wasn't yet spotted "in the wild" and therefore spreading. Nevertheless,
the manufacturer of Antivirus software warns about the potential danger which lurks in the
Flash format. The Sophos website provides detailed information [sophos.com] about the parasite.
MultiPlatform Viruses? Java good for this? (Score:2, Insightful)
Re:MultiPlatform Viruses? Java good for this? (Score:2, Informative)
In a webbrowser, it only has access to a few functions, which don't include access to the file system.
However, you could wrap it up in a
mlk
everything can get viruses (Score:4, Insightful)
The reason anything can get a virus is because programs still have direct control over the IP ( instruction pointer ). This is a fatal flaw found in most OS's. Programs should be run inside of a VM with tight security. Of course performance calls for some apps, especially servers to be run in compiled code, but this should not be the default. If such an app needs to be installed or run the OS should prompt the user warning them of such activity.
Another flaw is the fact that we are still using a basic file system. Whether it's fat32, ntfs, or ext2 it is still just placing a byte stream on a disk, managing the name, where it starts and where it ends. Let's evolve a little. The file system should be more like a database. It should be able to attach any number of properties to a file. It should be able to manage security at any level, and it should be able to isolate files from process to process.
Imagine if when a program installs it has access to its portion of the file system and that is it. It couldn't see the rest if it wanted to. Installed programs could get quotas. They sure as hell wouldn't be able to start overwriting executables all over the place.
You could argue that good user level security could solve these problems, but it's obviously not enough since so many viruses simply find a way around it.
I could go on and on about how OS's treat applications wrong. But the main point is that they treat them like friends when they are really strangers. The answer is to take control away from the app, and put it back in the OS. Perl and Java are a good start ( since they are both interpreted in a way), but obviously more work needs to be done.
Re:everything can get viruses (Score:2)
I hope so. Otherwise, they'd be executing a single instruction pretty damn often :-). I hope you meant that there are too many ways for data coming into a program to inadvertently take control of the IP.
Re:everything can get viruses (Score:2)
I might be totally wrong:) But it looks like what you're talking about are vulnerabilities that have to do with buffer-overruns; they work by moving the IP to a data-segment by modifying the stack. To solve that, wouldn't it be enough to separate the data from the code (this is normal under Linux, I believe (?)) and not allow the IP to jump to the data(and stack)-segment AND not allow the code to modify itself. That would solve this problem, wouldn't it?
Viruses don't have much to do with this; they are about modifying executables which has nothing to do with the IP, but can indeed be solved partially by file-system improvements. Partially... users that get infected by viruses usually are users that have permission to install executables that are in the default path (most users on properly designed systems don't run any executables of their own). That's enough for a virus to infect the system. And nothing can be done about it without restricting the users' ability to install new software. And that's - at least partially - solved pretty well under Unix since nearly all executables are owned by the root user. And if a virus gets in via the root-account then that's usually plain stupidness of root:]
Please correct me when I'm wrong:)
Re:everything can get viruses (Score:3, Informative)
Let's say we're using your theoretical virus-proof OS. Well, I still want to be able to open a shell window and run my programs that do things. Sometimes I'm going to want to delete files or overwrite older versions of files with newer ones.
If the OS is designed to never let the user overwrite any data, that's not going to be a very useful OS! Basically, anything a user can do via stupidity (or obscure necessity) can be replicated with a virus. Remember, a virus is just a program that does nasty things instead of word processing -- there's no way for a nonsentient OS to tell, definitively, whether a program is supposed to be deleting files or not! Even if it prompts you for confirmation that you want to delete a given file, there's no way for the computer to be sure that it's really a sentient user hitting enter, and a virus simulating an "Enter" hit from the keyboard. (Well, there are specific ways around specific attacks, but I'm talking generally. OSes cannot pass the Turing test yet!)
Re:everything can get viruses (Score:2)
For example, "rm" would need the ability to delete files that it had not created. But it wouldn't need the ability to read or write files it hadn't created. Bash would need the ability to execute other programs. But it wouldn't need the ability to delete files.
I'm not sure how many spanners scripts throw into the works-- in theory, rm just becomes a replacement for your unlink() call, and any program(script) can delete any file. This is because your shell has and requires the ability to run any executable on the system. (Something which, again, rm doesn't need.) A mechanism is required that prevents bash's (or rm's) permissions from exceeding the bash script itself.
Okay-- what if permissions are subtractive? rm can't read other-app files, so neither can any program rm runs. Bash does have the right to delete any file, and so does rm, so if you run rm through Bash, you delete the file. However, cp does not have the right to delete any file, so even if you run cp through Bash, it can't delete a file it did not create.
And when a file contains #!/bin/bash, any permissions the script does not have, are subtracted from the permissions of bash when it runs.
You know, this actually sounds feasible. . .
Third lesson we learned in CS100 in college :-) (Score:3, Interesting)
And to make sure we got the point, they'd make us run our programs on their input decks, which often had maliciously designed explorations of the limits of programs - what if the input field is missing, or too short, or too short by 1, or precisely as long as the maximum, or maximum+1, or way too long, or not a number, or a negative number, or had spaces in it, or had magic-looking values like 999 or 32767, or duplicated things that were supposed to be unique, or used values that weren't on the list of the-only-values-the-user-can-input. This was on Evil Mainframes with EBCDIC, so there are some modern forms of Bad Input that didn't exist (like backspaces or carriage returns in alphabetic fields ) but there were other evil things that could be done, like bogus punchcards, or characters that weren't from the 48-character character set the old printer supported or the 64-character set that the new one supported, or had data that ran into columns 73-80 which are only for sequence numbers. One of many annoying things about punchcard-oriented systems was that the edit-compile-run cycle was very slow, but it forced you to think very carefully about what you were doing. On the other hand, there are kinds of Bad Input that come from lots of experiments of throwing Nasty Looking Stuff into a program to see what it does that you wouldn't bother with on a punchcard system.
Re:everything can get viruses (Score:2)
Existing hardware has enough protection to allow running hostile executable code, if the OS won't let it do anything harmful. Hostile code running in a FreeBSD "jail", for example, can't do much. And there are secure Linux variants which run untrusted content with limited privileges, so that it can't do much. You don't need an interpreter to provide protection. (In fact, Java hasn't turned out to provide as much protection as originally claimed.)
What we need are some apps, like browsers, media players, and web servers, which can operate under very limited privileges. Then they can be run on secure variants of Linux. That will provide some examples of secure systems (and something Microsoft doesn't have.) Get busy, people.
The sad thing is that if an operating system today was secure enough to lock remote content in a jail, all that stuff content owners want would stop working. Like preventing anything else from running while their content is decrypted, or sending information to their web site.
Re:everything can get viruses (Score:2)
Why is it that almost every system out there can get a virus? I'm under the opinion that it is the OS's fault, *nix, windows included.
A few reasons:
Good security takes a lot of work and planning, even given an OS that offers good security features. Most people (including most software companies) don't care to go through this work. Hence we have security holes, viruses, trojans, worms and so on.
Infoworld Article Not related (Score:2)
That infoworld article has nothing to do with this virus. It's also 13 months old.
You guys really need to give a little more effort here sometimes. You are brash, act without any confirmation and show yourselves as totally incompetent. Can you get me a job there?
This is a really great example... (Score:2, Offtopic)
Specifically: Why the frell do we even NEED Flash or its brethren in any case? It seems to exist solely to make pretty pictures, and spew forth alleged "music" or other SFX, and waste a lot of bandwidth in the process.
Remember: If you cannot manage your native language well enough to get a CLEAR message across to your site's visitors in plain ASCII text, then NO amount of flashing fonts, pretty colors, bandwidth-hungry animations, or silly sound effects is going to help you in the least.
Don't even get me started about how precious few web sites are even usable by those who are vision-impaired, and need to use a text-to-speech converter on their computer. How many sites are in blatant violation of ADA accessibility guidelines even as I write this?
Web designers, take note: Sites today have entirely too much fluff, and far too little in terms of USEFUL and EASILY READABLE content. Remember that "simple" is NOT a bad thing. This latest virus serves only to emphasize that point.
Re:This is a really great example... (Score:2, Informative)
Of course I have never seen them used that way.
Re:This is a really great example... (Score:2)
I think you're seeing a problem, but you're not diagnosing it properly. The problem is not the fanciness or expressivity of flash. It is the fact that flash is a programmatic language, not declarative. From a security perspective, if you're handed declarative information, it's fairly easy to ensure that the programmatic code you have running over the declarative code isn't going to go haywire, since it is 'closed'. However, on the other hand, if you're simply handed programmatic code, you cannot tell what the program is going to do with certainty, given the tremendous amount of states it can enter.
This debate is currently being played out in the XSLT community. Some people want scripting information in XSLT, but that's a dangerous road to go down. XSLT appeals to me because it is powerful, yet fully declarative.
If I had taken the Language Theory instead of Advanced Algorithms (or whatever they were called) in college I could probably express myself better here (FSM's and similar).
Re:This is a really great example... (Score:2)
Re:This is a really great example... (Score:2)
Infoworld is reporting on a *different virus* (Score:5, Informative)
Virus 1 (Conrad's submission) - SWF/LFM.926
The virus, dubbed SWF/LFM.926...must be downloaded manually and cannot spread...over e-mail. (Yahoo) [yahoo.com]
Virus 2 (bdavenport's infoworld submission) - Creative.exe
The virus...arrives in an e-mail bearing the subject line, "A great shockwave flash movie."
The worm, which first appeared Thursday, is delivered to users in the form of an e-mail attachment that appears to be a Shockwave Media Player. When a user tries to view the movie attachment, the worm sends a copy of itself to all people in the address book of the user's Microsoft Outlook e-mail program, potentially clogging e-mail networks.
One reason the Creative.exe virus may be spreading so quickly is that it uses the Shockwave Flash movie icon. (Infoworld) [infoworld.com]
From Symantec: [symantec.com]
Discovered on: November 30, 2000
Due to a recent decrease in world-wide infections of this worm, SARC has decreased the threat level of this worm to 3 and removed it from the Top Threats list.
W32.Prolin.Worm uses Microsoft Outlook to email a copy of itself to everyone in the Outlook address book. The worm moves all
change atleast now to LINUX
Also Known As: TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A
So...Creative.exe is NOT a flash virus, and is old news, unrelated to SWF/LFM-926.
Re:Infoworld is reporting on a *different virus* (Score:2)
Should I just go ahead and semi-permanently chmod 000 my libflashplayer.so? (The only thing I use it for on a regular basis are those lovely little Seattle Labs blurbs that get posted on User Friendly [userfriendly.org] (which, ironically, are ads for WinDoze security products)....
Re:Infoworld is reporting on a *different virus* (Score:2)
Virus Names (Score:3, Interesting)
This can't happen via HTTP (Score:3, Informative)
Formats like Flash, Director, or Toolbook are fairly safe when run in a browser, but when run locally, most gain much more functionality, including the ability to execute arbitrary commands. Many people have the Flash Player plugin, but no standalone executable to open the files locally is supplied. 99% of all people that do have the standalone player are getting it from an installation of Macromedia Flash (the creation/editing application), and anyone else with a player isn't likely to have one that implements FSCommand calls, of which one of the functions is the ability to execute commands.
Re:This can't happen via HTTP (Score:2)
This isn't even a virus. (Score:2)
This is no more a "virus" than rm -rf is a trojan.
the flash!? NOOOO! (Score:2)
Not a real WEB virus. (Score:3, Informative)
that's an old Infoworld story - different worm! (Score:2, Informative)
Stand down, nothing to see here, move along...
No vulnerability in Flash itself (Score:5, Informative)
This virus really has more to do with running an unknown executable than it does exploiting some kind of vulnerability in Flash. This is because any stand-alone Flash player file is an
What cracks me up personally is that the very possibility of a Flash virus has been discussed before on Flash community developer message boards. When the "exec" command for the stand-alone player was still undocumented and somebody posted about it (having "discovered" it somehow) there was quite a discussion about the new functionality uses. But, there was also some speculation on how it could be used for malicious purposes. This was around a year ago, IIRC.
Uninformed and misleading post (Score:2, Informative)
Virus flash emulator. (Score:2)
This will give you some idea about what the real virus looks like. Click Here [zukunftsformen.de]
.exe or .swf (Score:2)
So if I understand this correctly, if you don't use .exe attachments and don't have the standalone player, then you should be safe?
A while ago I wrote a filter, which takes a flash exe, and strips out the flash player, leaving you with the .swf part. I did that, so that I could view those movies on Linux, but it should work for Windows systems, too. Usually there is no reason to include the flash player anyway - most people have the flash plugin already, and don't need yet another copy of the flash player.
Apologies for the really bad code (I don't actually know C), and the horrible formatting (the latter I blame on the slashdot lameness filter, though). You'll have to use "View Source" to look at it. :)
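The extraction described in the post above, as an added Python example (not the poster's C filter, which does not appear on this page): it carves the embedded movie out of a projector .exe without running it, and flags the exec FSCommand discussed elsewhere in this thread. Assumptions: the movie is appended to the player and starts with the standard uncompressed SWF header, the exec call is stored as the literal string `FSCommand:exec`, and the function names, `max_version` and the sample bytes are made up for this illustration.

```python
import struct

SWF_MAGIC = b"FWS"  # uncompressed SWF: "FWS", 1 version byte, u32 little-endian length

def carve_swf(blob, max_version=10):
    """Return (offset, movie_bytes) for the embedded SWF, or None if none is found.

    Assumption: the movie is appended to the player, so among header-consistent
    candidates the one whose declared end lies closest to end-of-file is chosen.
    """
    best = None
    pos = blob.find(SWF_MAGIC)
    while pos != -1:
        if pos + 8 <= len(blob):
            version = blob[pos + 3]
            (length,) = struct.unpack_from("<I", blob, pos + 4)
            room = len(blob) - pos
            # Reject stray "FWS" bytes in the player code: version and length must be sane
            if 1 <= version <= max_version and 8 < length <= room:
                slack = room - length  # bytes left over after the declared movie
                if best is None or slack < best[0]:
                    best = (slack, pos, blob[pos:pos + length])
        pos = blob.find(SWF_MAGIC, pos + 1)
    return None if best is None else (best[1], best[2])

def mentions_fscommand_exec(swf):
    """Heuristic flag: the literal FSCommand exec string occurs in the movie bytes."""
    return b"fscommand:exec" in swf.lower()

def build_sample():
    """Constructed input: fake player stub, a decoy "FWS", then a tiny fake movie."""
    body = b"\x00" * 12 + b"FSCommand:exec\x00" + b"\x00\x00"
    movie = SWF_MAGIC + bytes([5]) + struct.pack("<I", 8 + len(body)) + body
    stub = b"MZ" + b"\x90" * 62 + b"FWS\xff\xff\xff\xff\xff" + b"\x90" * 32
    return stub + movie, len(stub), movie

if __name__ == "__main__":
    exe, expected_offset, _ = build_sample()
    offset, movie = carve_swf(exe)
    print(f"movie at offset {offset} (expected {expected_offset}), "
          f"{len(movie)} bytes, exec string present: {mentions_fscommand_exec(movie)}")
```

A movie that builds the command name at run time would not contain the literal string, so a negative result from `mentions_fscommand_exec` is not proof that the call is absent.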
Re:.exe or .swf (Score:2)
Re:Someone send me the source! (Score:2)
Re:Someone send me the source! (Score:2)
Someone please tell me what is wrong with the uber-parent post?
Slowly I lose my karma.