Adobe Flash Zero-Day Attack Underway

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"

And people

[Anonymous Coward]

And people wonder why I use noscript and flashblock. When untrusted adds in flash are being served on big "trusted" websites people are eventually going to get bit.

Re:And people

[mrbluze]

And people wonder why I use noscript and flashblock

I imagine those using the malware are not hoping that sensible people such as yourself get infected at all, but the PC's belonging to the members of the unwashed e-masses who wouldn't have the foggiest what anyone's talking about. Their computers are much better because the life of your exploit is likely to be long and chances of anyone chasing and finding you are slim.

Re:And people

[Daengbo]

That's why you should be using Gnash. Monoculture (all Flash being played by Adobe Flash player) is a bad thing when an infection occurs.

Re:

[NoobixCube]

Last time I used it, about two months ago, it didn't show a Youtube video properly. Since that's pretty important to a lot of Flash users, I wouldn't say it's ready yet.

Re:And people

[Anonymous Coward]

It plays them now

Re:

[Anonymous Coward]

i find swfdec [freedesktop.org] to be better with youtube atm

Re:And people

[pizzach]

Even if the current version in your distribution's repositories is not able to play YouTube videos, the cvs version at least can. I remember reading somewhere that getting and keeping YouTube movies playable was a top priority.

Re:

[SanityInAnarchy]

Offtopic, but it looks like Savannah gives them a choice of CVS or Git. And they chose CVS??

Re:And people

[CaptnMArk]

My guess, CVS was available sooner.

Also, for a developer who only does update/work/diff/commit, CVS (and SVN) is easier
to use than git.

Re:

[SanityInAnarchy]

SVN might be easier. I'm not sure CVS is, especially the second you have to do anything more than those four operations.

Re:

[Anonymous Coward]

$git init
$git commit -a -m "That was easy."

Re:

[pizzach]

I just installed the newest CVS 20 minutes ago. YouTube definitely still plays. Be warned though that it currently uses a crapload of CPU, and there can be a video lag while gnash loads things. Afterwards its fine though.

Re:And people

[aliquis]

If only that video-in-webpages-standard was implemented (is in Safari now) and used it would be so sweet to just remove that flashcrap alltogether. Too bad on webpages made only in flash but well, those suck anyway =P

Re:

[David Gerard]

It doesn't play Weebl and Bob [weebls-stuff.com] videos properly yet, so I can't put it into place until it does or my kid's too old for Weebl and Bob (probably around sixty).

Re:

[Culture20]

It doesn't even do that. With gnash, I can't visit slashdot without routinely typing "killall gtk-gnash" into a root terminal. gnash isn't ready for any level of usage.

Re:And people

[Opportunist]

That's pretty much it.

It's nice for you that you don't get infected. But you don't count (not trying to be belittling you, nobody counts). What counts is numbers. And for one person who knows what he's doing when clicking a link, there's thousands who don't know the difference between browser, flash and the OS.

And these people are a problem. They become spam relays, increasing traffic (and making spamfilters a necessity). They get ripped off by password stealing trojans, making the services they use more expensive for everyone in turn (because neither banks, nor amazon, nor ebay simply swallow the loss, they just have everyone pay a few cents more).

And no, I have no solution for the problem. Unfortunately I'm not in the position to dictate who may use the net and who may not. Actually, the ones that do have the legal muscle to dictate it want those "unwashed masses" rather than people who know how to use their computers. The former group tends to buy. The latter tends to know how to do it themselves.

Re:And people

[NoobixCube]

An example of the knowledge of the masses: When I commented to my mother that I spent the day watching flash cartoons, she thought I meant animated porn.

Re:And people

[Spad]

Lucky guess?

Re:And people

[NoobixCube]

That's completely beside the point :P

Re:

[Opportunist]

Umm... there are other cartoons on the net?

Re:And people

[Rojo^]

Now that you mention it, Strongbad is topless far too often....

Kids these days...

[Digestromath]

Back in my day the only way to animate porn was flip the pages real fast. When technology does all the hard work for you, you lose any sense of personal accomplishment.

Re:

[Anonymous Coward]

And these people are a problem.

Only in the sense that people who get the flu are a problem. The real troublemaker here is a tiny program called Flash which needs updates every few weeks to fix yet another vulnerability. The quality of that program is atrocious, especially considering its market penetration and the size of the company which spawned it. Pointing fingers at people who do not make system maintenance their mission does exactly nothing to solve the problem. The only people who can solve it are the people who write bad softwar

Re:And people

[Opportunist]

That's because software, like all products, follow the unholy trinity of speed, quality and price. You can get two optimized, but never all three.

If it's good and cheap, it takes forever to do it.
If it's good and quickly done, it won't be cheap.
If it's cheap and quickly patched together, it will be anything but good.

Now, look at the market of today and tell me which strategy allows you to sell your product.

It's not just software, this system works in every area. And the only thing that keeps it in check, unfortunately, is safety regulations and liability. Else we'd have gas lines that blow up every now or then and cars that make it a matter of luck whether they break when you hit the metal.

The current hype is price. How many products do you know that sell through quality? The selling point is how CHEAP it is and how much you SAVE when you buy it.

The same works for software. Yes, you could create a rock solid, absolutely stable system. Software follows the same rules as above. It can be cheap and solid, but it will take ... 17 years I think so far to make it. For reference, see Linux.

But I can't find an example for solid and quick. I guess the company that tried it went bankrupt before they were done...

Re:And people

[Anonymous Coward]

Protip: Noscript will not save you.

I am not saying it wouldn't HELP both in usability of websites and security. I use it myself, too.

I am, however, saying that it keeps you a lot less secure than many (not specifically the person I'm responding to) seem to think.

I have used NoScript for half a year or so (Well, a bit longer I think but half a year on this OS install, this whitelist, etc.)

What does this mean? I have several hundreds of, possibly thousands of, whitelisted websites. I play a lot of small flash games to kill time so I have addictinggames, miniclips, arcade and a dozen other flash game sites whitelisted.

"I know the webmaster of arcade.fi personally, a good guy, I can keep his website whitelisted, right?" Well... I also know he buys most of the games from freelance coders in india. Quite cheaply. How can I be certain that one day in one of these programs won't be a zero day exploit? I can't. So a trusted website that has always been trusted might still not be trustworthy.

Same with many other sites. I (and I know many others of you) have also many pornsites whitelisted, how do I know one of those trusted websites with a lot of traffic won't one day have been hacked to have some exploitation code? I don't.

NoScript won't protect me against any sites that I visit often, really.

Re:

[Anonymous Coward]

That's what temporary permissions are for. I have a very small, very select list of whitelisted sites, and everything else is temporary as needed. Plus, I have all flash objects blocked until I allow them. Period. Even trusted sites get this restriction -- I don't like my browser autostarting some annoying flash clip just because the site author thought it would be cute to include their "pet spider" on their website.

Flash dependent sites

[Mathinker]

> That's what temporary permissions are for.

Yes, I use them all the time, but what does that really mean? After I temporarily enable Flash/JS malware for a badly designed site which is just not viewable without them, I'm not going to get temporarily "pwned". It's already "game over".

Except for times like this, if the choice is enabling JS/Flash, or not getting information I was interested in, my thirst for information wins, all other things being equal (i.e., the URL looks like a legitimate one, etc.)

I never enable JS or Flash in order to see sites which I get to through advertisements, however.

NoScript WILL Save You (most of the time)

[Giorgio Maone]

SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases [hackademix.net], the 3rd party hosts have been improbable domains Chinese domains likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.

So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.

Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive community driven web sites), you can also configure NoScript to block ALL the embedded objects [hackademix.net], with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.

Re:

[Junior J. Junior III]

This is why I've long thought that the NoScript plug-in's method of whitelisting is fundamentally broken. Rather than whitelisting by domain, giving blanket trust to an entire domain, what should be done is give trust on a per-script basis, with a hash of the scripts that you've whitelisted stored as part of your mozilla user profile, and only those scripts which match the hashes of scripts that you've permanently whitelisted allowed to run without your explicit approval.

This should be a lot safer than app

Re:

[aliquis]

Your analogy fails. With or without condom I'm still well protected, and I don't have to use it.

If your analogy was correct NoScript would be something I have/use even thought I'd never stumble upon any scripts.

Re:

[zwei2stein]

Well, using ad-blockers like this is considered to be taboo behavior in most of forum communities.

I have seen it quite few times, someone had problem with noisy ads, someone else suggests adblock, site admin appears, has long sad speech how adblockers are worst thing ever and bans person suggesting use of adblock and tells person which has problem with ads to deal with it or move on.

There is some pressure NOT to use such tools. And nice people do listen.

Re:And people

[Opportunist]

Well, ads are a necessity for many pages. Someone has to pay for it. So of course they don't enjoy adblockers.

On the other hand, invasive and outright obnoxious ads tend to kill the experience, so people start looking for ways to get rid of them.

As usual, the best way is something both sides can "live" with. Take /. Yes, the page has ads. Yes, I see them (sometimes I even click on some). They don't bother me. They are topical. Often even interesting. So I don't block them. And I'm fairly sure nobody here took /. as the reason to start hunting for an adblocker.

It's pages that run full page in-your-face ads that make their users turn to adblockers. And those ads will be blocked. Some pages turned to tools that ensured that, if you block their ads, you don't get to see their content. Which in turn often backfired and kept people who didn't block the ads but just happened to have some sort of freaky setup to be locked out as well.

Hmm... honestly, I didn't want to turn this into a tirade about DRM.

Re:

[Anonymous Coward]

and tells person which has problem with ads to deal with it or move on.

To which the correct response is "screw you, your crappy ad-riddled forum and the horse you rode in on".

These asshats just don't get it. If I have configured MY browser not to obey every link on your shitty page, that is none of your business.

Re:

[SanityInAnarchy]

And that is what text ads are for.

If a site is going to insist on me watching Flash ads, I'm not going to use that site. End of story.

Re:And people

[TheGratefulNet]

Well, using ad-blockers like this is considered to be taboo behavior in most of forum communities.

I'm quite active in a lot of forums and while some webmeisters might bitch about it, they have every right to write piss poor web code (including intrusive banners) and I have every right NOT to see such crap when I browse.

do you believe it when TV shows make you feel like you are 'stealing' if you don't watch the ads between the show segments?

how is blocking ads any diff?

why would you just 'give in' to some stupid webmaster? he has his views but its not the full story. and if he goes away due to 'lack of profit motive' another (maybe better) will come along. dime a dozen.

I don't 'protect' webmasters. they are not any better than users and don't deserve any more consideration than they give users (which tends to be on the low end of the respect stick).

Re:And people

[obi]

It's not as if there never have been any exploits for the JPG or PNG decoders in common browsers. Will you now browse the web with images blocked too?

Re:

[fishdan]

The difference of course is that the image file itself is benign -- the decoders were flawed. Whereas the Flash decoder is adware BY DESIGN.

The creators of Flash, Adobe/Macromedia, deliberately resist allowing user control of Flash. Why must I go to a 3rd party to selectively block Flash? Why can't I control Flash in my browser to a very simple extent such as "Flash cannot play sound without asking permission." Why does Adobe make Flash an "all or nothing" experience? The answer was given to me str

Re:

[obi]

Well, what are we talking about here - about security issues, or about its use for advertisement?

If you're talking about 0-day exploits, my point still stands: any decoder can potentially have exploits, and the only solution is to either keep your software (whether it's an image library or a flash plugin) up to date, or to simply stop using it (browse with no images, no flash).

If you're problem with Flash is that it's a pain for users, you can argue the same way about a lot of other things. For instance, I

Re:

[Yvan256]

And this is why I disable Java and plug-ins. If a website can't be used without Flash* and Java, it means it's coded like crap. And if the code is crap, the content is probably crap too.

* except video-based websites like YouTube, though I'm hoping they'll offer an "HTML5 Media"-based version soon enough for non-defective browsers.

Re:

[lgw]

The sure way to block flash: just uninstall it! http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157 [adobe.com]

Do I need flash for anything but watching Youtube these days? C'mon Google, you guys are supposed to be the masters of all web technology, won't you please change Youtube to use some more secure technology so I can abandon Flash entirely?

Re:

[grm_wnr]

There is no alternative to Flash. Flash would likely be marginalized by now if FLV hadn't come along; it saved Flash's ass and, to Adobe's credit, made ubiquitous video on the web a reality. Seriously, remember the olden days? Quicktime and WMV, of which the former works fine on Mac OS but is an abomination of a plugin on Windows (easily worse than Flash), and the latter being what you went with if you wanted shit to work for at least the majority of people, even though it was horrible and, philosophically

Re:

[edmicman]

Like Quicktime! Or Windows Media!

NoScript can block Flash even if JS is enabled

[Giorgio Maone]

Just check NoScript Options|Plugins|Apply these restrictions to trusted sites too. In this configuration, NoScript effectively replaces FlashBlock [noscript.net], and it works on plugins different from Flash as well.

Re:

[Monx]

NoScript lets you do that. Just tell it to block embeds from all sites (including trusted ones). Then you can enable JavaScript and Flash individually as needed. There's no need for flashblock if you have NoScript properly configured.

SNAFU

[Anonymous Coward]

Situation Normal, All Flashed Up

Re:

[bill_kress]

I would have said: Situation Normal, Adobe's Fucked Up

Adobe has to be the worst company ever to supply popular software for the web, and it has always been a horrid company--at least since "ATM" started destroying my PCs back in the ole Windows 3.0 days.

At one point, they had some competition from some other terribly flashy web software, but they quickly rectified that by buying the company so they could retain their title of Extreme Web Fuckups and earn the SNAFU title.

(Second use of the F was quite gratui

Re:

[jimmypw]

How exactly is it the worst company ever to supply software for the web. I fail to see where your coming from. Dont forget that until a while ago they didnt own macromedia and their neiche was high quality still and moving images which back in the day of windows 3.0 wasn't anywhere near web software.

Your arguement is essentially flawed as this exploit has probably been in flash player since macromedia owned it and yet your blame gets directed at adobe.

Re:

[0xygen]

Must say though, if I were Adobe, staking my reputation on the reliability of some of the highest exposure software on the web, one of the first tasks after the acquisition would have been a thorough review of the Flash client codebase.

Not that this vulnerability would necessarily have been picked up...

Re:SNAFU

[Divebus]

How exactly is it the worst company ever to supply software for the web.

Here's my short list:

1) Adobe Reader takes too long to launch compared to other software. People moan when they encounter a PDF on the web.
2) Flash (yes, they own it now) is a resource hog when visiting web sites with only a few ads. Enough already.
3) If you have the Adobe CS3 suites, you'll come to HATE the update agent... slow, intrusive, frequent.
4) I'm always removing the Adobe reader Plugin from my browser after a CS3 upgrade. I don't want the damned thing in there.
5) Right click a banner ad and look at Settings. I don't like my camera and microphone being a choice there.

I wouldn't call it the WORST company... Adobe didn't make IE. That said, I get a lot of good use out of Adobe products, but sheesh... it can be the most sluggish stuff you'll ever use.

Re:SNAFU

[gaspyy]

Intentionally or not - you're trolling.

1. Adobe Reader 8 launches almost instantly for me after the first run, when it optimizes its launch (and I always disable the startup option). Version 6 was awful but things have changed. I do agree that it's bloated (over 200Mb) but I had problems displaying complex/cmyk docs in Foxit. YMMV.

2. Flash - use AdBlock. The technology is not at fault as flash is pretty lightweight itself. It's the advertisers who think I'll click their stupid ads if they add annoying sounds and the webmasters who think that by cramming more ads there's a better chance of me clicking on one.

3. The update agent is slow 'cause it downloads only when the connection is idle. I do agree that it's annoying for it to ask to close almost all programs when updating.

5. You do realize that camera and mic are turned off by default, don't you? You need to expressly enable them on a site-by-site basis.

So there you have it.

That's not to say that I don't hate Adobe myself for other things:
- activation is a pain in the ass, especially if you don't get the chance to deactivate the software first from the old computer and activate on the new one (happened to me after a hdd crash).
- the software is artificially segmented in some cases, e.g. Premiere and After Effects should be one software, or Illustrator and Indesign (CorelDraw acts as a combination between the two).

Re:

[halcyon1234]

Right click a banner ad and look at Settings. I don't like my camera and microphone being a choice there.

Neither do I, but I have to wonder. Has anyone ever tried leaving these settings ON be default, just to see if anyone, anywhere even attempts to exploit them?

I know the dataset is kinda skewed-- no one tries because everyone already has blocked them-- but I'd be curious how many Flash games / ads / crap / etc has code to try to use the mic & cam JUST IN CASE

Re:

[STrinity]

Don't forget that certain Adobe programs, including Photoshop and Premiere, place DRM in the master boot record [adobe.com], which makes it impossible to run TrueCrypt boot-time encryption and have the Adobe programs work.

Re:

[1u3hr]

Adobe has to be the worst company ever to supply popular software for the web, and it has always been a horrid company--at least since "ATM" started destroying my PCs back in the ole Windows 3.0 days.

Sorry, I find this absurd. I've been using ATM ever since Win 3.0 too. Never had any issues with it. T1 fonts are essential (to DTP anyway). I use Acrobat every day (though I stick with Acrobat 4 mostly, it has all I need). There are many, many more obnoxious web software products -- who can forget RealPlayer

Re:

[1u3hr]

Real Player never crashed my machine (That I remember, at least I can say it never became enough of a pattern for me to recognize it as one). Adobe Reader used to almost every time I hit a PDF file--if it was a large file over dialup--guaranteed

Real didn't crash, but it was unpleasant in many other ways. As for reading PDFs online; if it's a short document I might view it in the browser, but I almost always r-click to download and view it once it's all there, rather than try to view inline. You have to

tell that to Youtube ..

[rs232]

"Adobe has to be the worst company ever to supply popular software for the web"

I do believe it's the flakey OS that is at fault here ..

Flash perpetual vulnerability

[amrik98]

This isn't the first or the last time Flash will have vulnerabilities discovered, and I understand this can happen with any software. It is just the frequency and consistency of these vulnerabilities that concerns me. When I install a binary blob from Adobe its always in the back of my mind that I could be opening up my system to attack.

what about the designers of the OS ?

[rs232]

"This isn't the first or the last time Flash will have vulnerabilities discovered"

Do the designers of the OS bare any responcibility? What kind of a design allows remote code execution [securityfocus.com] on a malformed media file? And this one happened by accident, does that mean that there are dozens of exploits out there waiting to be utilized by the criminal fraternity.

Re:

[BollocksToThis]

I personally require none of that dada.

Slow down on the keyboard there, Oedipus.

Re:

[account_deleted]

Comment removed based on user account deletion

Another reason I despise swf on webpages

[rts008]

I always use noscrpt and flashblock extensions in firefox on Linux, so I'm not too concerned about this.

Re:

[Vectronic]

Buying a new car envolves money though...reformatting on the off chance something does happen (or about every 6 months regardless), doesnt.

And I never said i was completely careless, everything is pretty much locked down, and I monitor my traffic from time to time just to see if anything odd is going on... plus other than telling people I meet online my real first name, I dont do any online banking, buying, or other transactions that could be "dangerous". And scan everything I download that isnt from a reli

Re:

[Vectronic]

Oh, and to continue babeling...

I also always at least dual boot, all my machines, with XP or Vista, and then either Slackware or (pick random Linux)

The one im typing from at the moment has all four... XP/Vista/Slackware and Mandriva currently... so the odds of it hitting all 4 are slim, and the odds of none of the 4 seeing something odd are just as slim.

Re:

[Vectronic]

"When do you have time to do real work / play with them?"

Well, thats fairly easy, I boot into whichever OS is appropriate for the job, I split my windows installations, one for programming related things, one for graphical related things, and likewise for linux...

If it was my only machine, it would be over-kill and almost a job unto itself, but thanx to automation, and networking, I can leave one PC to do something it needs to do, and switch over to another PC thats free.

"...scanners are going to pick up ev

Welcome to the proprietary internet.

[NotZed]

A taste of what it could've been and what it might yet become?

Oh... dear... God

[religious freak]

What kind of horrible, horrible update scheme will Adobe come up with to try to combat this?! The thoughts are too terrible to imagine...

Re:

[WK2]

That wouldn't even work. Flash runs as a regular user, but needs administrator access to update its own code.

Re:

[SanityInAnarchy]

Actually, they already include a Webkit engine in Air, which is their Flash-based desktop app platform. It's not hard to imagine them porting that to Flash.

As distasteful as that seems, it would have one nice side effect -- there are a few places where Flash is pretty much the only option. MySpace, for example, allows Flash widgets, but not iframe widgets, because Flash widgets are more secure. With Webkit inside Flash, we'd be able to build a normal AJAX/iframe widget, and just wrap it in Flash for retarde

Proverb

[Rastignac]

In France, a popular IT proverb says "Adobe, c'est de la daube". True one more time today...
(won't translate; lost in translation).

Re:

[Zironic]

Adobe, it's a mess?

Re:

[lgw]

You can't translate the pun (thankfully), but the closest idiomatic thing might be "Adobe, it's name is mud".

Re:

[OneSmartFellow]

Adobe, it's shit

Re:

[sayfawa]

I'm guessing the pun is from the fact that the word 'adobe' means some kind of mud-based brick or structure? If so, then the translated pun is just as good (or bad), as adobe means the same thing in english [merriam-webster.com].

Re:

[Jesus_666]

Compare "Adobe" and "la daube". Very similar.

Re:

[Gandalf]

And here in Holland the proverb goes "Rather than Adobe, a doobie". (True every day...)

Hey Adobe: Try Using Stack Canaries!

[MichaelCrawford]

No doubt someone from Adobe will be reading this Slashdot story.

A Stack Canary [wikipedia.org] is a value placed at the end of a function's stack frame. Just before function return, the canary's value is checked, and if it has changed, the user is notified.

So what you do is built a test version of Flash with canaries enabled in the compiler, then try feeding it all kinds of potentially buffer-overruning input.

To enable canaries:

• Visual Studio for Windows: Use the /GS option [wikipedia.org]
• GCC for Mac OS X: use -fstack-protector [apple.com] in your "Other C Flags" option in XCode

The Xcode-Users post I linked to says that stack canaries were discussed in session 109 at Apple's developer conference, in 2007 I think. You should be able to view it on the Apple Developer Connection website.

I'll send you my bill in the mail.

Re:

[LaskoVortex]

No doubt someone from Adobe will be reading this Slashdot story.

If the guys who wrote the software that shows up on stories like this actually read slashdot, we probably would stop getting stories like this. I mean, when was the last time Ad0b3Hax0r /. id #113434124 said "Sorry guys, that bug was me. I'll try to do better next time. Thanks for the heads-up."

x86 processor + Windows + Internet Explorer = ..

[rs232]

"Hey Adobe: Try Using Stack Canaries! (Score:5, Informative)"

How about building a stack that isn't vulnerable to stack exploits [securityfocus.com]. And no - don't say it isn't possible. It just means the current batch of 'innovators' aren't able to manage it. So to summerise: x86 processor + Windows + Internet Explorer = the current fucked up security situation ..

Windows ecosystem ?

[rs232]

"This threat should be considered very serious because of the widespread distribution that Adobe Flash enjoys on the Windows ecosystem [zdnet.com]"

Shouldn't that be monoculture .. :)

No worries

[__aavonx8281]

I'll just install the open source alternative to Flash on my Windows desktop...

Guess this is the moment for Gnash (http://www.gnu.org/software/gnash/) to shine!

Flash

[roman_mir]

Last Friday at work I was approached by a PM who was panicking: we lost the people who were working on Flash components for the corporate website. Someone was supposed to be flown from India to work on the component, but they couldn't make it for personal reasons. So the question was: can this be done in dynamic html? Well, of-course it can be done in dhtml, I said. It can look exactly like flash and do exactly what flash is doing. Some of the devs who were also working on Flash components, but who couldn't handle the Flash problem in this case, were insisting that it is in fact 'impossible' to do this, to make a dhtml component that would look and do exactly the same thing as Flash, and dhtml will not work in all browsers etc. 3 days later they were proven wrong.

In any case, my point is that Flash is an overkill for most GUIs on the web, it's good for video streaming, but even for that it is not absolutely necessary. However for whatever reason various dynamic functionality is often required by the business to be done within the browser. Something that cannot be done without some sort of scripting - sliding tabs, smooth transformations between images/text whatever. Such functionality is what browser side scripting is for. In order to be able to use this functionality at least javascript will have to be allowed. Whether anyone really wants to go to the website is a different question, but some websites provide useful functionality that is welcomed by the customers.

Why people use flash...

[argent]

Flash is an overkill for most GUIs on the web

Underline that, set it in boldface, carve it in granite, mod parent up, the works...

I really think the main reason people use flash is because it moderately increases the difficulty of reverse-engineering an interface. Chopping up a .swf package can be done, even without a few hundred bucks worth of Adobe software, but it's more work than running "curl -o filename url" a few times. It's obfuscation, pure and simple.

Updated info re this sploit...

[Fallen Andy]

ShadowServer [shadowserver.org] has updated information on this here [shadowserver.org].

See also Symantec Threatcon here [symantec.com]

So it looks as if you have the latest flash plugin (9.0.124) you may be ok.

Andy

My Stewped Bank' "Website"

[BattyMan]

Insists on having access to a Flash player, or it won't let me in.
"For 'Security' Reasons".
Now I have even more ammunition with which to criticize their "security". (this began when they recommended Internet Exploiter(tm)(r)(c) and the prevailing commercial "Operating System"s, and locked out me, with my Debian and IceWeasel: "IceWeasel? That's _not_ an approved browser!"

Hey, I know. I need a new bank. Does anybody know of one that's clueful enough to _not_ recommend IE?

Re:

[linal]

SQL injects aren't a MS specific problem, they are from poor programming and design. The same SQL injection attack could happen on any OS and DB

Re:Hmm Windows only... and SQL injection?

[Hal_Porter]

It's Windows only because Microsoft wrote it to promote their Silverlight initiative. Siverlight doesn't work on Macs or Linux, so there's no point porting the exploit there.

Re:

[Anonymous Coward]

Silverlight does run [apple.com] on Mac OS X.

no point porting the exploit ?

[rs232]

"Siverlight doesn't work on Macs or Linux, so there's no point porting the exploit there"

I thought it was a Flash vuln and don't you mean it doesn't work on Linux. As the exploit does uses generic browser redirection scripts and SQL-injection.

"Malware hunters have spotted a previously unknown - and unpatched - Adobe Flash vulnerability"

Why is SQL injection even still a problem?

[MichaelCrawford]

And I'm not saying the web application developers need to prevent it: it needs to be fixed in the database and its communication protocols. I think it's quite an outrageously bad architecture that has payload and control data together on the same channel.

After all, it's my God-Given Right to name my son Robert'; DROP TABLE STUDENTS [xkcd.com]. I shouldn't be getting nasty phone calls from every school he's ever attended!

Re:

[SanityInAnarchy]

I think it's quite an outrageously bad architecture that has payload and control data together on the same channel.

I think it's actually nicely flexible, sometimes. I like that I can type SQL commands at a MySQL console.

I agree in principle, but this is a solved problem. Most database APIs allow prepared statements. Platforms like Rails abstract away most of the need to write any SQL yourself -- AND it fakes prepared statements.

The only reason we still have SQL injection is, we still have armies of morons writing crappy PHP and VB pages. Not that it's impossible to write good PHP, but it sure as hell doesn't encourage

Re:

[Tim C]

And I'm not saying the web application developers need to prevent it

Well, I am. There is simply no excuse for anyone to be writing web apps that are vulnerable to SQL injection attacks. The attack vector should be known to anyone with even a passing interest in programming for the web, and there are standard library calls for all the languages I've used that take care of it for you.

Besides which, this is really just a special case of the old maxim: never trust your input data. Anyone writing code that is vu

Re:

[SanityInAnarchy]

Take TCP, for example, which requires you to open two TCP ports for every connection, one for control and one for data.

...what?

Sorry, I haven't looked at the structure of an actual TCP packet in a long time, but I have no idea what you're talking about.

What happens if you want to embed user-entered data in the control? Well, that's easily handled, too, by moving everything except the framing sequences in the control channel into the data channel, so everything is data.

Great, so now we can have exploits based on manipulating the data instead.

There are incredibly simple solutions here, already implemented. There's prepared statements, which I think may work at the SQL level, not sure. Then there are higher-level APIs, like ORMs -- the better ones make it easier to be secure.

Making yourself vulnerable to a SQL injection is every bit as stup

Re:

[Tim C]

Sorry, I haven't looked at the structure of an actual TCP packet in a long time, but I have no idea what you're talking about.

He's being sarcastic.

Re:

[Opportunist]

Won't anyone here PLEASE think of the servers?

Re:This is NOT a 'zero day flaw'.....

[shird]

That is not the definition of zero day. If you are going to condemn people for using it incorrectly, at least use it correctly yourself. The 'zero day' status merely refers to how long the exploit has been known - the 'zeroth' day being the day it is publicly disclosed. This day is important due to the fact it is basically impossible for people to be patched against the vulnerability on this day. In other words, tomorrow this will no longer be a 'zero day exploit'. (no doubt it was disclosed several days ago and isn't a zero day exploit today either).

Re:

[OneSmartFellow]

The 'zero day' status merely refers to how long the exploit has been known - the 'zeroth' day being the day it is publicly disclosed

If that's your definition, ('zero day' == <time of publication>) then it still hasn't been used correctly, since the linked article is already a day old.

Given that the phrase 'zero day' is made of two single syllable words, I can understand the propensity for its use. However, it conveys no information, except to indicate that the author is a buzz-word junkie. Wh

Re:

[Daengbo]

If that's your definition, ('zero day' == ) then it still hasn't been used correctly, since the linked article is already a day old.
and
Given that the phrase 'zero day' is made of two single syllable words ...

OneSmartFellow isn't today.

Re:

[OneSmartFellow]

Given that the phrase 'zero day' is made of two single syllable words ... ,/em>

Good catch - very funny !
OK, zero is indeed two syllables.
Odd, make me wonder what else does zero have in common with the letter 'W' and the number '7' ?

Re:

[Gewalt]

No, zero day exploit refers to the fact that the exploit is publicly disclosed (and in use) before there is a patch to fix it. So yes, tomorrow, this will STILL be a zero day exploit.

Re:

[Gewalt]

ya, now you're just mumbling incoherent gibberish. So sad. Either accept that your perceived definition was wrong, or stop talking about how you don't like what it doesn't mean.

The phrase is not meaningless, there is no reason to stop using it.

That's sort of what the Welchia worm does

[MichaelCrawford]

When I was staying in a hotel in between moving out of one house and into another, I hooked my Win2k box directly to the Internet via dialup. At my old place I used Linux as an IP masquerading gateway, and never had any trouble.

Well it didn't take long for me to notice that my modem often showed activity even when I wasn't doing anything online. At the advice of a friend I bought the ZoneAlarm firewall.

It informed me that I was infected with the Welchia worm. What it does is apply security fixes to y