Scott,
I'm by no means an expert on security; I just like to read about it (and
about programming), but here's my take on this:
Vulnerabilities aren't usually obvious, otherwise they would have usually
been fixed before the product is out. Think about the SQL injection attack
in CF. How obvious was that for you before someone explained how it's done
(when you first heard of it)? Mind you, there *are* some pretty obvious
screw-ups affecting major apps that get overlooked for a while (my all-time
favourite is the old IIS directory traversal vulnerability).
The problem facing Flash is that it's been re-purposed from an animation
tool to a full-featured application framework. When you re-purpose things,
old features can backfire badly (like the problem in Outlook where stuff
with application/x-wav mime type and .exe extension got automatically
executed). Also the developers who work on Flash would not be conditioned
to look for potential security issues yet since not so long ago Flash
wouldn't have been able to do many of the things that are potentially
dangerous. Add to this the fact that security isn't a 'feature' so it
receives little focus in the development stage -- and possibly not enough
focus in the QA stage either.
Also some of the problems the patch fixes are buffer overflows. Buffer
overflows involve user input containing machine instructions that is
allowed to enter the processor. This has exactly f*ck all relevance to what
the application should be doing. If you can trigger a buffer overflow then
you can do just about anything. Mind you, writing exploits for buffer
overflows is a non-trivial exercise (you'll need to know assembly to start
with). Problem is, once someone has done this it's a lot simpler for
someone else to write a worm that uses this exploit to spread.
Flash was put into the spotlight when security professionals realised that
it's a serious application that is widely adopted and as such, is a good
candidate for 'mischief'. Since Flash MX came out, quite a few buffer
overflows and other problems were found in it. There will be more until the
easily discovered ones are found and the developers learn from their
mistakes. As the player further matures and the developers become
security-conscious, holes will become rarer (but will never completely
disappear).
Still, the problem isn't as much that the holes exist but the fact that
they'll continue to linger on users' PCs until they all upgrade. This is
why awareness of security holes is a good thing. If you follow security
mailing lists, you'll know about these holes. Those who would exploit these
vulnerabilities would *definitely* follow them. If you don't follow these
lists, then you would be most likely living in a false sense of security
thinking that Flash is un-hackable. So it's important to get the word
out and get people to upgrade.
Cheers,
Vik
---------------------
Viktor Radnai
Web Developer, National E-Commerce, Ernst & Young
Direct: +61 2 9248 4361
PS: I hope I haven't written anything monumentally stupid that's
misleading for others and embarrassing for myself...
From: "Scott Barnes" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] mon.com.au
To: "CFAussie Mailing List" <[EMAIL PROTECTED]>
cc:
Subject: [cfaussie] Re: Multiple vulnerablities in Flash player
Date: 05/03/2003 04:22 AM
Please respond to "CFAussie Mailing List"
hmmmm.. I thought it was his theory and I was like "no way sandbox is
fux0red, they said so.."
Still majorly sceptical as to how it can be done, the only thing I can
think of (and I'm no hacker), is that they find some way to force FlashMX
to write to a file / read a file... maybe hax0ring the clientside shared
object, by getting it to write somewhere else on the hdd?
It's a very slim chance imho..
Scott.
"Mark Stanton" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> Scott
>
> Viktor said:
> >The update fixes several buffer overflows and methods of bypassing the
> sandbox.
>
> The email from MM said:
> ....Recently, Macromedia became aware of potential security
> issues with Macromedia Flash Player. A new version of
> Macromedia Flash Player fixes these issues to protect
> our users from any content that attempts to execute
> this type of malicious code.
>
> The cumulative security patch is available today and
> addresses the potential for future exploits surrounding
> buffer overflows (read/write) and sandbox integrity within
> the player which might allow malicious users to gain access
> to a user's computer...
>
> ...SEVERITY RATING
>
> Macromedia categorizes this issue as a critical update and
> recommends users immediately update to the newest player...
>
> I think the problem lies with the sandbox - ie. it does not work.
>
> hth
>
> Cheers
>
> Mark
>
>
> ______________
> Mark Stanton
> Web Production
> Gruden Pty Ltd
> Tel: 9956 6388
> Mob: 0410 458 201
> Fax: 9956 8433
> www.gruden.com
>
>
>
>
---
You are currently subscribed to cfaussie as:
[EMAIL PROTECTED]
To unsubscribe send a blank email to
[EMAIL PROTECTED]
MX Downunder AsiaPac DevCon - http://mxdu.com/