Jeremy, I can't see how it will make things any worse to punch these holes. You still fork Flash in its own process like you do now, only you sandbox it... how is it any worse?
This is just an observation: if I were to write malware (which of course I would never do), I would just use Flash plugin exploits to be cross-browser compatible, and this renders the sandbox nearly useless for future attacks. What "decent" malware writer would bother with WebKit exploits? None!

Besides, if you look at the help forum of Chrome, you will see some people are starting to catch malware like this, which is, btw, how I got this evil site's URL... I would never click on my own on such a foul-looking site.

As for the auto-updating issue, I suggested a solution in one of my previous posts, and I am sure you can have a word with Adobe about this.

In a sense Chrome makes it easier to infect itself(!), as you run plugins at the medium integrity level (Vista and above) and you normally install Chrome in the local user account, so no UAC prompt will help the user if some delicate file or DLL is written to the Chrome folder, and then it will do something never intended.

Also, one more note: Flash is special enough that if you would "hard code" the solution to it, you would anyway solve most infection problems in the world, and maybe even cancer... who knows?

And regarding what CPU said (and ignoring the auto-update), it seems that Flash does work flawlessly using your '--safe-plugins' switch, and doing this on that site does stop the attack (tbh, maybe the attack was stopped because Sun's Java died in the sandbox, but Ian said it was a Flash-based attack).

Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
