On Wed, Aug 5, 2009 at 11:52 PM, yoav zilberberg <[email protected]> wrote:

> Jeremy, i can't see how it will make things any worse to punch these holes
>

I never said it's worse...just that you couldn't make it airtight. Patches welcome. :-)

> you still fork flash in its own process like you do now
> only you sandbox it.... how is it any worse ?
>
> this is just an observation that if i would write malware (which of course,
> i would never)
> i would just use flash plugins exploits to be cross browser compatible
> and this renders the sandbox nearly useless for future attacks
>
> what "decent" malware writer would bother with webkit exploits ? none!
>
> besides, if you look at the help forum of chrome, you will see some people
> are starting to catch malware like this
> which is btw, how i got this evil site's URL.... i would never click on my
> own such a foul looking site
>
> as for the auto updating issue, i suggested a solution in one of my prev
> posts
> and i am sure you can have a word with adobe for this
>
> in a sense chrome makes it easier to infect itself(!) as you run plugins in
> the medium integrity level (Vista and above)
> and you normally install chrome in the local user account, so no UAC prompt
> will help the user
> if some delicate file or DLL is written to chrome folder, and then it will
> do something never intended
>
> also, one more note, flash is special enough that if you would "hard code"
> the solution to it, you would anyways
> solve most infections problems in the world, and maybe even cancer... who
> knows ?
>
> and regarding what CPU said (and ignoring the auto-update) it seems that
> flash does work flawlessly
> using your '--safe-plugins' switch, and doing this on that site does stop
> the attack
> (tbh, maybe the attack was stopped because the sun's java died in the
> sandbox, but Ian said it was a flash based
> attack)
>

--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/group/chromium-dev
