I do have a background in computer security at corporate level. The risk to the end user is they have no control over the web site but they do have control over their machines and I think I'm right in saying if Flash is not installed on the machine then there is no security risk so I disagree with your statement "none are the Flash Player itself.". In technical terms not having Flash installed reduces the attack surface.
The question was asked merely to see if there were alternatives available for those who chose not to have Adobe Flash installed and I'm very glad to see there are and to me that is the end of the conversation. Many thanks for your input.

Cheerio John

2009/11/19 Richard Fairhurst <[email protected]>:
> John Whelan wrote:
>> Is it possible? I note there is a major security problem with Adobe Flash.
>
> Er, no there isn't.
>
> Flash is far from perfect but this alleged 'exploit' is largely
> hysteria. There are three causes and none of them are the Flash Player
> itself:
>
> - Unconfigured webservers which don't send the correct
>   Content-Type/Content-Disposition headers;
> - Browsers which don't parse Content-Type headers as they should;
> - Sites that allow users to upload arbitrary executables, including
>   but not limited to Flash.
>
> Since OSM does not (to the best of my knowledge) allow such uploads,
> the issue doesn't arise.
>
> I would recommend reading:
> - http://blogs.pcmag.com/securitywatch/2009/11/so-called_flash_vulnerability.php
> - http://blogs.adobe.com/asset/2009/11/flash_content_and_the_same-ori.html
> - http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
>   (the article itself is largely hyperbole, but the comments are quite
>   informative)
>
> One summary from the latter:
>
> "What this comes down to is that web site administrators (and
> application engineers) need to make sure that untrusted SWF content
> (e.g. message attachments) must not be served over HTTP - they need to
> make sure that the server forces the browser to download the SWF to
> their local filesystem."
>
> Which is common sense.
>
> As others have pointed out, Flash has nothing to do with OSM rendering
> anyway and if you still like tin hats, other editors are available.
>
> cheers
> Richard
>
> _______________________________________________
> newbies mailing list
> [email protected]
> http://lists.openstreetmap.org/listinfo/newbies
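
The server-side mitigation named in the quoted summary (make the browser download untrusted uploads instead of rendering them in the site's origin), sketched as an added example that is not part of the original thread. The function names, the sample header sets and the use of `X-Content-Type-Options: nosniff` are assumptions of this example.

```python
import re


def safe_filename(name: str) -> str:
    """Reduce a user-supplied upload name to a header-safe basename."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)        # no quotes, CR/LF, spaces
    return base.lstrip(".") or "download"


def download_headers(upload_name: str) -> dict:
    """Headers for serving any untrusted upload (SWF included) as a download."""
    return {
        # Generic type: nothing here invites a plug-in or the browser to render it.
        "Content-Type": "application/octet-stream",
        # Tells the browser to save the file rather than display it inline.
        "Content-Disposition": f'attachment; filename="{safe_filename(upload_name)}"',
        # Asks browsers that honour it not to second-guess the declared type.
        "X-Content-Type-Options": "nosniff",
    }


def audit_upload_response(headers: dict) -> list:
    """List the header problems in a response that serves user-uploaded content."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip()
    if not ctype:
        findings.append("no Content-Type: the browser has to guess the type")
    elif ctype != "application/octet-stream":
        findings.append(f"Content-Type {ctype} may be rendered instead of saved")
    if not h.get("content-disposition", "").startswith("attachment"):
        findings.append("Content-Disposition is not 'attachment'")
    if h.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    return findings


if __name__ == "__main__":
    # Constructed sample responses for an upload handler.
    samples = {
        "hardened": download_headers("../../holiday photo.swf"),
        "inline swf": {"Content-Type": "application/x-shockwave-flash"},
        "no headers": {},
    }
    for label, hdrs in samples.items():
        print(label, "->", audit_upload_response(hdrs) or "ok")
```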

