Expert says Adobe Flash policy is risky
- Alan Baxter
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Expert says Adobe Flash policy is risky
Giorgio, could you comment on this? Does this article imply there's a known flash exploit that can compromise Firefox? I would think Secunia would list this as a vulnerability, but so far Secunia says there are no known unpatched Flash vulnerabilities.
Expert says Adobe Flash policy is risky | InSecurity Complex - CNET News
A lax security policy in Adobe Flash puts visitors to user-generated content sites at risk, says a researcher who has found a technique exploiting the way browsers handle Flash files.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Expert says Adobe Flash policy is risky
Alan Baxter wrote:
Does this article imply there's a known flash exploit that can compromise Firefox?
Yes.
It's basically a cross-site scripting attack using Flash on sites which allow uploading of generic files.
Alan Baxter wrote:
I would think Secunia would list this as a vulnerability, but so far Secunia says there are no known unpatched Flash vulnerabilities.
It's technically not an "unpatched vulnerability". It's the way Flash works, and there's no easy fix.
Web sites could take countermeasures, but in some situations (e.g. social networks) they're hardly feasible.
So your best bet is using NoScript, better with "Apply these restrictions to trusted sites as well".
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
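The countermeasure Giorgio mentions, worked through as an added example (this is not code from the thread, from NoScript, or from any of the linked articles): a defender-side vetting step for "generic file" uploads on a user-generated content site. It assumes the site serves uploads from a dedicated origin and only intends a few image types to be shown inline; the origin name, the signature table, the allowlist and the sample uploads are all constructed for the example. It refuses payloads that carry a Flash (SWF) signature, serves anything whose bytes do not match the declared inline type as a plain download, and sets `X-Content-Type-Options: nosniff` on everything it does serve.

```python
# Added example, not code from the forum thread, NoScript or the linked articles.
# A vetting step for user-uploaded files on a site that lets visitors upload
# "generic" files: refuse anything that is really a Flash movie, and serve the
# rest with headers that keep the browser from treating it as active content.
# The origin, the allowlist and the sample uploads below are constructed.

import re

# SWF files start with a 3-byte signature (uncompressed, zlib, LZMA) and a
# 1-byte version; that is what the plugin looks for, whatever the file is named.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Constructed placeholder: a dedicated origin for user content, so a file the
# plugin does interpret runs with that origin's privileges, not the site's own.
UPLOAD_ORIGIN = "https://user-content.example"

# The only types the site intends to show inline, with the bytes they must start with.
INLINE_TYPES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def looks_like_swf(data: bytes) -> bool:
    """True if the payload begins with a SWF header (signature + version byte)."""
    return len(data) >= 4 and data[:3] in SWF_SIGNATURES


def safe_filename(name: str) -> str:
    """Reduce a user-supplied name to characters that cannot break a header."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)[:64] or "download"


def vet_upload(filename: str, data: bytes, declared_type: str) -> dict:
    """Decide whether to accept an upload and how to serve it.

    Returns {'accepted': bool, 'reason': str, 'headers': dict, 'url': str}.
    """
    if looks_like_swf(data):
        return {"accepted": False, "reason": "SWF signature in upload",
                "headers": {}, "url": ""}

    name = safe_filename(filename)
    headers = {"X-Content-Type-Options": "nosniff"}
    expected = INLINE_TYPES.get(declared_type)
    if expected and data.startswith(expected):
        # Declared type is allowed inline and the bytes agree with it.
        headers["Content-Type"] = declared_type
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        # Anything else goes out as an opaque download.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return {"accepted": True, "reason": "ok", "headers": headers,
            "url": f"{UPLOAD_ORIGIN}/{name}"}


# Constructed sample uploads: a real PNG header, a zlib-compressed SWF renamed
# to .jpg, and a PNG header submitted under a JPEG content type.
SAMPLES = [
    ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"),
    ("avatar.jpg", b"CWS\x0a" + b"\x00" * 16, "image/jpeg"),
    ("fake.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/jpeg"),
]

if __name__ == "__main__":
    for sample_name, sample_data, sample_type in SAMPLES:
        print(sample_name, vet_upload(sample_name, sample_data, sample_type))
```

The separate origin is the part that actually contains the damage; the signature check and the download headers are defence in depth against the renamed-file case and should not be relied on by themselves, which is why Giorgio's advice to restrict plugins on the client side still applies.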
- Alan Baxter
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Expert says Adobe Flash policy is risky
Thank you for the explanation. It sounded like a "cross-site scripting attack using Flash" to me too; it helps for you to clarify it like that. I think I misspoke when I said "there's a known flash exploit". Neither the CNET site nor the blog it links report an existing exploit, only a vulnerability, but I'll continue to use "Apply these restrictions to trusted sites as well".
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Re: Expert says Adobe Flash policy is risky
foregroundsecurity.com: Flash Origin Policy Issues
Supposedly Silverlight is better (or can be better) in this regard.
(But then, who uses Silverlight?)
FYI on js control for new silverlight build
Don't you know Flash can do Javascript?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6pre) Gecko/20091114 SeaMonkey/2.0.1pre
- Alan Baxter
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Expert says Adobe Flash policy is risky
Adobe Flash attack vector exploits insecure web design • The Register
The threat is far from restricted to Adobe Flash and could involve other forms of active content, including JavaScript. The root cause of the problem arguably lies with insecure web design practices that are deeply ingrained on the internet.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5