Page 1 of 1
Expert says Adobe Flash policy is risky
Posted: Fri Nov 13, 2009 5:42 am
by Alan Baxter
Expert says Adobe Flash policy is risky | InSecurity Complex - CNET News
A lax security policy in Adobe Flash puts visitors to user-generated content sites at risk, says a researcher who has found a technique exploiting the way browsers handle Flash files.
Giorgio, could you comment on this? Does this article imply there's a known flash exploit that can compromise Firefox? I would think Secunia would list this as a vulnerability, but so far Secunia says there are no known unpatched Flash vulnerabilities.
Re: Expert says Adobe Flash policy is risky
Posted: Fri Nov 13, 2009 2:06 pm
by Giorgio Maone
Alan Baxter wrote:Does this article imply there's a known flash exploit that can compromise Firefox?
Yes.
It's basically a cross-site scripting attack using Flash on sites which allow uploading of generic files.
I would think Secunia would list this as a vulnerability, but so far Secunia says there are no known unpatched Flash vulnerabilities.
It's technically not an "unpatched vulnerability". It's the way Flash works, and there's no easy fix.
Web sites could take countermeasures, but in some situations (e.g. social networks) they're hardly feasible.
So your best bet is using NoScript, better with "Apply these restrictions to trusted sites as well".
Re: Expert says Adobe Flash policy is risky
Posted: Fri Nov 13, 2009 3:35 pm
by Alan Baxter
Thank you for the explanation. It sounded like a "a cross-site scripting attack using Flash" to me too; it helps for you to clarify it like that. I think I mispoke when I said "there's a known flash exploit". Neither the cnet site nor the blog it links report an existing exploit, only a vulnerability, but I'll continue to use "Apply these restrictions to trusted sites as well".
Re: Expert says Adobe Flash policy is risky
Posted: Sat Nov 14, 2009 2:01 pm
by therube
foregroundsecurity.com:
Flash Origin Policy Issues
Supposedly Silverlight is better (or can be better) in this regard.
(But then, who uses Silverlight?)
FYI on js control for new silverlight build
Don't you know Flash can do Javascript?
Re: Expert says Adobe Flash policy is risky
Posted: Mon Nov 16, 2009 5:14 pm
by Alan Baxter
Adobe Flash attack vector exploits insecure web design • The Register
The threat is far from restricted to Adobe Flash and could involve other forms of active content, including JavaScript. The root cause of the problem arguably lies with insecure web design practices that are deeply ingrained on the internet.