More than three months after researchers documented serious vulnerabilities in Flash content that left tens of thousands of sites wide open to attack, few webmasters have bothered to remove the buggy files, a security expert from Google said. That means that an untold number of sites - many of them used for banking, ecommerce …
People can't fix what hasn't been explained
I remember when this story broke a little while ago and all we got was a very vague article saying that some Flash content was somehow vulnerable, but no further details. It wasn't clear whether the person who wrote the report had actually released any details or wanted people to pay for his book (or whatever it was) to find out, or whether the details were out there but not reported in the article. Lots of people asked for more information, as I remember...
This article still tells us nothing, except that some Flash content may have some kind of vulnerability, maybe related to sites with login details or something... It's not really surprising that there are still vulnerable Flash files on the net given the problem has not really been explained (at least not here), and nor have the solutions. (Can existing Flash files be patched? Do they have to be re-made from scratch? What's the deal?)
Good commercial practice
"the third parties frequently say they no longer have copies of the old content,"
Really? What sort of contracts do Banks write with their suppliers? If they contain no commitment to maintenance, then they deserve to pay again. I hope the replacements are properly archived.
When I ran a business we had to keep records for between 6 & 10 years. Certainly for anything that looked like a business claim or proposal.
"Flash files produced by Adobe DreamWeaver contain a "skinName" parameter that can be exploited to force victims to load arbitrary URLs that include the "asfunction" protocol handler. SWF files generated with Adobe Acrobat Connect don't properly validate the "baseurl" parameter, allowing script injection. "
So yes, it's a recompile job. Assuming you have the source to that binary the contractor delivered.
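A defender-side check for the two parameters quoted above, as an added example that is not part of the original thread or the article: it flags access-log requests to SWF files whose `skinName` or `baseurl` value starts with a URI scheme. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names are the two quoted in the comment above; the rest is assumed.
WATCHED_PARAMS = {"skinname", "baseurl"}
# A value starting with a URI scheme (asfunction:, javascript:, http:, ...) or a
# protocol-relative "//host" points the SWF somewhere the site did not intend.
SCHEME_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:|//)", re.IGNORECASE)
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_swf_params(log_line):
    """Return [(param, value)] for watched SWF parameters carrying a URI scheme."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith(".swf"):
        return []
    hits = []
    # parse_qsl percent-decodes, so an encoded scheme (asfunction%3A) is caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS and SCHEME_RE.match(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = suspicious_swf_params(line)
        if hits:
            results.append((number, hits))
    return results

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2008:10:00:00 +0000] "GET /media/player.swf?skinName=skins/default HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2008:10:00:05 +0000] "GET /media/player.swf?skinName=asfunction%3Aplaceholder HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2008:10:00:09 +0000] "GET /meeting/room.swf?baseurl=javascript:placeholder HTTP/1.1" 200 812',
    '203.0.113.8 - - [01/Jan/2008:10:00:12 +0000] "GET /index.html?baseurl=http://example.invalid/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Parameters supplied through the embedding page rather than the request URL never reach the access log, so a clean scan does not show that a hosted SWF is safe.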
So... rather than fix whatever component browsers are using to render and execute this buggy Flash, the solution put forward appears instead to be to fix all the authoring tools so they can no longer produce it? Am I missing something, or is this logic sorta... backwards? Can't they just fix the Flash renderer so it doesn't load arbitrary URLs?
pay peanuts, get gremlins...
Speaking from hard earned experience - a fairly substantial problem for many of these organisations is that they simply don't have in-house expertise, and often therefore, given the creative nature of Flash and its visual appeal and impact, the work is outsourced to PR and design agencies - with whom they may or may not have an explicit contract (which, in any case, is unlikely to include software service and maintenance clauses).
Many of these PR and design agencies also frequently have no in-house development and scripting expertise, they just know how to make it look good for lots of money, which they do, before indenturing some freelance-bedroom-enthusiast-scriptkiddy to code it into life.
These agencies offer little in the way of financial reward, and then proceed to keep changing the pixel-perfect but functionally inept brief, whilst refusing to increase the incentive, as it becomes clear that what they originally scoped isn't actually practical, or doesn't ultimately float the end-client's boat when they finally get to see it in action.
And so, as soon as humanly possible, the scriptkiddy delivers the job, waits several months to be paid their pittance and then refuses to take any further jobs from the soul-rapists.
Sure - it's the scriptkiddy's fault - after all, they should have known all about project management and proper development methodology and how to deal with scope-creep, and that the world is full of prowling nonces just waiting to screw them when all they really wanted to do was earn a little extra cash - c'est la vie! - after that they have no moral obligation to give a damn.
Thanks Tom, I missed that follow-up when it came out.
As I understand it then, old Flash files hosted on sites that don't use login details or sessions are a non-issue?
That's what happens
Remember when the intarwub was mostly populated with html-wrapped text? I say, these were the good old days. Maybe it's not too late. Maybe we can get back to the good old ASCII-art pr0n. All we need to do is to join a 1337 VX 733|\/| and help develop and spread "sanitizers". Harrrr!
I've been plagued for years by bad flash apps. Usually pretentious and/or annoying, but almost always buggy.
Flash just isn't stable. Even without vulnerabilities it has memory leaks, and resource leaks that cause the flash player to crash after a few minutes to a few hours.
Mix that with the usual Godawful programming and you get your web browser zooming up to 100% CPU because of some crappy ad that the site you visit has inserted/had inserted.
The solution - at least for firefox users - is the wonderful flash blocker FlashBlock (natch). Now I get nice neat rectangles where otherwise there would be some annoyingly animated ad zooming across the screen to block what I am reading. In the event I actually want to see the flash I simply click on the placeholder and voila! Technicolor excrescence to meet my heart's last desire.
plug-in advice @ Jerry
No Firefox/IceWeasel/wuteva plugin beats w3m. Nuf said.
Agreed, the flash plugin needs fixing not the content, otherwise malcontents will be torrenting old copies of dreamweaver to create more vulnerable content.
Why are they using Flash for banking at all?
Good HTML should be all they use. Period.
Flash? Gash, more like!
Businesses who use this kind of bobbins on commercial sites should be left to die in a ditch.
(Looks pointedly at Honda UK).
@Aquilus & jubtastic
The broken Flash allows for XSS exploits (quote from original article: "Vulnerable content opens websites up to cross-site scripting (XSS) exploits that allow an attacker to perform any action available to a user of the targeted website"). So yeah, a spam pusher or Russian mobster could put the flash on his website and steal the personal info you were about to submit... on his website.
The point here is that the vulnerable websites are corporate ones : banks, e-commerce, etc. When you run a website, and there's a vulnerability caused by something you (or most likely that chick from marketing who likes to download flash tutorials from the net to make purty blinking ads) put on one of your pages, you don't say "my customers should install the latest version of Adobe Flash Player, or even better switch to Links". You damn well go and fix it.
The reason is, you can't trust your users. You can't trust Grandma Jane who wants to buy a tricycle on-line for her grandson's birthday to have the latest version of IE/FF/whatever with all the plug-ins and the relevant Windows service pack.
The onus of making sure a user's input can't break your website, and that your website doesn't break the user's PC, is yours. If that means changing your pretty code so that it doesn't conflict with a buggy browser version, then so be it. Incidentally, this is why most commercial websites, at least those not done in Flash, use all sorts of ugly CSS tricks to work with the standards and with IE.
Only Good Flash is No Flash
I'm with Martin Budden here. What is Flash ever good for except bling and dumb games? It slows downloads, buggers search and screws the disabled. Dump it.
No flash for me. Is gnash at risk?
I run linux on a PPC chip.
Adobe don't release flash for my system so I use the open source gnash. I wonder if this is at risk too?
I hate flash, anything proprietary I don't really consider the internet.
Wah! This porridge is too hot!
As someone who produces flash business applications every day with success, I have to add...
Oh boo-hoo, you big fucking babies.
It is all very well saying to fix the Flash renderer, but what's to stop people using the old versions that aren't fixed? Your site would still be vulnerable. All the holes need to be plugged.
"As someone who produces flash business applications every day with success"
Define "success" please. Is your goal to produce something that is functional, usable by everyone and secure, or are you and your clients happy with "ooo, lookit the shiny stuff" at the expense of everything else?
If you answered yes to the first of those, fair play to you for making the effort, but can you *really* trust that your hard work isn't compromised by something like this vulnerability, which is largely out of your control?
Flash is perfectly OK for games and animations. Used *right* it's tolerable for brochureware type sites, but sadly, it's seldom used right (I firmly believe that all web designers should be forced, one day per week, to use a slower PC with one smallish monitor, and a heavily throttled internet connection, to remind them of what most normal users of their sites will be experiencing).
Flash has no fucking business whatsoever being used for security critical applications, as this issue proves beyond doubt.
@ the porridge is too hot
Not too hot, but too cold, tastes bad and sticks to the tongue.
Flash on webpage is annoying and useless. You flash developers will burn in hell, together with spammers, scammers and botnet herders, you know that?
"You flash developers will burn in hell, together with spammers, scammers and botnet herders, you know that?"
That flame icon really works! Must remember to tell the pope.
Mine's got the teary kleenex in the pocket mate...