Google, Adobe barricade Flash against hacker hordes – we peek inside

Google's team of computer security gurus have described the anti-hacker defenses they've helped Adobe add to Flash Player. It's hoped that these mechanisms will thwart or frustrate miscreants' attempts to exploit programming bugs in the software, and thus hopefully prevent attackers from hijacking victims' PCs and Macs. The …

  1. Dan 55 Silver badge
    Facepalm

    Have we just proven that Flash is a pile of crap yet again?

    JavaScript arrays don't have this problem, why should ActionScript vectors? It's a scripting language, you shouldn't be able to furtle with internal variable details or overwrite other objects in the array or any of that stuff.

    So the fix of thinking of a secret special number and storing it in the vector is less of a fix and more of a kludge.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Have we just proven that Flash is a pile of crap yet again?

      "It's a scripting language, you shouldn't be able to furtle with internal variable details"

      You're thinking too high level. JS and AS can both be vulnerable to memory corruption leading to exploitation. You have to exploit a bug to furtle with the vector length value - such as a buffer overflow or use-after-free().

      e.g., in ActionScript, let's say your plugin's memory looks like this: B = buffer byte, V = vector byte, L is the vector length, and . = empty space. You've got two objects, a buffer and a vector allocated near each other:

      BBBB....LVVVV

      There's a missing bounds check on the buffer, so you overflow it by writing too much data to it (from your malicious Flash file) and run over the nearby vector. * = the smashed length:

      BBBBBBBB*BBVV

      So moving the buffer objects well away from the vector objects prevents you from easily overwriting the length value.

      Now, you can do this in JavaScript. There are plenty of exploits in the past where a use-after-free() has been exploited to modify memory allocated on the heap.

      C.
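The two mitigations discussed in this thread, the "secret special number" stored alongside the vector length (Dan 55's post) and the smashed-length picture in the reply above, can be modelled in a few lines of C. The following is an added example, not code from the article, from Adobe's Flash Player, or from Google's patches: the `Vector` layout, the constant `kLengthSecret`, and the `simulate_length_smash` helper are all assumptions made for illustration. The idea is that the runtime keeps a second word derived from the length and a per-process secret; an overflow that runs across the header overwrites both words with attacker-chosen bytes but, without the secret, cannot make them agree, so the next bounds check notices the inconsistency before any out-of-bounds access happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-process secret. A real runtime would draw this from a
 * CSPRNG at startup; it is a constant here so the example is deterministic. */
static const uint32_t kLengthSecret = 0xA5C3F00Du;

/* Assumed layout: the length is followed immediately by a check word that must
 * equal length XOR secret. Both sit in front of the element storage, so an
 * overflow from a neighbouring buffer runs across both before reaching data. */
typedef struct {
    uint32_t length;        /* element count as seen by the script */
    uint32_t length_check;  /* length ^ kLengthSecret */
    uint32_t data[];        /* element storage (flexible array member) */
} Vector;

Vector *vector_new(uint32_t length) {
    Vector *v = calloc(1, sizeof(Vector) + (size_t)length * sizeof(uint32_t));
    if (v == NULL) return NULL;
    v->length = length;
    v->length_check = length ^ kLengthSecret;
    return v;
}

/* Returns 1 if the header is self-consistent, 0 if it has been tampered with. */
int vector_is_consistent(const Vector *v) {
    return (v->length ^ kLengthSecret) == v->length_check;
}

/* Bounds-checked read. Returns 0 on success, -1 on an out-of-range index and
 * -2 on detected header corruption (the point at which the real plugin would
 * terminate the process rather than keep running). */
int vector_get(const Vector *v, uint32_t index, uint32_t *out) {
    if (!vector_is_consistent(v)) return -2;
    if (index >= v->length) return -1;
    *out = v->data[index];
    return 0;
}

/* Stand-in for the "BBBBBBBB*BBVV" picture from the thread: the bytes that
 * spill out of an adjacent buffer overwrite the whole header with one fill
 * byte. Constructed for the example; no real overflow is performed. */
void simulate_length_smash(Vector *v, int fill_byte) {
    memset(v, fill_byte, sizeof(v->length) + sizeof(v->length_check));
}

int main(void) {
    Vector *v = vector_new(4);
    uint32_t out = 0;
    if (v == NULL) return 1;
    v->data[3] = 7;

    printf("healthy: get(3) -> %d (value %u), get(4) -> %d\n",
           vector_get(v, 3, &out), out, vector_get(v, 4, &out));

    simulate_length_smash(v, 0x41);  /* length is now 0x41414141 */
    printf("after smash: consistent=%d, get(1000000) -> %d\n",
           vector_is_consistent(v), vector_get(v, 1000000, &out));

    free(v);
    return 0;
}
```

Because the check word is compared on every access, the huge bogus length never becomes usable: `vector_get` returns -2 instead of reading past the allocation. Moving buffers into a separate heap region, as the reply above describes, is the complementary measure that makes the overflow less likely to reach a vector header in the first place.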

      1. This post has been deleted by its author

        1. Dan 55 Silver badge
          Thumb Up

          Re: Have we just proven that Flash is a pile of crap yet again?

          This.

          And you could accuse prehistoric BASIC interpreters of many failings, but AFAIK they didn't have bugs at such a basic level (heap management).

          (Now somebody's going to drag out a list of bugs.)

        2. diodesign (Written by Reg staff) Silver badge

          Re: Re: Have we just proven that Flash is a pile of crap yet again?

          "expose such internal structures to do its job?"

          They don't. But they all use memory: they use memory to store variables. Variables store information for the running Flash script file. When you're using variables, you're using memory. If you abuse variables by exploiting one of the hidden design flaws in Flash you can change parts of memory that don't contain script variables but do contain information crucial to the operation of Flash. This allows you to change the way Flash works, which eventually leads to the plugin running malicious code.

          Flash doesn't expose its non-variable data to the ActionScript programmer. But it has hidden design flaws that people can find and exploit to access non-variable data, and change the way Flash works.

          C.

          1. Dan 55 Silver badge

            Re: Have we just proven that Flash is a pile of crap yet again?

            But why are we talking about a scripting language having problems allocating and deallocating space for values as if it were something normal? Designing a scripting language is a solved problem and any bugs should have been fixed in one which is 10 years old.

            The fix is not a proper fix either, which is another sign that the memory handling in Flash is beyond repair.

      2. JP19

        Re: Have we just proven that Flash is a pile of crap yet again?

        "There's a missing bounds check on the buffer," = "Pile of crap yet again".

    2. Warm Braw

      Re: Have we just proven that Flash is a pile of crap yet again?

      >It's a scripting language

      I think the problem is less with the scripting language implementation than with the idea of a plug-in used almost exclusively for displaying video having a complex runtime environment at all. The best mitigation would be for Adobe to produce a version of the plug-in that only renders video - that would be a vast security improvement for most actual use cases. Of course, it would be the death of Adobe's cross-platform interactive media ambitions, but they've pretty much managed to nail themselves into their own coffin already (though unfortunately it's so full of holes, they're still able to breathe...).

  2. This post has been deleted by its author

    1. Voland's right hand Silver badge

      Why jest?

      That is not far off :)

  3. Tony Haines

    "Flash can detect this and crash before a vulnerability is exploited."

    Did you mean halt - or is the only way to stop a flash script to run it into the buffers?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Halt or crash

      "Did you mean halt"

      I honestly haven't had a chance to check. I expect the plugin to hit exit() as soon as it detects an inconsistency in its memory. It cannot remain running – another thread could be running shellcode.

      C.

  4. John Sanders
    Holmes

    Adobe had a chance to fix flash and take over the world.

    That chance was open-sourcing the interpreter, or at the very least publishing the spec.

    If you want something to become universal on the Internet, it has to be based on an open standard.

    Had it been the case Flash would have been fixed a billion years ago, or at the very least it would have been made fast.

    1. Tony Haines

      Re: Adobe had a chance to fix flash and take over the world.

      You mean like this spec here?

      http://www.adobe.com/content/dam/Adobe/en/devnet/actionscript/articles/avm2overview.pdf

      (note - you'll need to merge the lines to get a functioning URL)

  5. Anonymous Coward
    Anonymous Coward

    The code was probably written by Microsucks

    They have maximum experience with writing insecure code.

  6. Duncan Macdonald

    Too complex

    The biggest problem with Flash is its complexity - which makes bugs inevitable. A cut down version of Flash Player that could only play videos with no scripting ability would meet over 90% of user requirements and be far less likely to contain as many bugs.

    1. Tannin

      Re: Too complex

      "A cut down version ... that could only play videos with no scripting ability would meet over 90% of user requirements."

      Well yes, but I reckon you could safely say somewhere around 98-99%.

      If you set aside Flash video playing and consider only the scripted stuff, on my (wild!) guess, it would account for some pitifully tiny share of the market and be dwarfed by even dead things like Silverlight.

      Disclaimer: I am deliberately excluding areas of zero possible interest to the intelligent person, such as on-line games. They can have some other thing, with some suitably trendy name such as MutantSonOfFlash, based on the same lousy code as the existing Flash, and installed only by those who want it - i.e., practically no-one we care much about. Meanwhile, Flash can just play videos. Surely they could get that right. Couldn't they? Er ...

  7. s. pam Silver badge
    Childcatcher

    You cannot make a Turd, White....and Adobe needs to delete the App!!

    To: Adobe Execs

    Subject: Flash needs to be eradicated

    Dear Execs,

    All of us in the InfoSec circles, our 80++ year old parents know it, why don't you?

    Adobe Flash is one giant, sucking black hole of back doors and must die.

    Signed,

    The users of machines expecting a modicum of security.

  8. Bob Dole (tm)
    Holmes

    Adobe can't...

    >> the fact that Adobe can't find every bug in its source code

    Helpful Bug Finder Subroutine for Programmers working at Adobe:

    1. Open your favorite programming code editing tool

    2. Start at Line 1.

    3. It is a bug. Delete said line.

    4. If there are lines of code remaining, go to Step 2.

    Once you have completed this subroutine you will have purged your application of all bugs and the world will be forever grateful.

  9. illiad

    flash is used by VERY BIG companies...

    Most of UK websites use it - BBC, most UK newspapers... even some US news websites... Cnet does not need flash on some, but Firefox seems to need it... ??

    1. asdf

      Re: flash is used by VERY BIG companies...

      You would be surprised how functional the internet is without flash (actually more so), especially now that youtube doesn't require it. You should try it.

      1. jonathanb Silver badge

        Re: flash is used by VERY BIG companies...

        Try for example using an iPad, which doesn't support flash. Very few sites these days fail due to lack of Flash support.

        1. illiad

          Re: flash is used by VERY BIG companies...

          OK, so how do you do that on a PC??

      2. Vic

        Re: flash is used by VERY BIG companies...

        You would be surprised how functional the internet is without flash

        I find large chunks of pages fail to render, telling me that I need Flash installed.

        Said chunks are invariably towards the edges of the page, and their absence doesn't seem to detract from the content I've gone there to find. I can't imagine what's in them...

        Vic.

        1. illiad

          Re: flash is used by VERY BIG companies...

          "I find large chunks of pages fail to render"

          yes, flash is used to make pages look 'fancy' and also to do things like join pages together..

  10. Anonymous Coward
    Anonymous Coward

    Should have done this a decade ago

    Back when flash was still a thing. But with first Apple, then Android, now Firefox all dropping flash, and many of us personally dropping it (or mostly dropping it via Flashblock) it is too little too late by a long shot.

    This is like fixing the barn door after the horse bolted and died of old age.

  11. asdf

    nothing but turd polishing

    The fact remains if you have flash on a computer connected to the internet, it's automatically insecure just like it always has been and always will be. Classic case of "nuke it from orbit. It's the only way to be sure." Otherwise you're just polishing turds.

  12. Tubz Silver badge

    To fix Flash, click uninstall !

  13. Anonymous Coward
    Anonymous Coward

    And now the miscreants are exploiting Flash's reputation for bugs...

    I just had my browser pop up an alert that Flash is out of date and needs to be updated, and resignedly clicked on the button to start the download. Then two things occurred to me: 1) I thought I had already updated it in the past couple of days, and 2) that wasn't actually the same text that I recalled from previous alerts. I checked the Downloads directory, and sure enough, the file had a different name from Adobe's usual habits, and the URL associated with the file wasn't Adobe. Haha, no.

    If I hadn't already had to update the goddamned thing twice this week, I probably wouldn't have fallen for the driveby download attempt...

    (I'm sure this isn't new, of course, but it's the first time I've seen it; and it's certainly well-timed.)

    1. illiad

      Re: And now the miscreants are exploiting Flash's reputation for bugs...

      no problem, they ARE updating it almost every day!!
