Disable/enable Flash in one click
Here is an easy way to disable/enable the Flash player in just one click:
Researchers from Google and a well-known security firm have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors. The security bugs reside in Flash applets, the ubiquitous building blocks for movies and graphics …
This sounds no different from phishing, just a little more automated.
Seriously, are people still stupid enough to click on a 'malicious link' in hopes of visiting their banking site ?
In addition, how could this really be called a 'flash' vulnerability? Just like any other web programming, shouldn't the person authoring the flash aught to actually validate the parameters? 'Never trust the input' is a good mantra.
Of course, I am only making major assumptions given this tiny snippet of information, since of course the critical details can only be obtained by buying the book.
Well, the authors now have a nice little money spinner with this nicely crafted fear campaign.
This is, in my opinion, the result of two glaringly obvious design flaws.
1. According to the article, a cross-site scripting "attack" can inject variables into a Flash object. If this is true, it's because variables can be set in the HTML code or as part of the request. This is a huge security problem in and of itself. When you create a program (applet, application, whatever) you design it (or at least should design it) so that it is a closed system except for an input parameter string, and your program should parse and process the parameter string. You should not process the parameter string without validating the input, and you most certainly should not allow variables to be set from outside the program.
2. This is the big one. From the beginning of the browsers (at least as far as I am aware), browsers have been stupid about sessions. Browsers assume that from the moment the browser is opened to the moment the browser is closed, any visit to a website is the same session, no matter which window or tab is making the request. This is, in my opinion, another huge security problem. This is the reason cross-site scripting works -- because browsers are stupid about sessions. A session should be a single window/tab, and any children of that window/tab (so a session can contain multiple windows/tabs, but only ones spawned by the original).
Let's say I open two Firefox windows. I go to my online banking site in one window and pay some bills. Keeping that first window open, or closing it (without using my bank's proper logout procedure), I then go to exploitmenow.com in the second window. Because the browser executable has not been closed, the browser treats this as the same session as the first window. There is no reason for that second window to be able to access my banking session details or be treated as the same session. But if, in that second window, I then go to my online banking site, I'll go right in without authenticating because it's treated as part of the same session as the first window.
Now, I understand there are issues with separating sessions. And I understand PHP sessions are probably treated the same (or similar). But it still doesn't make it right. In order to secure our browsers, we first need to secure our sessions. And the way to do that is to treat every window/tab (except for children) as individual sessions.
Additionally, one window/tab should not be able to access the content of another window/tab unless it has a parent/child/sibling relationship.
Lastly, a "pet peeve" of mine. In recent months, it seems that the editorial staff (if there is any) at El Reg have quit proofreading the articles. Articles are released with multiple spelling and grammar errors, and I'm not talking about UK English vs US English; I'm talking about missing/added words and missing/added letters. I'm not singling out this article, because it seems to be a regular occurrence now. This article was just the "final straw" due to the number of errors I noticed upon a quick reading (3 errors -- "tens of thousands websites", "vulnerabile", and "completeley"). I know that content is typically considered more important than presentation, but it makes it more difficult to read, not to mention it just looks bad.
There is too much fancy content when HTML table would look just as good and work much better and more securely on dialup & Mobile Internet Modems.
I recently installed FlashBlock on Firefox as some sites are now impossible to concentrate on the text with all the Flash Animation.
There is far too much animated content. You can only view ONE animation/video at a time.
I make a point of deleting flash whenever it appears. It would be nice if it would stay deleted. IE is used for development testing and windows updates, never for anything else. Firefox is used for browsing, again without Flash.
Nice to know I got something "right" even if my purpose was completely different! I got fed up with too many sites putting too many animations on their pages and them proving to be a distraction to the content in which I was interested.
Marketing people please note, I use the web for MY purposes, not yours. It is MY computer, not yours and it is MY broadband connection, not yours. I may read static adverts, only ones I see now, I may even click the odd one, but flash is staying away. Life is so much more peaceful without it !
Just as an in passing, I had thought that "vulnerabile" was a deliberate to describe some sort of very unpleasant attack of the lets-all-be-scared-monster.
Seriously, active content has always had problems with people exploiting it for actions that were not intended by the script authors. The whole idea was not thought through as a secure system, it was developed as a that-would-look-great-gee-whizz vision. It may well be technically feasible to do all sorts of things, but is it wise to try?
As an ordinary punter looking at web sites, I am so less than impressed by things that move and do things inside my browser that I routinely turn them all off (Firefox with NoScript, Adblock or Adblock Plus, etc) unless I really cannot manage without. Lets go back to HTML3, no active content, and start all over again. Getting it right this time!
[And please can I have an icon with steam coming out of my ears!]
As a Flash author, I feel that advertisers have given honest developers and designers everywhere a bad rap! We don't set out to intentionally annoy the hell out of visitors. Quite the opposite. At least for me, one of the initial reasons I got into Flash was for that fancy wow factor - back in Flash 4. Over time, I've taken much more of a function over form approach. That is to say most, if not all of my flash work these days involves less and less animation. I should point out that most of my work is also targeted at the user's desktop and not web browsers.
Even so, it's quite dispiriting reading these comments and discovering so many of you indiscriminately blocking all flash content because of content like the annoying animated adverts, when there is a veritable plethora of fine flash efforts that don't shout and scream at you.
Stop this Flash-bashing forthwith.
I think you will fnd that the brilliant Giorgio Maone has the issue of cross-site scripting vulnerabilities more than adequately covered with his Noscript extension for Firefox.
If for some reason this particular issue is not covered then you can bet your bottom dollar that before you can say 'Flash', the Itallion Stallion will have banged out an update for his masterwork.
Maybe Flash is the web equivalent of Powerpoint. If it looks pretty then that's all you know and all you need to know. Never mind the quality and all that. It's not there for yer average Reg reader, it's there for the rest of the punters.
But it's also there for serious reasons - bringing informative and sensitive information to us. http://www.weebls-stuff.com/wab/CSI/ for example.
Yes, it's a nuisance if there isn't a 'skip intro' available but for animation it's been superb. Might just need a wee bit of tidying up, is all.
It would be nice if Reg contributors were limited to those who explain what's going on. We seem to be having to piece together what this threat actually is. It would appear it is actually several code generators that are at fault rather than Flash, but it's not by any means explained. Journalists should seek out the facts and not just repeat hearsay.
Along with Java Applets, Flash has always been seen as a security risk. Most secure operations block them on the firewall.
Personally I do use flash for streaming media, but it should never be integral to a site.
This is why having something like ogg vorbis becoming the standard multimedia delivery format is important. Most developers want something that turns the static web into something more akin to a functional networked program, and we need that to be an open format, primarily for security. Java whilst I think it may have become more open, still has a remit that is too far reaching, and it rides over browser security, it can only be used really in intranets.
"Don't read TheReg then...
Content is far more important than the quality of the grammar, you managed to ascertain what was going on from the article, didn't you?"
^^ Wonderful - if it's broke, why fix it? Sounds like a lot of programmers I know...
You can apply this to the article too - if flash is so awful, why use the internet?
Chris C writes, about halfway up the scroll:
"...This article was just the "final straw" due to the number of errors I noticed upon a quick reading (3 errors -- "tens of thousands websites", "vulnerabile"...)..."
I think that may have been deliberate -- perhaps to slyly define another company's/consultant's effort to create a phony "vulnerability" scare in order to sell books and/or software...
As in, "...this Phlash Phishing scare is just a big load of vulnerabile..."
Um, yeah; mine's the black trench...
Michael, you sort of have a point. Hindsight is 20/20. And FireFox certainly has its fair share of security vulnerabilities.
But... The more software you apply to solve something, the more holes you invite. Flash, for many of us, is not bringing anything useful to the table. It makes little sense for us to allow it to run, adding to the amount of software that needs to be kept updated because 'shIT happens'. Users are tricked into expanding the exploitable surface because... We need ads with moving pictures?
I will even go one further: Some people use personal firewalls and antivirus packages for protection. IMO they are increasing the amount of software that runs for no real clear gain. Some folks think such software make them invulnerable, hence activate attachments and surf like never before, not thinking for a minute that they're still _very_ vulnerable to new threats launched after they previously updated their signature file.
To me, AV products look like the perfect scam. There are packages that will apply heuristics as to avoid future threats, but such an approach has an obvious flawed business model compared to the traditional subscription based tools... :P
As for flash... In my previous job I helped develop a realtime stock information system. Our biggest threat was poorly designed ad flash applets that stole the user's CPU, leaving us with naught. DOS anyone? Our users sure thought so. :(
I'm a professional web developer. I've used many different technologies (including flash). ALL have potential security risks in the hands of a bad programmer. As has been stated earlier, it's a question of acknowledging these risks, and reducing them as much as possible.
What concerns me, is this particular Flash issue, where it occurs, and how we can take steps to fix it.
I understand that many people here would like flash to disappear tomorrow, but that's not going to happen. My employers and clients have invested too much time and money to drop it. I don't think they will be alone.
So far, the details are a bit sketchy. This may be in a bid to make us buy the book. However, I'd appreciate it if someone with detailed knowledge of the problem could help answer the questions below:
First of all, we need to establish if the issue relates to flash applications that handle secure data, or if just having a swf open when at the same time as a secure website can make the data vulnerable.
If the former, then it just affects flash developers. If the latter, then ALL websites should be concerned.
The vast majority of SWFs are compiled using the Flash Authoring tool or Flex. Neither of these have been mentioned as causing the issue. If that's the case, then this issue is going to affect relatively few SWFs. Going back to the first point, if the issue is only with SWFs that handle sensitive data, then this problem is even smaller, as it's unlikely that anyone would use the other tools (like DW or Connect) to build such applications.
Finally, developer's have been aware of cross-site scripting attacks for years. What makes Flash more vulnerable than any other technology?
"My employers and clients have invested too much time and money to drop it."
Utter nonsense. It wasn't an investment, it was a complete and total waste of money.
Caused, no doubt, by web designers who were ten times more competent at persuading them to pay for something they needed than they were at designing good web sites.
There are appropriate places for flash, but for the most part, its not appropriate for most web sites. And its especially inappropriate for adverts, because the first thing that advert haters block is flash.
With web sites, there's far too much "lets change it just for the sake of it" even when what was there before worked perfectly well.
Nobody likes change. Ask any supermarket buyer -- the thing they MOST hate about their local supermarket is that the products aren't on the same shelves as they were last week. And that's exactly what web designers are forcing on their customers by redesigning sites unnecessarily, unnecessarily replacing simple HTML menus by flash objects that can't be rendered with flash disabled (and which violate the disability discrimination act because flash objects are disabled-unfriendly).
Its time web designers studied the google home page. No trash, and it works perfectly well without flash.
How would we waste so much time on YouTube with no Flash? Or see how far we could throw penguins, virtual paper airplanes, microwave hamsters, understand Badger Badger Badger, Tigers in Kenya, liquidize frogs.
Infact what a lot of people here are inadvertaintly advocating, is WORK!
Here's to a bit more Flash
Flash is not the issue. Phishing is. The solutions are to continue to combat phishing and to educate people as to how to detect phishing and how to avoid being suckered in by it. This issue impacts ALL websites, not just ones with Flash. Being a web developer/designer, I resent the slant that this article is written in... anyone who lacks the facts and jumps to conclusions would think that Adobe/Flash are the root of the problem when that is simply not the case.
And to all the users who are bashing Flash (and blocking it), all you have to do is take 15 minutes and browse through the websites at www.thefwa.com and you'll see what you're missing. Just about every major corporation has built a full blown (and beautifully designed and executed, mind you) Flash website that blows away any html based site.
KJG's little rant goes to the heart of exactly why I hate web developers/designers etc. I agree that flash is not the root of the online security problem, but from what can be picked up from here, it is definitely part of it. XSS attacks aren't just simple phishing attacks that can be avoided by watching the location bar in IE or firefox. They can't be avoided by keeping to reputable websites. They mostly can't be firewalled out at layer 2, 3 or 4 (unless you refuse to route china, russia and the USA, which would offer slight protection). The only way XSS attacks can be prevented is if the web developers, browser developers and plugin developers have a clue about what XSS is, and code against it. For a webdev to come in here and point the finger at phishing and end-users shows that the said webdev is much more of a security problem than any of the tools he or she chooses to use.
As to SWF's merit as an artistic medium? Well, do whatever gets you paid. Personally, I choose not to frequent any site whose user experience begins with
The implementation of the program (FLASH) has been wrong from the beginning if you think of it. The company (Adobe) had set the default settings of FLASH to ALLOW applets to set data on users' disks (lots of space!!) and the use of cameras and microphones without telling the users before. Then, and only if you knew it, you could set the security to prevent all this but the settings were set throught the company website with perhaps more data snooping?? I cannot see any reason why the setings had to be made on Adobe's web site instead on a person's computer unless they want to know who is etting what and when.
For this reason I have, as many have done, blocked Flash content and I am now removing it completely. NO MORE "PROGRAM CALLING HOME".
In one post before a developer was complaining about users being against Flash content but he has not understood that putting a heavy flash object is already annoying to a fast ADSL connection and impossible for anyone with a dialup, leave alone if you connect through your cell phone and pay by the kilobyte.
So if companies would use it more sparingly and only when needed and if security was tighter and better used and if the companies that make these programs were not so utterly ignorant with the users perhaps we would use it again.....but maybe it's too late.
I didnt state myself too clearly. Perhaps brevity came to bite me. Or, didnt you notice the quotes around "right". Didn't this highlight something to you?
I dont use flash because I am sick to the back teeth of adverts leaping around the place as a visual distraction to the content I wish to see.
The fact that this had an unknown side effect of protecting me from some bug I knew nothing about was something I found worthy of note. A spot of serendipity no less. Nothing to do with hindsight.
I have always considered the provision of facilities to execute code on a users machine to be bad. I accept that controlling the users machine can be extremely useful, and in many circumstances perfectly acceptable. However, a few nits demonstrated the view I had and so java became disabled. Though, java is now re enabled once I had time to read through the documentation and determine that it was no real threat.
I have tried to look into buying particular products, to be thwarted by my lack of flash. Sad really, that companies do not have html sites, still, there are other sites publishing the information I sought, perhaps I shall buy that Volvo after all.
I dont use YouTube, I dont care what the BBC promote. I can live without these things, and do, I dont watch TV either, I am blissfully unaware of <fill in your soap here>.
It is nice to understand that flash isnt going to go away because of the investment by advertisers. Advertisers have never done anything to promote any technology. The real driver of technology is, and always has been, the porn industry. So, Mr advertiser, do all you desire, I shall never see your creations, your return in investment from my perspective is zero. With a zero return, you will run out of money and then you will have to go away. The .com bubble was filled with your acolytes and the NASDAQ is still worth less than 50% of its 2000 value.
Nice one Michael, said it better than I could have.
Flash can make quite innovative adverts. The only type that annoy me are those that jump on top of the text content.
All others are fine and being a highly advanced human (well at least smart enough to say, dress myself), I am perfectly capable of reading text content even with pictures on a page moving or not. If you are not capable of doing that then I worry for your own capacity.
El Reg etc require the funds from Ads. Guess what, people DO click them! I'm sure you think that it's just idiots but take a look around you. My guess is you have plenty of crap you don't need that you bought from somewhere.
This is what happens, I guess, when one company controls a very widely used piece of software. We've already seen numerous vulnerabilities in PDFs, so this should have been expected. Adobe might be forced into open-sourcing Flash so it can be thoroughly tested and get patched in a timely manner. Security updates "in a few weeks" is not good enough in this case.
Finally, criticising Flash for being responsible for over the top, waste of time animations is wrong! It is the designers, those who use Flash, who create these issues. Just as there are many examples of poor implementation, there are many examples of how Flash makes using the internet a more streamlined, enjoyable experience.
It is a pity this article seems to have focused on Flash and then brought out lots of out dated criticisms, losing focus on what would actually have been useful i.e. what the actual security issue is! What is the issue that makes already published .swf files vulnerable? Surely this is an issue where a .swf file has been produced specifically for these nefarious purposes and then triggers the trouble. I guess we have to wait and see.
Anyway - Merry Christmas!
I really would like to hear details of the 'vulnerability' just so I can begin checking our code and performing an assessment of wether or not this is a credible and realistic threat to the security of our customers.
In the past, many vulnerabilities have been reported on the Flash player, but most of them follow a similar kind of theme - the rogue SWF file must be created with third party authoring tools, and or modified in a hex editor, in order to put the malicious code in there to begin with. In addition, due to the security sandbox and crossdomain restrictions, it needs to be downloaded from your site anyway. So, its perfectly possible for a SWF to wreak havoc on a user's machine, the only caveat is that someone within a company, with access to the web servers and source code, would need to have created it in the first place - something I'm sure is indicative of a larger problem!
Oddly, most non Flash/web developers tend not to see it that way - I have a beautiful MP3 of a conversation I had with one of our 'Security' people who just consistently ranted on about undisclosed vulnerabilities as a reason not to use Flash in a project.
In my years of working with the web and the Flash platform, I have not yet seen a single workable exploit that could present a credible threat to the majority of Flash user's on the web, not without the user or the site already being compromised in some manner.
The only somewhat grey area is where Flash is used for online advertising, but you will find that most of the main publishers out there are aware of this and perform some level of code review on ads before they go live - I work for a bank and we don't run any 3rd party adverts without seeing the sourcecode and decompiling any SWF assets provided.
Really guys, the Flash platform isn't the cloud of evil you are making it out to be. Granted, it has been used for some really annoying things in the past, but used right, it can really help to deliver a friendly, usable and engaging user experience. In addition, in Adobe's hands we have seen it become more open than ever before - Flex, AMF, Tamarin, all released as open source in the past year. I'd be surprised if this trend does not continue.
To the anonymous coward who commented on my "rant" - I absolutely know what XSS is and the risks surrounding it. It doesn't take a rocket scientist to develop a website, with or without flash, to avoid these risks. It's the developers that are maliciously embedding this type of scripting within their websites and yes, the uneducated users who are clicking on unreliable and risky links and kicking off programs they should know better not to run. And I'm sorry that you don't frequent sites with .swf files due to the preloaders... you should think about getting off of dial up.
Thanks for the info re flashblock - works great, if I want to remind myself how bad a page looked before I can click the fb button then reload it.
I will assuage my guilt about not watching net adverts by concentrating studiously on TV adverts, I may even take notes, as I am sure all those who write annoying flash adverts do, out of a sense of duty.
I hope the advertising industry is able to continue in its proud tradition of increasing the price of goods while adding nothing to their value. I'm sure we'd all hate to see this disrupted.
using Dreamweaver to create websites which may be used for commercial transactions and may be vulnerable to xss due to the way it generates flash script. Then this article is not for you to worry about. Blocking flash= blocked transactions it's effective but inconvenient if thats how you normally do your banking for example.
Silly developers developing for developers. Heaven's forbid you see that animated pencil, or the animated paper plane in your addy's. Yes, you and I don't like it, but let me check my "reminders" list whom were designing and developing and marketing a "chunk" of the internet for again.
Now, I have a busy day, I have to view 20 videos on youtube, check my myspace, upload some pictures to flickr for my buddies and then go superpoke some "friends". You know. Important stuff that the web isn't' really for ;)
I generally find that sites built with flash are more interested in appearance than usability. On several occasions I've gone to a website, got the Loading... window with a "Skip Intro" button and never gone back. I tend to tag such sites as aimed at the marketing department, whereas the easy-to-navigate ones are aimed more at engineers and people who want to get something done.
To whoever it was in the rant-fest that said that flash is disabled-unfriendly, I believe it will interact with screen readers if done properly.
OK, so I've been a pioneer in the software and artificial intelligence industry for over 30 years, and this article included one sentence that attempted to describe just how this alleged vulnerability works, and I STILL DON'T UNDERSTAND. Tell me how my web page with a little SWF pie chart is presenting a huge vulnerability to hundreds of thousands of users. Does someone have to steer my customers to a different site that LOOKS like mine? Does my SWF have to load content from a THIRD PARTY web site? What the HELL is the vulnerability? You still haven't explained it. Just emotional scare words.
Sad to say, Adobe is overtaking Microsoft as the new "evil doer." I love Flash and have been a proponent of it since it was in beta in 95. However, it has always been prone to the the anti-consumer arrogance of Macromedia Shockwave developers and the cult of the CD interface designer ("developer knows best").
Today, the truth is, Flash is far behind other web technologies in accepting responsibility for opening up its platform. Even the most simple changes would help tremendously.
For example, compare the pathetically small number of user options that appear when you right click a flash object in a browser to the wide number of options you have when right clicking on other web page objects such as images. Flash gives you nothing by comparison - you can't view source code, you can't disable, you can't save -- the list goes on. By comparison, you can't do a damn thing. The RIAA couldn't have done a better job of locking up content.
The evil bottomline: Adobe doesn't trust end users. So why should we trust Adobe? This goes to core brand values in the corporate culture and will affect shareholder equity.
Gave up on it years ago as a web developer, seemed to me that it was mixing the design and development too much and also trying to make a new standard for the web.
Also it is generally underestimated by the same ignorant web designers how many people do not use flash. On so many flash only sites there is no alternative content, which as a linux user running a flash version at least 1.0 behind everyone else, i just don't go back to those sites.
Adobe... please stop, you don't own the internet and flash is not the pancea for a diverse internet.
How about some vulnerability / exploit details? This "wait for the book to come out" attitude is completely and totally irresponsible.
Like it or not, Flash is here to stay (think "I" in "C-I-A"), and as security professionals, it's our job to mitigate the risks while making things available for end users. Sticking our heads in the sand and turning off / blocking Flash might work fine for your personal computer, but it's an unrealistic expectation for most corporate environments -- and even for most end-users who WANT it (now there's a concept!).
On the other hand, saying that the Flash sky is falling, then saying that we need to wait until next month and buy a book to find out why, is ridiculous and unprofessional. Would somebody PLEASE publish the details so that we can take action that doesn't involve blocking stuff that people want and -- GASP! -- "need"?
One notable exception to this of course is the use of video to display a product being used or operated for example. Java is perfectly capable of streaming media in such instances, and being OSS is more secure and controllable than the closed proprietary Flash. However, this is again only where it is necessary to display the product in this fashion; most products can sell well enough without it.
The result? Several of our clients who had their sites redeveloped by us (and all the Flash crap removed in the process) have reported significant increases in traffic and sales. People who are online looking to buy something aren't impressed by glitzy presentations: they want product info, availability, after-sales service and prices, in plain simple English, easily searched, and with no bullshit.
For my part, I also use FF+ABP/NS to block Flash content on nearly every site I visit. I have it unblocked specifically for sites that genuinely need it for their functionality, such as YouTube, but that's it. As to the argument about webmasters needing ads to make money, they'll make more by using text-only ads (such as Google AdSense) and not pissing off their visitors with annoying bouncing animations that just get blocked. If they really feel the need to ruin their sites with such crap, they deserve to go bust, and they get no sympathy from me.
Ok, Flash has a problem and those who don't like it jump on it. But your rants aren't mainly about security.
What you dislike is simply the fact that webdesigners use Flash for their own pleasure: they don't realise that the user is most of the time unabled to recognise an animation in Flash or else, because he/she don't care, they should almost realise that, for the user, there's a time, a circumstancy, where Flash or else is OK and otherwise this is not the moment.
Most of you on here trashing Flash, are criticizing the ads and animations. This is akin to trashing every website out there using HTML and browsers because of "pop-up ads".
Sure, they suck...but that doesn't mean all HTML websites viewed in a browser suck...
Sadly, many people have only seen that side of Flash. They haven't seen the web application end of things. Partly because many of those applications are used internally.
Before AJAX became a buzzword, I was writing and using web applications based on Macromedia Flash which included drag'n'drop scheduling, behind the scenes data loading and updating of front end objects. Today, Flash applications and technologies have gone even further.
Check out http://www.buzzword.com/ to see a Flash application. (It's an online Word processor. Mind you, it is in beta.)
Or go google "Quake in Flash", and see Flash Player running Quake....
"And I'm sorry that you don't frequent sites with .swf files due to the preloaders... you should think about getting off of dial up."
Very witty. Unfortunately for your rather small world, there are a shit load of sites out there where the preloader sits around for up to a minute on a multi-megabit connection, best case. If their server's busy you can grow old and die waiting. Try wandering round the auto manufacturer sites, you'll hit a few quite quickly.
I'm sure that in their nice shiny web design offices with Gigabit Ethernet to the desk it all looked OK though and it's so nice to have on the CV........
I'm with the Anon Cow on the "it looks like shit and anyone doing that should have their wossanames removed" side of the fence. This one's been top of my "Wow that sucks" list on visiting a web site for the first time for a good while now.
Biting the hand that feeds IT © 1998–2019