Buggy Flash code continues to plague the web

More than three months after researchers documented serious vulnerabilities in Flash content that left tens of thousands of sites wide open to attack, few webmasters have bothered to remove the buggy files, a security expert from Google said. That means that an untold number of sites - many of them used for banking, ecommerce …

COMMENTS

This topic is closed for new posts.
  1. Leo Davidson

    People can't fix what hasn't been explained

    I remember when this story broke a little while ago and all we got was a very vague article saying that some Flash content was somehow vulnerable, but no further details. It wasn't clear whether the person who wrote the report had actually released any details or wanted people to pay for his book (or whatever it was) to find out, or whether the details were out there but not reported in the article. Lots of people asked for more information, as I remember...

    This article still tells us nothing, except that some Flash content may have some kind of vulnerability, maybe related to sites with login details or something... It's not really surprising that there are still vulnerable Flash files on the net given the problem has not really been explained (at least not here), and nor have the solutions. (Can existing Flash files be patched? Do they have to be re-made from scratch? What's the deal?)

  2. Robert E A Harvey

    Good commercial practice

    "the third parties frequently say they no longer have copies of the old content,"

    Really? What sort of contracts do Banks write with their suppliers? If they contain no commitment to maintenance, then they deserve to pay again. I hope the replacements are properly archived.

    When I ran a business we had to keep records for between 6 & 10 years. Certainly for anything that looked like a business claim or proposal.

  3. Tom Chiverton
    Boffin

    Whats up

    Leo: http://www.theregister.co.uk/2008/01/02/buggy_flash_fix/

    "Flash files produced by Adobe DreamWeaver contain a "skinName" parameter that can be exploited to force victims to load arbitrary URLs that include the "asfunction" protocol handler. SWF files generated with Adobe Acrobat Connect don't properly validate the "baseurl" parameter, allowing script injection. "

    So yes, it's a recompile job. Assuming you have the source to that binary the contractor delivered.
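
For operators who cannot recompile right away, one way to find requests that pass suspicious values in the two parameters named in the quote above. This is an added example, not part of the comment or the article; the access-log format, paths, hosts and the rule that a legitimate value is a plain relative name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

WATCHED = {"skinname", "baseurl"}   # parameter names quoted in the comment above
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]*:", re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so a double-encoded handler is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return a reason if the value is not a plain relative name, else None."""
    v = fully_decode(value)
    if "asfunction:" in v.lower():
        return "asfunction handler"
    if SCHEME.match(v) or v.lstrip().startswith("//"):
        return "absolute or scheme URL"
    return None

def flag_swf_requests(log_lines):
    """Return (path, parameter, reason) for each suspicious SWF request."""
    findings = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.lower().endswith(".swf"):
            continue
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            reason = classify(value) if name.lower() in WATCHED else None
            if reason:
                findings.append((target.path, name, reason))
    return findings

# Constructed sample access-log lines (not taken from the article or any real site).
SAMPLE = [
    '203.0.113.5 - - [02/Apr/2008:10:00:01 +0000] "GET /media/player.swf?skinName=Clear_Skin_3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Apr/2008:10:00:07 +0000] "GET /media/player.swf?skinName=asfunction%3Aplaceholder HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Apr/2008:10:00:09 +0000] "GET /connect/meeting.swf?baseurl=http%3A%2F%2Fother.example.test%2F HTTP/1.1" 200 9001',
    '203.0.113.9 - - [02/Apr/2008:10:00:12 +0000] "GET /media/player.swf?skinName=%2561sfunction%253Aplaceholder HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Apr/2008:10:00:15 +0000] "GET /index.html?baseurl=http%3A%2F%2Fother.example.test%2F HTTP/1.1" 200 300',
]
```

Hits from a check like this show which hosted SWF files are being probed and so which ones to pull or rebuild first; the recompile described in the comment remains the fix.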

  4. Aquilus

    Backwards?

    So... rather than fix whatever component browsers are using to render and execute this buggy Flash, the solution put forward appears instead to be to fix all the authoring tools so they can no longer produce it? Am I missing something, or is this logic sorta... backwards? Can't they just fix the Flash renderer so it doesn't load arbitrary URLs?

  5. cormski
    Flame

    pay peanuts, get gremlins...

    Speaking from hard earned experience - a fairly substantial problem for many of these organisations is that they simply don't have in-house expertise, and often therefore, given the creative nature of Flash and its visual appeal and impact, the work is outsourced to PR and design agencies - with whom they may or may not have an explicit contract (which, in any case, is unlikely to include software service and maintenance clauses).

    Many of these PR and design agencies also frequently have no in-house development and scripting expertise, they just know how to make it look good for lots of money, which they do, before indenturing some freelance-bedroom-enthusiast-scriptkiddy to code it into life.

    These agencies offer little in the way of financial reward, and then proceed to keep changing the pixel-perfect but functionally inept brief, whilst refusing to increase the incentive, as it becomes clear that what they originally scoped isn't actually practical, or doesn't ultimately float the end-client's boat when they finally get to see it in action.

    And so, as soon as humanly possible, the scriptkiddy delivers the job, waits several months to be paid their pittance and then refuses to take any further jobs from the soul-rapists.

    Sure - it's the scriptkiddy's fault - after all, they should have known all about project management and proper development methodology and how to deal with scope-creep, and that the world is full of prowling nonces just waiting to screw them when all they really wanted to do was earn a little extra cash - c'est la vie! - after that they have no moral obligation to give a damn.

  6. Leo Davidson

    Thanks Tom

    Thanks Tom, I missed that follow-up when it came out.

    As I understand it then, old Flash files hosted on sites that don't use login details or sessions are a non-issue?

  7. Pierre
    Pirate

    That's what happens

    When fancyness and low-cost is rated higher than security. Ditch Flash, ditch JavaScript, don't jump aboard the SilverLight bandwagon.

    Remember when the intarwub was mostly populated with html-wrapped text? I say, these were the good old days. Maybe it's not too late. Maybe we can get back to the good old ASCII-art pr0n. All we need to do is to join a 1337 VX 733|\/| and help develop and spread "sanitizers". Harrrr!

  8. Jerry
    Go

    Slash Flash

    I've been plagued for years by bad flash apps. Usually pretentious and/or annoying, but almost always buggy.

    Flash just isn't stable. Even without vulnerabilities it has memory leaks, and resource leaks that cause the flash player to crash after a few minutes to a few hours.

    Mix that with the usual Godawful programming and you get your web browser zooming up to 100% CPU because of some crappy ad that the site you visit has inserted/had inserted.

    The solution - at least for firefox users - is the wonderful flash blocker FlashBlock (natch). Now I get nice neat rectangles where otherwise there would be some annoyingly animated ad zooming across the screen to block what I am reading. In the event I actually want to see the flash I simply click on the placeholder and voila! Technicolor excrescence to meet my heart's last desire.

  9. Pierre

    plug-in advice @ Jerry

    No Firefox/IceWeasel/wuteva plugin beats w3m. Nuf said.

  10. jubtastic1
    Stop

    re: backwards

    Agreed, the flash plugin needs fixing not the content, otherwise malcontents will be torrenting old copies of dreamweaver to create more vulnerable content.

  11. Martin Budden Silver badge
    Unhappy

    Why are they using Flash for banking at all?

    Good HTML should be all they use. Period.

  12. Anonymous Coward
    Flame

    Flash? Gash, more like!

    Businesses who use this kind of bobbins on commercial sites should be left to die in a ditch.

    (Looks pointedly at Honda UK).

  13. Laurent Leconte
    Pirate

    @Aquilus & jubtastic

    The broken Flash allows for XSS exploits (quote from original article: "Vulnerable content opens websites up to cross-site scripting (XSS) exploits that allow an attacker to perform any action available to a user of the targeted website"). So yeah, a spam pusher or Russian mobster could put the flash on his website and steal the personal info you were about to submit... on his website.

    The point here is that the vulnerable websites are corporate ones : banks, e-commerce, etc. When you run a website, and there's a vulnerability caused by something you (or most likely that chick from marketing who likes to download flash tutorials from the net to make purty blinking ads) put on one of your pages, you don't say "my customers should install the latest version of Adobe Flash Player, or even better switch to Links". You damn well go and fix it.

    The reason is, you can't trust your users. You can't trust Grandma Jane who wants to buy a tricycle on-line for her grandson's birthday to have the latest version of IE/FF/whatever with all the plug-ins and the relevant Windows service pack.

    The onus of making sure a user's input can't break your website, and that your website doesn't break the user's PC, is yours. If that means changing your pretty code so that it doesn't conflict with a buggy browser version, then so be it. Incidentally, this is why most commercial websites, at least those not done in Flash, use all sorts of ugly CSS tricks to work with the standards and with IE.

    This is also why you should never ever trust user input, even "validated" by Javascript, and always run server-side checks.

    Rant over.

  14. Ralph B
    IT Angle

    Only Good Flash is No Flash

    I'm with Martin Budden here. What is Flash ever good for except bling and dumb games? It slows downloads, buggers search and screws the disabled. Dump it.

  15. paul
    Linux

    No flash for me. Is gnash at risk?

    I run linux on a PPC chip.

    Adobe don't release flash for my system so I use the open source gnash. I wonder if this is at risk too?

    I hate flash, anything proprietary I don't really consider the internet.

  16. Anonymous Coward
    Flame

    Wah! This porridge is too hot!

    As someone who produces flash business applications every day with success, I have to add...

    Oh boo-hoo, you big fucking babies.

  17. Anonymous Coward
    Anonymous Coward

    Re: Backwards

    It is all very well saying to fix the Flash renderer, but what's to stop people using the old versions that aren't fixed? Your site would still be vulnerable. All the holes need to be plugged.

  18. Paul

    @Myro Stadler

    "As someone who produces flash business applications every day with success"

    Define "success" please. Is your goal to produce something that is functional, usable by everyone and secure, or are you and your clients happy with "ooo, lookit the shiny stuff" at the expense of everything else?

    If you answered yes to the first of those, fair play to you for making the effort, but can you *really* trust that your hard work isn't compromised by something like this vulnerability, which is largely out of your control?

    Flash is perfectly OK for games and animations. Used *right* it's tolerable for brochureware type sites, but sadly, it's seldom used right (I firmly believe that all web designers should be forced, one day per week, to use a slower PC with one smallish monitor, and a heavily throttled internet connection, to remind them of what most normal users of their sites will be experiencing).

    Flash has no fucking business whatsoever being used for security critical applications, as this issue proves beyond doubt.

  19. Anonymous Coward
    Anonymous Coward

    @ the porridge is too hot

    Not too hot, but too cold, tastes bad and sticks to the tongue.

    Flash on webpage is annoying and useless. You flash developers will burn in hell, together with spammers, scammers and botnet herders, you know that?

  20. Anonymous Coward
    Coat

    Hooooowee!

    "You flash developers will burn in hell, together with spammers, scammers and botnet herders, you know that?"

    That flame icon really works! Must remember to tell the pope.

    Mine's got the teary kleenex in the pocket mate...
