Adobe Flash Player Applications : How secure are they ?

Discussion in 'Computer Support' started by pokhara67, Jul 9, 2007.

  1. pokhara67

    pokhara67 Guest

    a colleague at work suggested he could write a Flash application which
    could compromise a user's hard drive data.

    is this possible ?
     
    pokhara67, Jul 9, 2007
    #1

  2. pokhara67 wrote:
    > a colleague at work suggested he could write a Flash application which
    > could compromise a user's hard drive data.
    >
    > is this possible ?
    >

    Report your colleague to Homeland Security.
     
    Rôgêr, Jul 9, 2007
    #2

  3. pokhara67

    pokhara67 Guest

    On Jul 9, 3:13 pm, Rôgêr <> wrote:
    > pokhara67 wrote:
    > > a colleague at work suggested he could write a Flash application which
    > > could compromise a user's hard drive data.
    > >
    > > is this possible ?
    >
    > Report your colleague to Homeland Security.

    neo-con-nazi

    he didn't say he was going to do it he just said he could.

    **** the Homeland Security.

    I'm not even in the US
     
    pokhara67, Jul 9, 2007
    #3
  4. pokhara67 wrote:
    > On Jul 9, 3:13 pm, Rôgêr <> wrote:
    >
    >>pokhara67 wrote:
    >>
    >>>a colleague at work suggested he could write a Flash application which
    >>>could compromise a user's hard drive data.
    >>>
    >>>is this possible ?
    >>
    >>Report your colleague to Homeland Security.
    >
    > neo-con-nazi
    >
    > he didn't say he was going to do it he just said he could.
    >
    > **** the Homeland Security.
    >
    > I'm not even in the US


    Jeez, I've not been called a Nazi in a long time. You know that's one of
    the standards to judge how far a newsgroup thread has descended. But
    thanks for the fun, please tell all your friends about this group.
     
    Rôgêr, Jul 9, 2007
    #4
  5. pokhara67 wrote:
    > a colleague at work suggested he could write a Flash application which
    > could compromise a user's hard drive data.
    >
    > is this possible ?


    The answer to your question (however intelligent that was) is yes. Flash
    files can be malicious. Hell, I can write a batch file that will do away
    with all your data. Would I be successful? Depends on how stupid you
    are. Would it propagate? Depends on how smart I am.

    You are posting through AOL, which would normally indicate a US address.
    However, I'll grant you, there are stupid people in other countries.
     
    Rôgêr, Jul 9, 2007
    #5
  6. pokhara67

    pokhara67 Guest

    On Jul 9, 4:02 pm, Rôgêr <> wrote:
    > pokhara67 wrote:
    > > a colleague at work suggested he could write a Flash application which
    > > could compromise a user's hard drive data.
    > >
    > > is this possible ?
    >
    > The answer to your question (however intelligent that was) is yes. Flash
    > files can be malicious. Hell, I can write a batch file that will do away
    > with all your data. Would I be successful? Depends on how stupid you
    > are. Would it propagate? Depends on how smart I am.
    >
    > You are posting through AOL, which would normally indicate a US address.
    > However, I'll grant you, there are stupid people in other countries.

    I know any kind of file can be malicious. I can program too.

    The question I should have posed was :

    Is it possible for a Flash Application to load in my browser (Firefox
    on OSX and Linux ) and perform data reads/writes of my disk without my
    consent?

    ps
    AOL in the UK is an excellent and cheap service. 30 dollars per month
    for unlimited usage and no censorship - that I have noticed.

    The only minor annoyance is that they don't have any newsservers.

    Apart from that their ADSL service has never been down once in 4
    months.
     
    pokhara67, Jul 9, 2007
    #6
  7. pokhara67

    Guest

    , Jul 9, 2007
    #7
  8. wrote:
    > pokhara67 <> wrote:
    >
    >>Is it possible for a Flash Application to load in my browser (Firefox
    >>on OSX and Linux ) and perform data reads/writes of my disk without my
    >>consent?
    >
    > Finding a flaw (buffer overflow) like this one
    > http://xforce.iss.net/xforce/xfdb/27601 and having it call Rôgêr's
    > batch file - yea; it's finding that flaw that's the hard part.


    Heh, I like the list of potential platforms affected. They didn't
    mention my Whirlpool microwave though.
     
    Rôgêr, Jul 9, 2007
    #8
  9. pokhara67 wrote:
    > On Jul 9, 4:02 pm, Rôgêr <> wrote:
    >
    >>pokhara67 wrote:
    >>
    >>>a colleague at work suggested he could write a Flash application which
    >>>could compromise a user's hard drive data.
    >>>
    >>>is this possible ?
    >>
    >>The answer to your question (however intelligent that was) is yes. Flash
    >>files can be malicious. Hell, I can write a batch file that will do away
    >>with all your data. Would I be successful? Depends on how stupid you
    >>are. Would it propagate? Depends on how smart I am.
    >>
    >>You are posting through AOL, which would normally indicate a US address.
    >>However, I'll grant you, there are stupid people in other countries.
    >
    > I know any kind of file can be malicious. I can program too.
    >
    > The question I should have posed was :
    >
    > Is it possible for a Flash Application to load in my browser (Firefox
    > on OSX and Linux ) and perform data reads/writes of my disk without my
    > consent?
    >
    > ps
    > AOL in the UK is an excellent and cheap service. 30 dollars per month
    > for unlimited usage and no censorship - that I have noticed.
    >
    > The only minor annoyance is that they don't have any newsservers.
    >
    > Apart from that their ADSL service has never been down once in 4
    > months.


    I hereby humbly apologize for comments I made. You seem to have some
    smarts. But as a side note, you are posting through AOL and Google
    Groups. You are at a double disadvantage going into the conversation,
    but you've shown that you aren't typical. So my apology stands, if
    you're willing to accept it.
     
    Rôgêr, Jul 9, 2007
    #9
  10. pokhara67

    pokhara67 Guest

    On Jul 9, 7:02 pm, Rôgêr <> wrote:
    > pokhara67 wrote:
    > > On Jul 9, 4:02 pm, Rôgêr <> wrote:
    > >
    > >>pokhara67 wrote:
    > >>
    > >>>a colleague at work suggested he could write a Flash application which
    > >>>could compromise a user's hard drive data.
    > >>>
    > >>>is this possible ?
    > >>
    > >>The answer to your question (however intelligent that was) is yes. Flash
    > >>files can be malicious. Hell, I can write a batch file that will do away
    > >>with all your data. Would I be successful? Depends on how stupid you
    > >>are. Would it propagate? Depends on how smart I am.
    > >>
    > >>You are posting through AOL, which would normally indicate a US address.
    > >>However, I'll grant you, there are stupid people in other countries.
    > >
    > > I know any kind of file can be malicious. I can program too.
    > >
    > > The question I should have posed was :
    > >
    > > Is it possible for a Flash Application to load in my browser (Firefox
    > > on OSX and Linux ) and perform data reads/writes of my disk without my
    > > consent?
    > >
    > > ps
    > > AOL in the UK is an excellent and cheap service. 30 dollars per month
    > > for unlimited usage and no censorship - that I have noticed.
    > >
    > > The only minor annoyance is that they don't have any newsservers.
    > >
    > > Apart from that their ADSL service has never been down once in 4
    > > months.
    >
    > I hereby humbly apologize for comments I made. You seem to have some
    > smarts. But as a side note, you are posting through AOL and Google
    > Groups. You are at a double disadvantage going into the conversation,
    > but you've shown that you aren't typical. So my apology stands, if
    > you're willing to accept it.


    no probs. any thoughts on the security or otherwise of embedded flash
    applications ?
     
    pokhara67, Jul 9, 2007
    #10
  11. pokhara67 wrote:

    > no probs. any thoughts on the security or otherwise of embedded flash
    > applications ?


    I will from time to time allow flash events on my machine, as opposed to
    Active X (someone else was asking about its security). But I'd rather
    not have to have things running that can have a mind of their own. You
    have to trust the website author and I'm just not that trusting most of
    the time.
     
    Rôgêr, Jul 9, 2007
    #11
  12. pokhara67

    pokhara67 Guest

    On Jul 9, 11:23 pm, Rôgêr <> wrote:
    > pokhara67 wrote:
    > > no probs. any thoughts on the security or otherwise of embedded flash
    > > applications ?
    >
    > I will from time to time allow flash events on my machine, as opposed to
    > Active X (someone else was asking about its security). But I'd rather
    > not have to have things running that can have a mind of their own. You
    > have to trust the website author and I'm just not that trusting most of
    > the time.

    so what about something like this

    www.sankey-music.com

    it doesn't ask for permission to run it just runs.

    there appears to be nowhere in Firefox to control the behaviour of
    Adobe Flash applications
     
    pokhara67, Jul 10, 2007
    #12
  13. pokhara67

    Guest

    pokhara67 <> wrote:

    >so what about something like this
    >
    >www.sankey-music.com
    >
    >it doesn't ask for permission to run it just runs.
    >
    >there appears to be nowhere in Firefox to control the behaviour of
    >Adobe Flash applications

    Myself I don't care. There are a lot of good SWF files out (your
    robot); and I like to see what's out "there".

    I just keep the flash program updated, along with the other basic
    safeguards.

    If you want to disable flash you can do this within your browser or
    uninstall flash. Firefox - Tools/options/Content/File Types
    You can delete the entry or change how it is treated
    (Opera you can have it do nothing, not Firefox)

    A good practice is to use a HOSTS file, others have found the bad
    sites to an extent and you can add any you don't wish to access.
    http://someonewhocares.org/hosts/hosts - It will also keep you from
    reading all the spam/ads on websites.
    --

    A KKK Nightmare (photo)
    http://www.keithwhite.us/alabamaer.html
     
    , Jul 10, 2007
    #13
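The HOSTS-file suggestion in post #13 can be checked rather than assumed. The following is an added example, not part of the thread: a small Python parser run over a constructed sample hosts file (every hostname is an example.* placeholder, and the function names are this example's own) that reports which names are actually sinkholed. It also shows that a hosts entry matches exact names only, so a subdomain of a listed name is not covered.

```python
import ipaddress

# Constructed sample in hosts-file format; every name is a placeholder.
SAMPLE_HOSTS = """\
# local names that must keep working
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example.com tracker.example.net   # two names, one line
0.0.0.0     flash-ads.example.org
192.0.2.10  intranet.example.com
not-an-ip   broken.example.com
"""

# Names that legitimately point at loopback and are not "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return ({hostname: address}, [line numbers with an invalid address])."""
    entries, bad_lines = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            bad_lines.append(lineno)             # a malformed line blocks nothing
            continue
        for name in fields[1:]:
            entries.setdefault(name.lower(), addr)   # first mapping is kept
    return entries, bad_lines

def is_blocked(entries, hostname):
    """True only if this exact name maps to a loopback or unspecified address."""
    name = hostname.lower().rstrip(".")
    addr = entries.get(name)
    if addr is None or name in LOCAL_NAMES:
        return False
    return addr.is_loopback or addr.is_unspecified

def blocked_hosts(entries):
    """Sorted list of every sinkholed name in the parsed file."""
    return sorted(name for name in entries if is_blocked(entries, name))

if __name__ == "__main__":
    hosts, bad = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_hosts(hosts), "bad lines:", bad)
    print("www.ads.example.com blocked?", is_blocked(hosts, "www.ads.example.com"))
```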
  14. pokhara67

    pokhara67 Guest

    On Jul 10, 7:43 am, wrote:
    > pokhara67 <> wrote:
    > >so what about something like this
    > >
    > >www.sankey-music.com
    > >
    > >it doesn't ask for permission to run it just runs.
    > >
    > >there appears to be nowhere in Firefox to control the behaviour of
    > >Adobe Flash applications
    >
    > Myself I don't care. There are a lot of good SWF files out (your
    > robot); and I like to see what's out "there".

    it isn't mine, it belongs to a producer of trash-techno music

    > I just keep the flash program updated, along with the other basic
    > safeguards.

    What are the basic safeguards where flash applications are concerned ?
    How do you prevent a flash application from behaving in a way you don't
    like ?
    Do flash applications have a built-in sandbox like Java applets ?
     
    pokhara67, Jul 10, 2007
    #14
  15. pokhara67

    Guest

    pokhara67 <> wrote:

    >On Jul 10, 7:43 am, wrote:
    >> pokhara67 <> wrote:
    >> >so what about something like this
    >> >
    >> >www.sankey-music.com
    >> >
    >> >it doesn't ask for permission to run it just runs.
    >> >
    >> >there appears to be nowhere in Firefox to control the behaviour of
    >> >Adobe Flash applications
    >>
    >> Myself I don't care. There are a lot of good SWF files out (your
    >> robot); and I like to see what's out "there".
    >
    >it isn't mine, it belongs to a producer of trash-techno music
    >
    >> I just keep the flash program updated, along with the other basic
    >> safeguards.
    >
    >What are the basic safeguards where flash applications are concerned ?
    >How do you prevent a flash application from behaving in a way you don't
    >like ?

    Anti-virus, regprot, and a bit of hopeful trust in MS.

    Microsoft writes a lot of corruptible code, to the point that SP2 has
    a new feature called DEP (Data Execution Prevention). If a file causes
    a buffer overflow DEP blocks the memory from being used and kills
    the program.

    DEP is also a hardware feature, Linux and OSX should be able to do the
    same. http://technet.microsoft.com/en-us/library/bb457155.aspx

    But really I don't worry about SWF files, in your case I wouldn't let
    this friend who made the claim near my computer :)

    >Do flash applications have a built-in sandbox like Java applets ?

    In a way.
    www.adobe.com/devnet/flash/articles/fplayer8_security_04.html
    "This section describes the various local sandboxes into which SWFs
    are placed."

    --

    A KKK Nightmare (photo)
    http://www.keithwhite.us/alabamaer.html
     
    , Jul 10, 2007
    #15
  16. pokhara67

    pokhara67 Guest

    On Jul 10, 8:17 am, wrote:
    > pokhara67 <> wrote:
    > >On Jul 10, 7:43 am, wrote:
    > >> pokhara67 <> wrote:
    > >> >so what about something like this
    > >> >
    > >> >www.sankey-music.com
    > >> >
    > >> >it doesn't ask for permission to run it just runs.
    > >> >
    > >> >there appears to be nowhere in Firefox to control the behaviour of
    > >> >Adobe Flash applications
    > >>
    > >> Myself I don't care. There are a lot of good SWF files out (your
    > >> robot); and I like to see what's out "there".
    > >
    > >it isn't mine, it belongs to a producer of trash-techno music
    > >
    > >> I just keep the flash program updated, along with the other basic
    > >> safeguards.
    > >
    > >What are the basic safeguards where flash applications are concerned ?
    > >How do you prevent a flash application from behaving in a way you don't
    > >like ?
    >
    > Anti-virus, regprot, and a bit of hopeful trust in MS.
    >
    > Microsoft writes a lot of corruptible code, to the point that SP2 has
    > a new feature called DEP (Data Execution Prevention). If a file causes
    > a buffer overflow DEP blocks the memory from being used and kills
    > the program.

    Thanks but I don't use M$

    > But really I don't worry about SWF files, in your case I wouldn't let
    > this friend who made the claim near my computer :)

    well if he's on my computer he wouldn't need a flash application.

    > >Do flash applications have a built-in sandbox like Java applets ?
    >
    > In a way. www.adobe.com/devnet/flash/articles/fplayer8_security_04.html
    > "This section describes the various local sandboxes into which SWFs
    > are placed."

    ok, now we are getting somewhere.
    I must admit I don't understand that security model at all.
     
    pokhara67, Jul 10, 2007
    #16
  17. pokhara67

    Guest

    pokhara67 <> wrote:

    >a colleague at work suggested he could write a Flash application which
    >could compromise a user's hard drive data.
    >
    >is this possible ?


    It is now, you need to update your version if you're still reading this
    thread.

    http://www.adobe.com/support/security/bulletins/apsb07-12.html

    to list your version
    http://www.adobe.com/products/flash/about/


    --
    Pagans are not happy about an enormous Homer Simpson
    painted near an ancient image.
    www.boingboing.net/2007/07/16/pagans_displeased_wi.html
     
    , Jul 17, 2007
    #17