Re: [Gnash] spyware buried in Flash movies


From: Alias
Subject: Re: [Gnash] spyware buried in Flash movies
Date: Mon, 30 Jan 2006 17:10:30 +0000

Hi Strk,

There are many potential exploits that Flash could be used for (large
scale DoS, phishing, password theft, etc.) that could be executed via
Flash. Opening up the security model is just asking for trouble. Up
until now, it has largely prevented the creation of Flash viruses and
scripting attacks. The only potentially contentious aspect of Flash is
its use of LSOs, which are basically just another implementation of
cookies.

A Flash movie can be made to execute many more requests in a shorter
amount of time than a regular HTML page. It would be pretty trivial to
waste a *lot* of other people's bandwidth if you could get a malicious
Flash movie up on a high traffic site.

Remember, Flash can load other scripted content into itself. Flash
isn't just loading GIFs and JPEGs the same way as a web page is, it's
loading *executable bytecode*. This is the substantial difference
between being able to load images and sounds. Do you really want the
ability for untrusted parties to be able to execute bytecode on your
machine?

Essentially, I suspect that relaxing the security sandbox would create
a new breed of script kiddies, and potentially more sinister spyware
and viruses. The current restrictions allow legitimate operations,
while making abuse extremely difficult. I would be very cautious about
changing this.

Thanks,
Alias

On 1/28/06, strk <address@hidden> wrote:
> On Fri, Jan 27, 2006 at 10:29:55AM +0000, Alias wrote:
> > On 1/27/06, strk <address@hidden> wrote:
> ...
> > > My vote is for happily disregard this and not implement
> > > cross-domain (in)security model as a whole. As an alternative
> > > we might make this a user setting, just to allow people to
> > > test their movies in 'MM-compatible' mode.
> > >
> >
> > The security model is there for good reason. I would be very cautious
> > about altering it.
>
> Can you explain these reasons ?
>
> --strk;
>
>  +----------------------------------------+
>  | Fight against software patents in EU!  |
>  | www.ffii.org www.nosoftwarepatents.org |
>  +----------------------------------------+
>
>
>
> _______________________________________________
> Gnash mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/gnash
>
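The thread above argues over whether a free player should enforce the Macromedia cross-domain load restriction or, as strk proposed, disregard it (perhaps behind a user setting). The block below is an added illustration, not Gnash code and not anything either poster wrote: it models the decision a player makes before a movie served from one host loads bytecode or data from another. It assumes the crossdomain.xml policy-file format of the Macromedia player (`<allow-access-from domain="..."/>` entries, with `*` and `*.example.com` wildcards), uses a simplified host-only notion of origin, treats a wildcard like `*.example.com` as also matching the bare `example.com`, and embeds constructed sample policies instead of fetching them; the function names and the `enforce` switch are this example's own.

```python
"""Added example: a minimal model of the Flash cross-domain load check.

Not code from Gnash or from the mailing-list posters.  Assumptions are
marked in comments; the sample policy files below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policies, keyed by the host that would serve them as
# http://<host>/crossdomain.xml.  A host with no entry publishes no policy.
SAMPLE_POLICIES = {
    "cdn.example.com": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.net"/>
</cross-domain-policy>""",
    "open.example.org": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>""",
}


def movie_host(url):
    """Host part of a URL, lower-cased.  Assumption: origin is host-only here;
    scheme and port are ignored to keep the model small."""
    return (urlsplit(url).hostname or "").lower()


def domain_matches(pattern, host):
    """Match one allow-access-from domain pattern against a requesting host.

    '*' matches every host.  '*.example.com' matches any subdomain of
    example.com and (assumption for this example) example.com itself.
    Any other pattern must match the host exactly.
    """
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        bare = pattern[2:]            # "example.com"
        return host == bare or host.endswith("." + bare)
    return host == pattern


def allowed_by_policy(policy_xml, requesting_host):
    """True if a crossdomain.xml document grants access to requesting_host."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return False                  # not a policy file at all: deny
    return any(
        domain_matches(el.get("domain", ""), requesting_host)
        for el in root.findall("allow-access-from")
    )


def may_load(movie_url, resource_url, policies=SAMPLE_POLICIES, enforce=True):
    """Decide whether a movie at movie_url may load resource_url.

    enforce=True models the restrictive sandbox: same-host loads are always
    fine; a cross-host load needs the target host's policy file to list the
    movie's host, and a missing policy file means deny.
    enforce=False models the 'disregard the cross-domain model' alternative
    from the thread: every load is permitted, so a movie hosted anywhere can
    pull bytecode and data from any host the viewer can reach.
    """
    src = movie_host(movie_url)
    dst = movie_host(resource_url)
    if src == dst:
        return True
    if not enforce:
        return True
    policy = policies.get(dst)
    if policy is None:
        return False                  # no policy published: deny by default
    return allowed_by_policy(policy, src)


if __name__ == "__main__":
    cases = [
        ("http://www.example.com/a.swf", "http://www.example.com/data.xml"),
        ("http://www.example.com/a.swf", "http://cdn.example.com/lib.swf"),
        ("http://evil.example.net/a.swf", "http://cdn.example.com/lib.swf"),
        ("http://evil.example.net/a.swf", "http://open.example.org/lib.swf"),
        ("http://evil.example.net/a.swf", "http://nopolicy.example.org/x"),
    ]
    for movie, res in cases:
        print(f"{movie} -> {res}: strict={may_load(movie, res)} "
              f"relaxed={may_load(movie, res, enforce=False)}")
```

Running the block prints one line per constructed case; the contrast between the `strict` and `relaxed` columns is the practical content of the disagreement: with enforcement off, the last two cases (a host with a permissive policy and a host with none at all) become indistinguishable, which is exactly the "untrusted parties executing bytecode" situation the reply warns about.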