[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Gnash] spyware buried in Flash movies
|
From: |
Alias |
|
Subject: |
Re: [Gnash] spyware buried in Flash movies |
|
Date: |
Mon, 30 Jan 2006 20:38:48 +0000 |
On 1/30/06, strk <address@hidden> wrote:
> On Mon, Jan 30, 2006 at 05:10:30PM +0000, Alias wrote:
>
> > A flash movie can be made to execute many more requests in a shorter
> > amount of time than a regular html page. It would be pretty trivial to
> > waste a *lot* of other people's bandwidth if you could get a malicious
> > flash movie up on a high traffic site.
>
> Same with javascript...
And the potential for, and existence of, malicious scripts in
Javascript has been well documented.
> > Remember, flash can load other scripted content into itself. Flash
> > isn't just loading GIFs & Jpegs the same way as a web page is, it's
> > loading *executable bytecode*. This is the substantial difference
> > between being able to load images and sounds. Do you really want the
> > ability for untrusted parties to be able to execute bytecode on your
> > machine?
>
> Do you trust all sites you visit ?
> What prevents your browser from loading and playing a movie
> embedded in a web page ?
> The cross-domain.xml thing we're talking about is not there
> to allow *you* (the computer owner) to decide what to load
> and what not. It doesn't give *you* this choice.
> Rather, it is there to allow a movie publisher to decide
> who can or cannot load it, based on the loading movie's url.
The point is that it prevents the *author* from creating malicious
scripting content. It's not about restricting the user's choice. It's
easy to get around via a server side proxy script anyway - a few lines
of PHP is all it takes. Weigh that against the potential for misuse.
> > Essentially, I suspect that relaxing the security sandbox would create
> > a new breed of script kiddies, and potentially more sinister spyware
> > and viruses. The current restrictions allow legitimate operations,
> > while making abuse extremely difficult. I would be very cautious about
> > changing this.
>
> The current restriction disallows loading a public jpeg from a movie,
> unless that jpeg publisher explicitly wrote the IP from which that
> movie has been loaded. Isn't this a legitimate use ?
>
Generally, if you are using someone else's images, without their
consent, that's bandwidth theft. It's not *illegal* but it's bad
etiquette.
There are lots of potentially legitimate uses for pop-ups too, and
look how popular they are. Flash is easy enough to use for evil as it
is - don't make it easier.
Alias
- Re: [Gnash] spyware buried in Flash movies, (continued)
- Re: [Gnash] spyware buried in Flash movies, Claus Wahlers, 2006/01/26
- Re: [Gnash] spyware buried in Flash movies, Rob Savoye, 2006/01/26
- Re: [Gnash] spyware buried in Flash movies, strk, 2006/01/27
- Re: [Gnash] spyware buried in Flash movies, Alias, 2006/01/27
- Re: [Gnash] spyware buried in Flash movies, strk, 2006/01/28
- Re: [Gnash] spyware buried in Flash movies, Alias, 2006/01/30
- Re: [Gnash] spyware buried in Flash movies, strk, 2006/01/30
- Re: [Gnash] spyware buried in Flash movies,
Alias <=
- Re: [Gnash] spyware buried in Flash movies, strk, 2006/01/31
- Re: [Gnash] spyware buried in Flash movies, Alias, 2006/01/31
- Re: [Gnash] spyware buried in Flash movies, strk, 2006/01/31
Re: [Gnash] spyware buried in Flash movies, Nicolas Cannasse, 2006/01/27