OT - Flash Vulnerablity / Uploads - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Lounge » OT - Flash Vulnerablity / Uploads

Page 1 of 1

1

Topic Options

#196694 - 2009-11-13 11:39 PM OT - Flash Vulnerablity / Uploads
Allen Allen KiX Supporter Registered: 2003-04-19 Posts: 4567 Loc: USA	Don't know if you guys have seen this... but this doesn't look good. Looks like there is a "Unfixable" bug that would allow a hacker to post a rigged/malicious flash file on any website that allows uploads, and anyone with a unpatched version of flash would be infected upon loading the flash. The author is suggesting disabling uploads of all untrusted files, including files like avatars. Wow. He goes on to say the only real fix is to remove Adobe Flash from your system. This is the article I started with... http://www.computerworld.com/s/article/9...17&pageNumber=1 And this is the the guy who found it's blog. http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
Top

#196695 - 2009-11-14 01:23 AM Re: OT - Flash Vulnerablity / Uploads [Re: Allen]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4402 Loc: New Jersey	And people called me paranoid for refusing to install Flash on my primary workstation... $\:\)$ _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#196697 - 2009-11-14 08:04 PM Re: OT - Flash Vulnerablity / Uploads [Re: Glenn Barnas]
mole mole Getting the hang of it Registered: 2003-01-01 Posts: 81 Loc: Indian Head, Maryland, USA	I'll second that. Adobe Flash and Shockwave players, Reader, Pro, etc. have become increasingly important to keep up to date and also increasingly difficult. (Heck, Cold Fusion is no cake walk either to install or maintain.) After installing the latest and greatest Flash or Shockwave player its common place for websites hosting Flash content to claim you need to "upgrade". I don't know what is going on with those coding Flash and its ability/inability to handle accurate version detection. Something is out of whack. This past week Adobe finally released the current "patched' version of Shockwave player in .msi format, one week after announcing there were vulnerabilities in earlier versions and only releasing the single instance web-based install and the .exe version both containing an opt-out Google Toolbar which is unsuitable for enterprise deployment. Having fought with past versions of Adobe Pro and Reader corrupting reg keys and/or file permissions and thereby complicating maintenance of those apps my patience is thin. I wish my Agency would seriously consider alternatives. Now that these plug-ins have been and are getting targeted for exploits more frequently its all the more important to have rapid releases, robust upgrade paths and mechanisms in place. Based on my experience with this vendor so far I will be surprised if they are up to it. Sorry to rant but I am beyond paranoid myself. _________________________ mole Who is John Galt?
Top

#196698 - 2009-11-15 03:38 AM Re: OT - Flash Vulnerablity / Uploads [Re: mole]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4402 Loc: New Jersey	So, Mole - tell us how ya really feel! $\:D$ Teasing aside, I totally agree. Unrelated add-ons (like Google Toolbar) have no place in application installers designed for enterprise environments. It's especially annoying coming from Adobe, since you must "license" their installer if you want to do internal corporate deployments. Arrgh! I just went through the licensing process and downloaded Flash and Shockwave this week, but haven't actually tested them yet.. I guess I have something to look forward to, eh? Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#196721 - 2009-11-16 08:40 PM Re: OT - Flash Vulnerablity / Uploads [Re: Glenn Barnas]
mole mole Getting the hang of it Registered: 2003-01-01 Posts: 81 Loc: Indian Head, Maryland, USA	Glenn, It will test you. The .msi installer for Flash or Shockwave enterprise use should be free of third party junk like Google toolbar. What happened was they delayed getting the .msi out after a published vulnerability and after the .exe with Google bundled had been out already for a week which was too long to hold the .msi back IMO. I can't understand why Adobe would ignore enterprise customers. Make sure the versions you got when you applied for your "license" are the versions you want (hopefully the latest version so they are minimally supposedly least vulnerable but that won't last). The procedure they have is a pain. If you can keep back leveled versions of these "pests" off of your enterprise you are ahead of the game. Still its good to look for and remove (as in search and destroy) any but the current versions you want to support in your production environment. If you can get the previous version(s) out and the new version you want in all in one step, good for you. Its a big YMMV. I find making sure there are not current browser sessions open is essential and sometimes a reboot is required to make sure of a clean sweep. Sometimes the *.ocx files associated with Flash versions get locked so even the uninstaller could not remove them. Don't know if its a browser config or what. Deleting won't work for the locked files but renaming then deleting the renamed files on next reboot seems to work. This behavior is not 100% of the time and I have not the time to research it. I guess what I am telling you is don't just assume that all traces of prior versions are gone if you pedantically remove the previous version and install the latest. Check then check it again! As usual it pays to be thorough and is what leads to grey hair, EtOH consumption, etc. _________________________ mole Who is John Galt?
Top

#197039 - 2009-12-09 10:55 AM Re: OT - Flash Vulnerablity / Uploads [Re: mole]
mole mole Getting the hang of it Registered: 2003-01-01 Posts: 81 Loc: Indian Head, Maryland, USA	Applying to retrieve the latest "Flush" security update (10.0.42.34) nets this response: Quote: Thank you for your request Your e-mail address has been verified. We will now process your application to distribute Adobe®Flash® Player. You will receive an e-mail shortly (but not longer than three working days in the case on a standard application) informing you of our decision. _________________________ mole Who is John Galt?
Top

Page 1 of 1

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart

Hop to:

Shout Box

Who's Online

0 registered and 1183 anonymous users online.

Newest Members

batdk82, StuTheCoder, M_Moore, BeeEm, min_seow
17885 Registered Users

Generated in 0.138 seconds in which 0.114 seconds were spent on a total of 13 queries. Zlib compression enabled.

click tracking