Friday, November 13, 2009

Flash is really Evil

A post today on Slashdot describes how Adobe Flash basically breaks the security of the Internet.

Unfortunately it's really complicated, but the author maintains (and shows) that Flash Player decides which domain a Flash object belongs to purely by the domain that served the file, and decides whether a file is a Flash object purely by its contents, not by its file extension or Content-Type. So if a file that is really a Flash object ends up on a site's servers, any page on the web can embed it, and it runs with that site's privileges: it can talk to the site as the logged-in user and read what comes back. The file doesn't have to look like a Flash object either; it can be uploaded as something else, like an image.

This opens up the web to a ton of attacks. Basically, any web site that allows file uploads (like photo sites) can only be partially resistant to this if it serves user-uploaded content from a different domain, so that an uploaded Flash object gets the origin of that throwaway domain rather than the real site's. So pbase.com would need to move all its user files to pbase-img.com, or something similar. Some big sites like Yahoo are already doing this.
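As an added example (not from the Slashdot article or this post), here is the check a photo site could run on uploads, plus the domain split the paragraph above describes, in Python. Flash Player identifies a SWF by the signature bytes FWS, CWS or ZWS at the very start of the file, so the filter has to look at bytes rather than names. The domain names, function names and the sample byte strings are assumptions for illustration.

```python
"""Defences for the Flash origin problem (added example, not the article's code).

Flash Player decides that a file is a SWF from its leading signature bytes and
gives it the origin of the domain that served it.  So an upload filter must
look at the bytes, not the extension, and uploads should be served from a
separate domain so that anything that slips through runs with a harmless origin.
"""
import os

# SWF signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA, Flash 11+).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Magic bytes an upload must start with to be accepted under each extension.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Hypothetical domains, following the post's pbase example.
MAIN_DOMAIN = "pbase.com"
UPLOAD_DOMAIN = "pbase-img.com"


def is_swf(data: bytes) -> bool:
    """True if Flash Player would treat these bytes as a SWF, whatever the name."""
    return data[:3] in SWF_SIGNATURES


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for a user upload.

    Rejects anything whose bytes say SWF, and anything whose bytes do not
    match the image type the extension claims.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    if is_swf(data):
        return False, "SWF disguised as image"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match extension"
    return True, "ok"


def upload_url(stored_name: str) -> str:
    """Where user content should be served from: a domain that carries no
    session cookies and has no same-origin relationship to MAIN_DOMAIN."""
    return f"https://{UPLOAD_DOMAIN}/u/{stored_name}"


def attacker_embed(url: str) -> str:
    """The tag an attacker's page would use to run an uploaded file as Flash.

    The explicit type attribute makes the browser hand the file to the plugin
    regardless of the Content-Type the server sent; only the hosting domain
    decides which origin the code runs as.
    """
    return f'<object type="application/x-shockwave-flash" data="{url}"></object>'


# Constructed sample inputs, not real uploads.
CONSTRUCTED_SWF = b"FWS\x0a" + b"\x00" * 8          # SWF header an attacker renames to .jpg
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # start of a genuine JPEG


if __name__ == "__main__":
    for name, blob in (("avatar.jpg", CONSTRUCTED_SWF), ("avatar.jpg", CONSTRUCTED_JPEG)):
        print(name, validate_upload(name, blob))
    print(attacker_embed(upload_url("avatar.jpg")))
```

The signature check catches the plain case of a SWF renamed to .jpg; the domain split is what protects you when a check is missing or bypassed, because the embedded object then runs as pbase-img.com, which holds nothing worth stealing.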

That's bad news because it's really hard for anyone other than Adobe to fix, and the worse news is that Adobe says it's not their problem.

What's a poor user to do?

It's easy for a Security Goon to say:

  1. Use Firefox. I already do this, as do my wife and kids. Really.
  2. Use the NoScript add-on. I do this, but haven't got my wife or kids started (yet). This blocks Flash from most sites unless manually turned on. (I gotta pay him something.) It's brilliant and improves the net experience if only because I haven't seen punch the monkey in years.
  3. According to a comment in the above referenced article it's even better if you run the FlashBlock extension. This sounds good, but I haven't tried it yet.

If you insist on running Internet Explorer (bad), the above article mentions something called Toggle Flash, which sounds really cool, but I haven't tried it.

Perry
