Beware of what you click on - Flash Ads

Discussion in 'other security issues & news' started by Compu KTed, Jun 29, 2014.

Thread Status:
Not open for further replies.
  1. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Most rich ads are built with Adobe Flash, a technology that allows ads to be animated, play sounds, and that can be interacted with.
    There are certain strings/functions in Flash that are deemed potentially dangerous.

    • Loader
    • ExternalInterface
    • navigateToURL
    • currentDomain
    • loadBytes

    Perhaps we tend to forget sometimes that Flash ads are actually applications which can perform certain undesired actions.
    One of them is redirecting the browser to a potentially harmful site.

    To protect against this type of threats you may wish to disable Flash...

    More info from Malwarebytes Unpacked June 2014 archives. (double-dipping advertising network)
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I've set my preferences for all Chrome plugins to "Click to play". Ads in Flash are never loaded, since plugins is not automatically activated. One additional click to play videos is not much trouble to me.
     
  3. guest

    guest Guest

    I'm starting to wonder if I really need Flash Player. I only use it on YT and there's a Chrome extension that forces videos to use HTML5 (albeit not perfect). Maybe I should just disable it permanently and stop bothering with its vulnerabilities. I don't know if it will interfere with the update mechanism though.
     
  4. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    HTML5 Canvas

    https://wiki.mozilla.org/Fingerprinting

    client-Side: HTML5 Canvas Fingerprinting (my test results - javascript enabled & disabled)

    Javascript enabled
    Canvas Support in Your Browser:
    Canvas (basic support) True
    Text API for Canvas True

    Your Fingerprint:
    Found in DB True
    General Conclusion It is very likely that you are using [browser] on [OS]

    NOTE: All other headings not listed here contain info

    Javascript disabled
    Canvas Support in Your Browser:
    Canvas (basic support) × False
    Text API for Canvas × False

    Your Fingerprint:
    Found in DB (blank)
    General Conclusion (blank)

    NOTE: All other headings not listed here are (blank)

    https://www.browserleaks.com/canvas

    Client-side: Flash Player System Capabilities

    I will try to do Flash Player results later.
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Last edited: Jun 29, 2014
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Client-Side: Flash Player System Capabilities

    Latest Flash Player plugin installed (non-I.E.)
    click-to-play enabled
    Always Activate
    Javascript enabled

    Flash Detection:
    Flash Player Enabled? ! True
    Click-To-Play Placeholder True

    Shockwave Flash: (info revealed for version & filename)
    Flash Plug-In Environment: (info revealed in all 11 categories)
    Networking:
    IP Address via URLLoader (info revealed)

    Other Capabilities:
    (25 categories listed with mixture of True × False & ? undefined

    NOTE: Browser reveals much info when flash is installed and javascript enabled.
    I image this would increase my "browser fingerprint".

    NOTE: Just by disabling javascript with flash installed my results are:

    JavaScript Disabled — cannot deploy Flash object (It's just for the Demo, in fact Flash can work without JavaScript)

    Flash Detection:
    Flash Player Enabled? × Disabled
    Click-To-Play Placeholder ? n/a

    All other heading categories listed as (undefined)

    If I disable Flash Player plugin (never activate) & enable javascript my results are similar:
    Flash Detection:
    Flash Player Enabled? × False-Flash Plug-In Does Not Exist
    Click-To-Play Placeholder ? n/a

    All other heading categories listed as (undefined)

    http://www.browserleaks.com/flash
     
    Last edited: Jun 30, 2014
  7. guest

    guest Guest

    This is way beyond my knowledge level, so pardon my silly mumblings, but isn't Flash Player has more vulnerabilities which means not installing Flash will practically eliminate the Flash-related threats? At least from what I can understand so far, HTML5 is better than Flash from security point of view.

    Please correct my statement above if it's wrong. :doubt:
     
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    HTML5 and Security
    on the New Web
    Promise and problems for privacy and security

    sophos

    Reducing reliance on third-party plugins such as Flash and Silverlight both of which have had
    their share of exploits would be good, however implementing HTML5 doesn't guarantee you'll
    be immune from web vulnerabilities.

    When I do use Flash I avoid running it in an administrator account, change some settings and run the
    browser sandboxed. If I can play a video without using it I do that.
     
  9. guest

    guest Guest

    @Compu KTed

    Thanks for the link, bookmarked it. :thumb:

    At least HTML5 is not a separated plugin, which will make it easier for web browser developers to limit the possible damage that can happen.
     
  10. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @GrafZeppelin

    You're welcome. Let's hope for good coders that understand & implement "security measures" as a top priority.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.