Adobe Flash Player GOOD? BAD?

Discussion in 'other security issues & news' started by flinchlock, May 19, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    When I go to some sites, Firefox says, "Additional plugins are required to display all media on this page."

    Per http://en.wikipedia.org/wiki/Adobe_flash Wikipedia...
    I have NoScript, and on the Options > Advanced > Untrusted tab, there is a "Forbid Macromedia Flash" restriction option. The default is not checked.

    Any advice...
    Flash... GOOD? BAD?
    NoScript... check "Forbid Macromedia Flash" YES? NO?

    I can not seem to find a definitive answer if Flash is or is not OK.

    Mike
  2. fixmypcmike

    fixmypcmike Registered Member

    I would say that Flash Player is like a number of multimedia programs, such as QuickTime, Winamp, RealPlayer, etc., that are under constant attack these days. Most people have them and don't think about them, are used to clicking on videos in web pages, and don't patch them the way they're used to patching things like OS's, web browsers, and MS Office. It's hard to do without them these days (although there are options like QT Alternative and Real Alternative), but you need to keep up on patches.
  3. flinchlock

    flinchlock Registered Member

    Yes, I do keep up on patches.

    I am also probably the only person on the planet that uses NoScript and my whitelist only has wilderssecurity.com... I sparingly use temp allow.

    Mike
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Hello,
    Flash Player in itself is not good or bad. It just is. As to the content, the same rule applies as to programs and such. Run only files that you feel are ok.
    Mrk
  5. flinchlock

    flinchlock Registered Member

    True...Thanks

    When you spend a lot of time here on Wilders, I start to not even trust my brain.exe. :eek:

    Mike
  6. Rmus

    Rmus Exploit Analyst

    Ditto to Mrk.

    Most browsers have some ways to deal with flash objects. One of Opera's ways is to insert a placeholder where the .swf object appears on the screen. Then, you can make a decision. To run, just click on the placeholder.

    Some sites use flash for advertising (my biggest gripe: I'm not opposed to adverts, just the animated ones, so I block them).

    The same site may use flash for multimedia presentations, such as csmonitor.com:

    Advertisement:

    http://www.urs2.net/rsj/computing/imgs/flash-1.gif
    ___________________________________________________________________

    Multimedia presentation:

    http://www.urs2.net/rsj/computing/imgs/flash-2.gif
    ____________________________________________________________________

    Choosing whether or not to run the file, or download a flash video: Your trust of the site would be the most important factor. Scanning the file may or may not flag an infected file.

    And, there is the possible remote code execution attempt.

    The exploits that have been identified point to the usual type of executing a payload, easily prevented:

    Conclusion: low threat level.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
  7. ThunderZ

    ThunderZ Registered Member

    If running Firefox then I would suggest Flashblock. Does for FF what Opera has already built in.
  8. elio

    elio Registered Member

    NoScript does it as well, and it blocks all the other nasties too.

    btw, I bet the most technical-minded of you will love these slides :)
  9. flinchlock

    flinchlock Registered Member

    Just great, more scary stuff. :eek:

    In my first post I asked if I should forbid Flash in Untrusted sites... Yes or No?

    Which is better...
    1) to allow Flash in an untrusted site, or
    2) Temporarily Allow the untrusted site?

    Mike

    P.S. Love your signature!
  10. elio

    elio Registered Member

    Yes.
    The best is to temporarily allow just the Flash movie you need to watch by left-clicking on the NoScript placeholder. This choice will be remembered for the current tab.

    Generally speaking, security is a matter of reducing the attack surface and always giving away only the privileges needed to do the work, nothing more than those, for the minimum timespan.
    So if you need a specific Flash movie to play, why enable the whole site or Flash everywhere, forever, when you can enable just the movie you want and leave the rest alone?

    Sometimes a Flash movie can't work if JS is disabled on the page. If this is the case (and the content is really worth it), just temporarily allow the site.

    Notice that a recent addition to NoScript is the noscript.contentBlocker preference, which extends the content restrictions for Java, Flash and other plugins to trusted sites as well, sort of FlashBlock on steroids.

    My signature loves you back :)
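    The click-to-play placeholder that Rmus describes for Opera and that elio describes for NoScript can be sketched in a few lines. The code below is an added illustration, not code from Opera, Flashblock or NoScript: it decides whether an `<object>`/`<embed>` points at Flash (by MIME type, by the Flash ActiveX class id, or by a `.swf` URL) and swaps each match for an inert button that only puts the original element back when the user clicks it.

```javascript
// Added example: a minimal click-to-play shim for Flash objects, modelled on
// the placeholder behaviour discussed in the thread (not any project's code).

const FLASH_MIME = /^application\/(x-shockwave-flash|futuresplash)$/i;
// Flash Player's ActiveX class id, as it appears in <object classid="..."> markup.
const FLASH_CLSID = /^clsid:D27CDB6E-AE6D-11cf-96B8-444553540000$/i;

// Decide whether an element descriptor {tag, type, src, data, classid} refers to
// Flash content. Plain objects are used so the rule can be tested without a DOM.
function isFlashElement(el) {
  const tag = (el.tag || '').toLowerCase();
  if (tag !== 'embed' && tag !== 'object') return false;
  if (FLASH_MIME.test(el.type || '')) return true;
  if (FLASH_CLSID.test(el.classid || '')) return true;
  const url = (el.src || el.data || '').split(/[?#]/)[0]; // ignore query/fragment
  return /\.swf$/i.test(url);
}

// Build the descriptor shape above from a live DOM node.
function describe(node) {
  return {
    tag: node.tagName,
    type: node.getAttribute('type'),
    src: node.getAttribute('src'),
    data: node.getAttribute('data'),
    classid: node.getAttribute('classid'),
  };
}

// Replace every Flash object under `root` with a placeholder button; the original
// node is reinserted (and so loaded) only on click. Returns the number blocked.
function installClickToPlay(root) {
  let blocked = 0;
  for (const node of Array.from(root.querySelectorAll('object, embed'))) {
    const d = describe(node);
    if (!isFlashElement(d)) continue;
    const ph = node.ownerDocument.createElement('button');
    ph.textContent = 'Flash blocked: click to play ' + (d.src || d.data || '');
    ph.addEventListener('click', () => ph.replaceWith(node), { once: true });
    node.replaceWith(ph);
    blocked++;
  }
  return blocked;
}
```

    A page script that runs after load only removes a plugin that has already started; the real blockers intercept before the plugin is instantiated, which is why they live in the browser or an extension rather than in page scripts.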
  11. flinchlock

    flinchlock Registered Member

    Thanks... done/forbid. I also forbid "other plugins".

    I had forgotten that.

    Yup, I only sparingly use Temporarily Allow JS.

    OK

    OK

    I currently only have wilderssecurity.com on my white list. Yes, I know it does not require it, but I like the site navigation better with it. I think I will still use noscript.contentBlocker just in case I do add a few more whitelisted sites.

    I am currently reading http://www.adobe.com/products/flashplayer/security/ about...
    1) A local shared object, sometimes referred to as a "Flash cookie"
    2) A third-party local shared object, sometimes referred to as a "third-party Flash cookie"

    Yikes, Flash can use my Microphone and Camera! http://www.macromedia.com/support/documentation/en/flashplayer/help/help05.html

    Mike
    Last edited: May 19, 2007
  12. Rmus

    Rmus Exploit Analyst

    Thanks for this. It is a very clearly-presented and understandable paper - even a non-programmer like myself can follow it!

    Well, yes and no. Scary, because the potential for abuse of the code is laid out. But this is becoming very common for more and more applications. In this paper, the authors comment,

    Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - an Empirical Investigation
    http://infosecon.net/workshop/pdf/telang_wattal.pdf

    In theory, the only safe computer is that which is unplugged (courtesy of bigC). But we want to use our computer and its software, including Flash. So, while reading about flaws in our software can be disconcerting, looking carefully at what their impact is helps lead to solutions for their safe use.

    The best way is to analyze known exploits. With Flash, as I mentioned in my above post, the only analyses I've found published reveal a tried and successful, yet easily blocked attack: the downloading of a trojan.

    With respect to the various techniques presented in Stefano Di Paola's paper on Testing Flash Applications, no instances of use of these in the wild were given, so I emailed him and asked a few questions. He replied that he was not aware of any exploits in the wild of Flash objects using these techniques.

    Preventative measures for using Flash, then, include

    1) starting with the browser's features to control the display of Flash objects, as have been mentioned in this thread

    2) the user's decision whether or not to run a Flash object: trustworthiness of the site, etc.

    3) protection in place behind the browser to block the known methods of attack.

    Having a strategy in place to deal with a situation like this gives us the freedom and confidence to use the software we want.

    regards,

    -rich
