(unknown?) dangers of Flash

Discussion in 'other security issues & news' started by Fly, Oct 24, 2008.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I have used version 9 of the Adobe Flash player for some time.
    (I also configured the security settings, but I didn't think to instruct the software to NOT check for a new version)

    Today, I suddenly (without using a web page or an application that uses Flash) get this 'little' box on my screen, asking me if I want to install the new version (presumably version 10). There was no way to get rid of that except to access that graphical display.

    So Flash can just jump through my firewall! (I have outbound, but not leaktest-proof, protection)

    I have no idea how it did that. I currently use McAfee's Virusscan Plus as an interim solution, and it went straight through its firewall (configured for strict outbound control). There was no such thing as a program authorization for anything remotely called Flash. The McAfee firewall isn't great for outbound protection, but it blocks most things.

    I suppose the lesson of this is that Flash is a greater vulnerability than I (we?) thought.

    Any comments? These days, using the internet without Flash is about (?) the same thing as not using javascript.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    No danger there. No different than any other software updater.
    And it did not bypass your firewall - it simply uses the web protocol to connect, through your browser. Nothing special here.
    Mrk
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,921
    Location:
    U.S.A.
    Yes, I agree with Mrkvonic, since the browser is granted permission via a firewall setting and the Flash player becomes an add-on component of that browser, the user would never receive any notifications.

    The one thing I have noticed is that each new version tweaks the Settings Manager anew, resetting the player to Default (Check for updates every 30 days). Then, if you forget to tweak it, surprise!

    BTW, for new Wilders visitors and readers of this thread, you can check to see if you have the current Flash and Shockwave player versions here: Test Adobe Shockwave & Flash Players.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Lately I've been getting the same update notice box. If it disturbs you simply use Task Manager to close it out. Later on at your own convenience you can update ADOBE FLASH to the new version 10, because that's what all the intrusion is about. It ticked me off you couldn't cancel that silly alert normally, so I killed it with Task Manager. Later I manually downloaded version 10's installer because I might be busy at the time or simply choose to install it another time of my own choosing. YOU CONTROL YOUR OWN MACHINE.
     
  5. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    If I look at it that way, there is a lot of XSL and XML and some other stuff that can have outbound access that way!
    I don't think I was looking at a page that had Flash on it, so just because it's on the list of add-ons that can be executed without permission it can do all that? (IE 7)
    I guess that shows that Windows XP is a truly insecure OS.
     
  6. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Btw, are there any disadvantages regarding upgrading to version 10 (from 9), especially regarding security/privacy? I know there is a lot of text available about the new upgrade, but I don't want to make it a study project!

    (Windows XP Home Edition IE 7)
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,921
    Location:
    U.S.A.
    Actually, the IE browser is the one that's unsafe because it is the major conduit (besides email) for any Windows OS to be compromised. Also the reason why more people are moving to Firefox and Opera, since these browsers are not intricately connected to the OS as IE is. And while these other browsers also have add-ons, they are better controlled by the user.

    The reason why Adobe updated its Flash player to version 10 was due to a vulnerability regarding Clickjacking, which has been discussed here at Wilders. If the player is not upgraded, the old version is vulnerable to this exploit, if using IE. Both Opera and Firefox (with the NoScript add-on) are not vulnerable, even with the old Flash player version 9.

    Flash Player update available to address security vulnerabilities
     