Date: Sun, 19 Dec 2010 14:32:08 -0600
From: Marsh Ray <marsh@...endedsubset.com>
To: Victor Rigo <victor_rigo@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: adobe.com important subdomain SQL injection again!

On 12/18/2010 05:30 PM, Victor Rigo wrote:
> Let's see, flash is:
>
> - Cross-platform
> - Cross-architecture
> - Has its own programming language
> - Is embedded on websites
> - Access to javascript to popup, local caches, etc.

Not on my machine?

> It's not ineptness, it's what you get when you write software that can
> actually do stuff.

Adobe comes from a time when you could write PC software without caring 
about security. Yeah, it was a heck of a lot easier to write just about 
anything back then because it was well and proper that anything could do 
anything.

Nowadays, the first questions after "hey our software could do this" must 
be "but should it do that? What else could someone leverage that new 
capability to do? How does it combine with every other feature in our 
app or even on the whole platform? What if somebody does it repeatedly 
in a tight loop? With pathological inputs?" and so on. These questions 
take a long time to answer.

So if a vendor is known for "letting app developers do more stuff" and 
not also known for "letting users control what stuff gets done on their 
own machines" then they are laggards, not leaders, in my view.

> If Java applets were still the hip thing, you'd see the same thing about
> that.

There's undoubtedly some truth to that. But at the same time, it doesn't 
seem like a useful line of reasoning:

* It's still not an argument for using Flash.

* That Java plugins have had chronic security bugs doesn't mean that 
Flash doesn't suck too.

* You seem to imply that you don't think that Adobe is likely to secure 
Flash any time soon. You're not saying "Adobe will secure Flash in the 
next patch and then it will be great." But you listed all the great 
stuff it does, so I have to think you would have said something like 
that if you believed it. You may be making Flash look worse than it is.

* It's basically an "appeal to futility" argument: no one could make a 
development platform and browser plugin that is significantly more 
secure (or does a better job of managing the security vs. "doing stuff" 
trade off) so therefore we should accept the status quo. That's why it's 
not useful: it gives no guidance on directions in which to improve.

Personally, I kind of like Flash. It gives me a single kill switch for 
90% of the useless blinking crap and popups on the internet. Flash is a 
really appropriate name for exactly what I don't want to see on a web 
page. I hope it remains the platform of choice for those who develop 
such things.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
