Message-ID: <AANLkTinkCvzFWT8HjGGn5_pQ13d0bi6GVyhbATBNEg24@mail.gmail.com>
Date: Thu, 23 Dec 2010 21:57:51 -0500
From: Jeffrey Walton <noloader@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: adobe.com important subdomain SQL injection again!
> However, with the debut of HTML 5, we're finding that video is being
> offloaded to <video> and open codecs are being integrated into browsers.
> Further, HTML 5's media capabilities are making flash cumbersome.
Not to resurrect a dead thread, but Microsoft's Silverlight applied a lot of
lessons from Flash: BlueHat v9: RIA Security: Real-World Lessons from Flash
and Silverlight, http://technet.microsoft.com/en-us/security/video/ee834904.
At least some folks are learning from Adobe's mistakes.
Jeff
On Sun, Dec 19, 2010 at 7:56 PM, Victor Rigo <victor_rigo@...oo.com> wrote:
> Concurred. No file format is as obnoxious as SWF.
>
> However, with the debut of HTML 5, we're finding that video is being
> offloaded to <video> and open codecs are being integrated into browsers.
> Further, HTML 5's media capabilities are making flash cumbersome.
>
> Try disabling flash extension on Firefox and enjoy real internet.
>
> Victor Rigo, CISSP
> Independent Computer Security Consultant
> Buenos Aires, AR
> +5411-4316-1901
>
> --- On Sun, 12/19/10, Christian Sciberras <uuf6429@...il.com> wrote:
>
>
> From: Christian Sciberras <uuf6429@...il.com>
> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection
> again!
> To: "Marsh Ray" <marsh@...endedsubset.com>
> Cc: "Victor Rigo" <victor_rigo@...oo.com>,
> full-disclosure@...ts.grok.org.uk
> Date: Sunday, December 19, 2010, 9:25 PM
>
>
> "Personally, I kind of like Flash. It gives me a single kill switch for
> 90% of the useless blinking crap and popups on the internet. Flash is a
> really appropriate name for exactly what I don't want to see on a web
> page. I hope it remains the platform of choice for those who develop
> such things." - Marsh Ray
>
> I'll keep using that quote till I die...
>
>
>
>
> On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray <marsh@...endedsubset.com> wrote:
>
> On 12/18/2010 05:30 PM, Victor Rigo wrote:
> > Let's see, flash is:
> >
> > - Cross-platform
> > - Cross-architecture
> > - Has its own programming language
> > - Is embedded on websites
> > - Access to javascript to popup, local caches, etc.
>
> Not on my machine?
>
> > It's not ineptness, it's what you get when you write software that can
> > actually do stuff.
>
> Adobe comes from a time when you could write PC software without caring
> about security. Yeah, it was a heck of a lot easier to write just about
> anything back then because it was well and proper that anything could do
> anything.
>
> Nowadays, the first questions after "hey our software could do this" must
> be "but should it do that? What else could someone leverage that new
> capability to do? How does it combine with every other feature in our
> app or even on the whole platform? What if somebody does it repeatedly
> in a tight loop? With pathological inputs?" and so on. These questions
> take a long time to answer.
>
> So if a vendor is known for "letting app developers do more stuff" and
> not also known for "letting users control what stuff gets done on their
> own machines" then they are laggards, not leaders, in my view.
>
> > If Java applets were still the hip thing, you'd see the same thing about
> > that.
>
> There's undoubtedly some truth to that. But at the same time, it doesn't
> seem like a useful line of reasoning:
>
> * It's still not an argument for using Flash.
>
> * That Java plugins have had chronic security bugs doesn't mean that
> Flash doesn't suck too.
>
> * You seem to imply that you don't think that Adobe is likely to secure
> Flash any time soon. You're not saying "Adobe will secure Flash in the
> next patch and then it will be great." But you listed all the great
> stuff it does, so I have to think you would have said something like
> that if you believed it. You may be making Flash look worse than it is.
>
> * It's basically an "appeal to futility" argument: no one could make a
> development platform and browser plugin that is significantly more
> secure (or does a better job of managing the security vs. "doing stuff"
> trade off) so therefore we should accept the status quo. That's why it's
> not useful: it gives no guidance on directions in which to improve.
>
> Personally, I kind of like Flash. It gives me a single kill switch for
> 90% of the useless blinking crap and popups on the internet. Flash is a
> really appropriate name for exactly what I don't want to see on a web
> page. I hope it remains the platform of choice for those who develop
> such things.
>
> - Marsh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/