Re: [Gnash] spyware buried in Flash movies
From: strk
Subject: Re: [Gnash] spyware buried in Flash movies
Date: Mon, 30 Jan 2006 20:52:45 +0100

On Mon, Jan 30, 2006 at 05:10:30PM +0000, Alias wrote:

> A flash movie can be made to execute many more requests in a shorter
> amount of time than a regular html page. It would be pretty trivial to
> waste a *lot* of other people's bandwidth if you could get a malicious
> flash movie up on a high traffic site.

Same with javascript...

> Remember, flash can load other scripted content into itself. Flash
> isn't just loading GIFs & Jpegs the same way as a web page is, it's
> loading *executable bytecode*. This is the substantial difference
> between being able to load images and sounds. Do you really want the
> ability for untrusted parties to be able to execute bytecode on your
> machine?

Do you trust all sites you visit?
What prevents your browser from loading and playing a movie
embedded in a web page?

The cross-domain.xml thing we're talking about is not there
to allow *you* (the computer owner) to decide what to load
and what not. It doesn't give *you* this choice.
Rather, it is there to allow a movie publisher to decide
who can or cannot load it, based on the loading movie's url.

> Essentially, I suspect that relaxing the security sandbox would create
> a new breed of script kiddies, and potentially more sinister spyware
> and viruses. The current restrictions allow legitimate operations,
> while making abuse extremely difficult. I would be very cautious about
> changing this.

The current restriction disallows loading a public jpeg from a movie,
unless that jpeg publisher explicitly wrote the IP from which that
movie has been loaded. Isn't this a legitimate use?

--strk;
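
The policy check described in the message above, as an added example (not part of the original message and not Gnash code): the decision depends only on the loading movie's host and the policy the resource's publisher serves. The element and attribute names follow Adobe's `crossdomain.xml` format; the host names, sample policies and function names are constructed, and the `*.` wildcard handling is a simplifying assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policies, as a publisher would serve them.
POLICY_NAMED = """<cross-domain-policy>
  <allow-access-from domain="movies.example.org"/>
  <allow-access-from domain="*.partner.example"/>
  <allow-access-from domain="192.0.2.10"/>
</cross-domain-policy>"""
POLICY_PUBLIC = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'


def host_of(url):
    """Lower-cased host (name or IP) of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def pattern_matches(pattern, host):
    pattern = pattern.strip().lower()
    if pattern == "*":
        return True  # publisher declared the content public
    if pattern.startswith("*."):
        # Assumption: "*.x" covers subdomains of x, not x itself.
        return host.endswith(pattern[1:])
    return pattern != "" and host == pattern


def may_load(movie_url, resource_url, policy_xml):
    """True if the movie at movie_url may load resource_url.

    policy_xml is the policy fetched from the resource's host, or None if
    that host serves none. The viewer's machine never enters the decision.
    """
    movie_host, resource_host = host_of(movie_url), host_of(resource_url)
    if not movie_host or not resource_host:
        return False
    if movie_host == resource_host:
        return True  # same host: no policy needed
    if policy_xml is None:
        return False  # no opt-in from the publisher: deny
    try:
        # Untrusted input; a hardened parser (e.g. defusedxml) is advisable.
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return False  # unparsable policy fails closed
    if root.tag != "cross-domain-policy":
        return False
    return any(pattern_matches(e.get("domain", ""), movie_host)
               for e in root.iter("allow-access-from"))
```

With no policy at all, a jpeg that is publicly reachable by any browser is still refused to a movie from another host, which is the case the message objects to.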