Monday, November 16, 2009

Windows-like Flash 'sploit Found, Adobe Says No Fix Forthcoming

[UPDATE: Adobe's douchebag-in-resident blogga Dowdell gloats that the 'issue has been retired' by SecurityFocus. Like that matters. Foreground Security, once again, doesn't fall for the bull, and even has to dumb it down so that the poor fools can understand.]

Remember when Adobe meant quality? Seems those days are LONG GONE. Seems like when they were copying Javascript, they didn’t quite get local domain policy quite right for their little “ubiquitous” web plugin cum ‘web platform’.

Kudos to Adobe UI Gripes for really getting it:

Face facts Adobe, your “RIA platform” is in reality just a codec for looking at videos of funny dogs on YouTube, thats what 80% of people use it for, thats what you should focus on making actually work on all platforms.
[From Adobe UI Gripes]

And now we have a variant of the GIFAR attack, and the vector for the attack is a “ubiquitous” buggy plugin that’s in every browser on Mac / Windows and Linux. GIFAR, which has been fixed by Sun, and now has to be fixed the same way in Flash / Actionscript.

And the vendor doesn’t wanna fix it.

Gee, thanks Adobe. Didn’t plan for this, did you? Guess your offshore “developers” don’t have the depth to deal with this?

“Security researchers at Foreground Security have found an issue with Adobe Flash. Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems. Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be.”
[From Slashdot News Story | Flash Vulnerability Found, Adobe Says No Fix Forthcoming]

And if you’re Adobe what do you do? You can’t fix what your offshore engineers can’t even understand…

Nope, you make some thin excuse that ‘many sites will become broken’ and you pass cough outsource cough crowdsource it off so that Webmasters need to fix their sites?

Even if they don’t use Flash? How very Microsoft of them. Sorry, but this makes my brain hurt. If your Actionscript based plugin aped Javascript properly, this would not be an issue.

And Adobe wants the US Gov’t to adopt “ubiquitous” Flash?? Hah!

If you’re on any type of device, find a Flashblocker NOW. It’s not like you can rely on Adobe to put thought into this.

Here’s an obvious hint to the slumdogs: Don’t allow, or DO ask for permission, any data stream that looks malformed. So: no *.gifs, *.html et cetera with Actionscript or Flash objects. With the policy controlled by the plugin that is RECEIVING THE DATA. Sun did this for Java, MSFT does it for .Net, & since your plugin is the “ubiquitous” runtime here you will have to do the same.

To not do so will inconvenience your REAL customers, the designers who will take one look at this and say, ‘T’hell with this, I’m on to HTML5, Javascript/AJAX, and H.264.’

And Dear Uncle Steve: You were right to leave “ubiquitous” Flash off the iPhone. Thank you again & again & again. Best decision you ever made. “Ubiquitous” is the new suck.

I was going to blog about the Microsoft Windows 7 0-day stupidity with SMB, but they haven’t said that they’re not going to fix it. Just remember to turn off SMB ports until the ol’ fat other Steve gets around to yelling at his slumdogs.

Here’s a clue for itinerant offshore Adobe “programmers”. Note the quotes. Start with this book:

“JavaScript: The Definitive Guide”

No comments: