Username or EmailPassword
You people had to learn the hard way...
Next time, avoid such proprietary garbage. Edited 2008-04-16 17:12 UTC
How are such exploits unique to proprietary software?
>How are such exploits unique to proprietary software?
Well they're not really, but (I can't really believe I'm going to quote Eric S. Raymond) -
"given enough eyeballs, all bugs are shallow"
The exploits they were talking about seem to have a lot to do with the Flash AVM, which just happens to be open source.
Read Touvan's comment above, then read the article again. You will see that this exploit required detailed knowledge of the internal workings of the VM. If the VM had been closed source developing this exploit would have been more difficult. Edited 2008-04-16 21:07 UTC
That exploit is just amazing. At the same time, it is scary to think that a hole similar to step 1 is probably present in many other pieces of software.
On the surface, easy exploits have disappeared from most software or have been disabled by the OS.
Actually, though, hackers are still a step ahead and already planning for their next move.
As long as hackers stay away from open source players, I am safe, I guess.
I don't think the exploit as basic as you seem to imply.
It does derive from the same programmer stupidity or ignorance as printf(char*) and buffer overflows in string operations, but while those are critical, very known, and rare in production code today, this error is still common.
This is because of wrong assumptions. You will be hard pressed to find a program where a function like fopen isn't checked for error return values, but malloc is likely to be left unchecked, especially if the code was initially written as a quick hack to get something working.
However, even if the malicious code is able to make an "infallible" function fail, there are many chances that this results at most in simply segfaulting the program. So this adds to the perceived safety of not checking a given function and makes this kind of exploit even more dangerous.
Ironically, Amiga, BeOS, Syllable, SkyOS, MacOS classic and other 'non mainstream' Operating Systems which never received love from Adobe are safe when browsing a website hosting the vulnerability. Or web browsers which do not have the flash pluggin enabled
Debian is also "flash-safe" if you install software only from the distribution's main repository.
The reason is that Debian banned the flashplugin-nonfree from Etch (with the R3 release) and from Sarge (with the R8 release):
"Flashplugin-nonfree has been removed, as this is closed source and we don't get security support for it. For security reasons, we recommend to immediately remove any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player."
(This flash plugin is still available via backports.org, so that Debian users can still install it if they want to.)
Security problems are a good reason to consider using open source versions of software like Flash. I would like to recommend swfdec, the open source Flash engine, but it it crashes Firefox a lot and doesn't handle youtube Flash videos. Helping out in swfdec development and testing would make this more of a reality. This would benefit the Linux distros since we wouldn't have to wait from a binary from Adobe.
http://swfdec.freedesktop.org/wiki/ Edited 2008-04-16 19:57 UTC
"I would like to recommend swfdec, the open source Flash engine, but it it crashes Firefox a lot and doesn't handle youtube Flash videos. Helping out in swfdec development and testing would make this more of a reality."
What version of swfdec are you using? swfdec-0.6.4 plays youtube videos fine, provided you have the appropriate gstreamer plugins installed.
You do realize that behind every one of those crashes is probably a bug that's even more exploitable than this one.
Yes, but the swfdec project fixes bugs as soon as possible:
Our first security fix release: Swfdec 0.6.4. Please update."
"Fixes in this release:
- fix a security problem that allowed remote Flash files to read local files.
- fix a rare crash in TextField.replaceText
- fix a rare crash during cleanup."
This was fixed in the latest version of Flash Player - released 8 April 2008 so this is olds not news...