Linked by David Adams on Wed 16th Apr 2008 15:58 UTC, submitted by supergear
IBM researcher Mark Dowd has outlined a Flash vulnerability that could allow for a rare cross-platform web-based exploit. Matasano Chargen uses a Super Mario metaphor, an example we can all relate to, to illuminate it.
Thread beginning with comment 309919
To view parent comment, click here.
To read all comments associated with this story, please click here.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2006-09-01
The exploits they were talking about seem to have a lot to do with the Flash AVM, which just happens to be open source.
http://www.mozilla.org/projects/tamarin/
Member since:2005-07-06
Read Touvan's comment above, then read the article again. You will see that this exploit required detailed knowledge of the internal workings of the VM. If the VM had been closed source developing this exploit would have been more difficult.
Edited 2008-04-16 21:07 UTC
Member since:2006-01-26
Read Touvan's comment above, then read the article again. You will see that this exploit required detailed knowledge of the internal workings of the VM. If the VM had been closed source developing this exploit would have been more difficult.
Ah excellent! Then I guess that makes it seemingly less "Inhuman".
So, certainly this does show that eyeballs *do* review open-source code in the interest of security auditing.
Now, if only the rest of Flash was OSS as well, it could possibly be patched and an update released without waiting for Adobe to fix it themselves.
I have to assume part of Adobe's decision to open the ActionScript engine was to encourage others to fix the problems and submit patches back so that all can benefit.
Note: I'm not necessarily an open-source zealot - but I can certainly see the benefits.
Recent Original Stories
Recent Comments
Headlines
Random Comments
Random Stories
Random OS Link
Member since:
2006-01-26
I would say the lesson learned here for anyone who still believes that proprietary software is safer due to the closed-code is: It doesn't matter - someone with the know-how and determination will still figure out how the software works and find exploits.
Thus, open source has the advantage that *more* people can evaluate the source and find such flaws prior to compilation rather than via low level debugger and disassembly.
Also, if someone wanted to fix this in a mission critical environment before an official patch is available, they would be able to. Something that is not so easy with proprietary closed-source software.
edit: fixed wrong word in my sentence
Edited 2008-04-16 18:12 UTC