Full Disclosure mailing list archives
Re: adobe.com important subdomain SQL injection again!
From: Victor Rigo <victor_rigo () yahoo com>
Date: Sun, 19 Dec 2010 16:56:12 -0800 (PST)
Concurred. No file format is as obnoxious as SWF. However, with the debut of HTML 5, we're finding that video is being offloaded to <video> and open codecs are being integrated into browsers. Further, HTML 5's media capabilities are making flash cumbersome. Try disabling flash extension on Firefox and enjoy real internet. Victor Rigo, CISSP Independent Computer Security Consultant Buenos Aires, AR +5411-4316-1901 --- On Sun, 12/19/10, Christian Sciberras <uuf6429 () gmail com> wrote: From: Christian Sciberras <uuf6429 () gmail com> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again! To: "Marsh Ray" <marsh () extendedsubset com> Cc: "Victor Rigo" <victor_rigo () yahoo com>, full-disclosure () lists grok org uk Date: Sunday, December 19, 2010, 9:25 PM "Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things." - Marsh Ray I'll keep using that quote till I die... On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray <marsh () extendedsubset com> wrote: On 12/18/2010 05:30 PM, Victor Rigo wrote:
Let's see, flash is:
- Cross-platform
- Cross-architecture
- Has it's own programming language
- Is embedded on websites
- Access to javascript to popup, local caches, etc.
Not on my machine?
It's not ineptness, it's what you get when you right software that can
actually do stuff.
Adobe comes from a time when you could write PC software without caring about security. Yeah, it was a heck of a lot easier to write just about anything back then because it was well and proper that anything could do anything. Nowdays, the first questions after "hey our software could do this" must be "but should it do that? What else could someone leverage that new capability to do? How does it combine with every other feature in our app or even on the whole platform? What if somebody does it repeatedly in a tight loop? With pathological inputs?" and so on. These questions take a long time to answer. So if a vendor is known for "letting app developers do more stuff" and not also known for "letting users control what stuff gets done on their own machines" then they are laggards, not leaders, in my view.
If Java applets were still the hip thing, you'd see the same thing about
that.
There's undoubtedly some truth to that. But at the same time, it doesn't seem like a useful line of reasoning: * It's still not an argument for using Flash. * That Java plugins have had chronic security bugs doesn't mean that Flash doesn't suck too. * You seem to imply that you don't think that Adobe is likely to secure Flash any time soon. You're not saying "Adobe will secure Flash in the next patch and then it will be great." But you listed all the great stuff it does, so I have to think you would have said something like that if you believed it. You may be making Flash look worse than it is. * It's basically an "appeal to futility" argument: no one could make a development platform and browser plugin that is significantly more secure (or does a better job of managing the security vs. "doing stuff" trade off) so therefore we should accept the status quo. That's why it's not useful: it gives no guidance on directions in which to improve. Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things. - Marsh _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- adobe.com important subdomain SQL injection again! Maciej Gojny (Dec 18)
- Re: adobe.com important subdomain SQL injection again! Jeffrey Walton (Dec 18)
- Re: adobe.com important subdomain SQL injection again! Victor Rigo (Dec 19)
- Re: adobe.com important subdomain SQL injection again! Javier Bassi (Dec 19)
- Re: adobe.com important subdomain SQL injection again! Jeffrey Walton (Dec 19)
- Re: adobe.com important subdomain SQL injection again! Pavel Kankovsky (Dec 19)
- Re: adobe.com important subdomain SQL injection again! Jeffrey Walton (Dec 19)
- Re: adobe.com important subdomain SQL injection again! Marsh Ray (Dec 19)
- Re: adobe.com important subdomain SQL injection again! Christian Sciberras (Dec 19)
- Re: adobe.com important subdomain SQL injection again! Victor Rigo (Dec 19)
- Re: adobe.com important subdomain SQL injection again! John Jester (Dec 20)
- Re: adobe.com important subdomain SQL injection again! Jeffrey Walton (Dec 23)
- Re: adobe.com important subdomain SQL injection again! Victor Rigo (Dec 19)
- Re: adobe.com important subdomain SQL injection again! Jeffrey Walton (Dec 18)
- Re: adobe.com important subdomain SQL injection again! Serkan Özkan (Dec 20)
- Re: adobe.com important subdomain SQL injection again! John Jester (Dec 20)
- Re: adobe.com important subdomain SQL injection again! Marsh Ray (Dec 20)
- Re: adobe.com important subdomain SQL injection again! Pavel Kankovsky (Dec 23)
- Re: adobe.com important subdomain SQL injection again! Chris Evans (Dec 21)