Re: pacsec hype security advisory: seven words ofwarning about Flash player nine.

["Dave \"No, not that one\" Korn" <davek_throwaway () hotmail com>]

Dragos Ruiu wrote:

> "The new Flash player adds network functions!"

  Hey, I can do it in three words!

  Flash.  Must.  Die.

> and thus there are many ways to bypass the only-connect-back-upstream
> and port < 1024 limitations on the SWF applet Socket() class. A

  Limiting ports to less than 1024 hasn't been any kind of security measure 
since.. I dunno, forever really.  Since there were more than two machines 
connected to the internet.  How can anyone in the 21st century think that 
this is meaningful?

> The potential for network misuse possible in Flash just went up
> several orders of magnitude, and as the Adobe site triumphantly
> proclaims it's apparently in use at 97.3% of networked computers.
> I'll avoid some of the more exotic scenarios, lest they give
> anyone some bad ideas -

  Distributed port scanning from a malicious webserver that gives every 
client a slightly modified .swf with a different range of ip addresses to 
scan?

  Seriously, thanks for the warning.  Once more, feeping creatureitis wins 
out over sanity and security.  Oh well.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/