Buffer Overflow In All Shockwave Players

drinkypoo writes: "As per this article at lwn.net there is a buffer overflow which affects "All SWF plugins on all platforms" because bounds checking is not being done on the SWF data. You can use this problem to "execute arbitrary code stored in the SWF file"."

Re:Dunno 'bout ya'll... buuuut

[jandrese (485)]

AARGH this site is driving me nuts! Why did it feel the need to open a new window on the site? What's with all of this Javascript formatting? Why won't it just bring me to the stupid flash site so I can download the swf and play it, since the integration with the browser is broken on my machine? In the end, despite reading though the source on almost every page to get to the next page, I never did see any of these digital art exitbits.

Then clearly . . .

[hawk (1151)]

. . . lwn.net was running shockwave on a server and got fouled up from a time-travel game . . .

hawk

News alert: uninitialized variable in main.c!!!!!!

[heroine (1220)]

Sure a buffer overflow in Flash is big news. It's bigger than the uninitialized variable of 1999. But I think the news item of the millenium is going to be the null pointer dereference in Netscape. Look out CNN. We've got a null pointer story.

Re:Is it possible...

[sql*kitten (1359)]

Yet another argument for open source software...

You mean like sendmail and BIND? Try searching the CERT advisories and you'll see what I mean.

I dunno if I should be worried...

[Yakko (4996)]

well, since for the majority of flash-enabled sites I visit in Netscape for Linux (or SunOS, or HP-UX, or anything not win*), the flash fails to execute...

I may just be delighted to see "Movie not loaded..." when I right-click on a blank space in a webpage after all!

--

Plugins are stupid anyway

[tommy (12973)]

I never met a plugin I didn't hate.

Re:Saying Flash is bad is an understatement.

[Pope Slackman (13727)]

Not to mention I have yet to see a Flash page with a static image - they're always animating with a rotating logo or some other action. Boom there goes all your bandwidth for that remote X connection.

As I said before, Flash designers care about your
remote X sessions about as much as you care about their silly animations. I'd estimate people browsing across remote
X connections make up less than 1% of page views. It's an insignificant amount.
Remember, most 'normal' people aren't impressed by text-only pages written in HTML2, even though it's an effective way of disseminating info.


Then you factor in the fact Flash renders the animations in realtime, add in that constant animation with transitions/fades and there goes all your CPU power.

This is both a blessing and a curse. By rendering on the client side, you don't need to transfer a zillion frames of a raster animation. BUT, it does suck up processor cycles.
That said, I find I have MANY more processor cycles than kb/s of bandwidth, even on my slowest boxen.


There doesn't appear to be any concept of idle time - it's development is similar to Director which I've worked on for 3 years, and in order to pull off a "Press here to continue" with an animation, you have to loop it. Ick.

(Forgive me if I'm thinking of something else.)
Ummm...Of course you have to loop it.
You can't make a repeating function (like an animation clip) without looping. Some programs
can hide it, but in the end, the processor is still executing a loop.


But then again what do you expect from a product from a company originally developing on the Mac?

Ahhh, the joys of teenage Linux bigotry. :P

I'm not saying Flash is perfect. It's far from it,
but it's not technology from the smoking pits of hell, either.

--K

Re:No one cares

[Pope Slackman (13727)]

The average web'master' can't even write HTML nowadays, or that's what you'd think looking at websites owned by large corps.

Absolutely true. I've had cow-orkers ask me (in an almost disbelieving tone) why I
was writing HTML by hand when "Frontpage is already installed"...
I've also heard people talk about "learning HTML" when what they mean is "learning Frontpage".

I kinda like Flash tho, it's nice for making slick, compact, artsy-fartsy things that won't get broken
by crappy HTML renderers. It either works, or it doesn't, and chances are it will work,
because 95% of the viewing population is Win/Mac.
And for the other 5%, it's not hard to include a less 'cool', but equally informative text version.

It all depends on who's doing the work and weather they give a shit.

--K

Plain wrong

[redhog (15207)]

According to page 3-13 of "Pentium Pro Family Developer's Manual" "Volume 3: Operating System Writer's Guide", table 3-1: Code and Data segment types, there are four types of data segments - read-only, read/write, read-only-exapnd-down and read-write-expand-down, and four types of code segments - execute-only, execute-read, execute-only-conforming and execute-read-conforming. The problem is that under any UNIXy x86 systems, you don't use segmentation, but creates one big executable segment and one big data segment, spanning all of the linear adress space, and use page control as access control. This is because a) old big UNIX machines didn't have segmentation and b) some hackers consider segmentation an uggly cludge...

Re:Plain wrong

[redhog (15207)]

Because you have two segments overlapping in memory completely.
As I said, under any x86 UNIXy system (like Linux), you have a data segment and an exec-segment that have the same linear adresses, spanning all of the linear adress space. This means that you more or less entirely bypass the segmentation system. This method of bypassing the system is even described in the Intel manual, with reference to porting mainframe OSes! In this model, CS is allways equal to the segment descriptor with the exec flag set, and SS/DS/ES/FS/GS the one with the write/read flags set. All access control (read only or read write) is then done in the page system, where there is no notion of execution.
If you don't beleave me, check out the Pentium manual [intel.com], page 108, figure 4-1 (Not the same as the hardcopy I refered to before, this is for the Pentium, not Pentium Pro, but this particular thing haven't changed a bit).

Re:Flash is a piece of shit

[alienmole (15522)]

I said, "at one point, it didn't even have an uninstaller", and that's accurate. I followed the instructions for uninstalling it at the time, and it was a PITA. As far as I'm concerned, if something is going to a great deal of trouble to make sure it installs real easy, it should be equally easy to uninstall - which means, when you go to Add/Remove Programs in the Windows Control Panel, Flash should appear there and be uninstallable at the click of a button.

Perhaps it does that now, I don't care. It's (a) a security risk, (b) an unnecessary piece of shit (as previously stated.)

As you can tell, Macromedia annoyed me with this. But this also goes to a bigger, more serious issue - that of one-click downloads and updates of software on user's computers. Most users aren't able to make an informed choice about the software they're "choosing" to download. They just want to see the latest shiny thing on the website they're looking at, or get the latest update to anything from Winamp to their IM client. While this is a marketer's dream, it's a security nightmare. As the macro virus holes in software like Office are slowly closed, downloadable Web widgets are likely to become the next major virus delivery channel. And you can't trust "name-brand" companies like Macromedia, as this buffer overflow bug proves.

So don't give me "People, you're not even trying." I'm not trying, I'm succeeding, in following and promulgating successful security policies.

Flash is a piece of shit

[alienmole (15522)]

If a company wants to put out a multimedia viewer, they shouldn't try to force it on people. After it's been downloaded the first time, the damn thing virtually (or actually?) downloads updates itself. At one point, it didn't even have an uninstall option - and may still not for all I know, I no longer allow it on my system or my clients' systems. I've told my clients it's a security risk. Boy do I look like a guru now...

Dunno 'bout ya'll... buuuut

[GreyFauk (18632)]

I installed it once under Linux... then realized
It was lame and useless... *shrug*

Yeah.. I'm on DSL and it only takes 10 seconds
for an Obnoxiously large web-site to load.. but I sure miss
Those REALLY nicely formatted sites that loaded
in ONE second using Lynx and a 28.8 connect.

Shockwave is like those metallic ribbons you
find hanging from the ends of the handle bars
on a girls bike. They may look pretty and be
entertaining to a simpleton with the IQ of jello
but they really don't serve any useful purpose.

Re:it's the content that matters, and ONLY content

[Black Parrot (19622)]

> The web is no longer JUST a vehicle for transmitting information. It is also a tool for entertaining and marketing.

If you want to market to me, the same still applies: "Just the facts, ma'am." If I have to wait 10 seconds for some fancy graphics/animation/whatever to download, I'm more likely to click "back" than to patiently wait to be spoonfed a commercial that substitutes flash for content.

It is not uncommon for me to go to sites specifically looking for product information and leave without that information because I don't feel like waiting for the dog'n'pony show to finish. Those vendors lose my business.

Same think with other kinds of site. ABC news used to have a decent site, but they "upgraded" it to make it more commercial friendly at the expense of making it hard to skim the headlines. I haven't been back since the "upgrade", so now I don't see any of their commercials.

--

Re:it's the content that matters, and ONLY content

[toofast (20646)]

I bed to differ. We "geeks" understand and know when to recognize a link when we see one. After taking an Internet Marketing class, statistically, more people will Click Here [slashdot.org] if you tell them to do so -- just like TV ads that say Buy Now or Hurry, while quantities last! It works with the general public. They're telling the masses what to do, and although the Click Here [slashdot.org] doesn't work for you or I, think about the millions of AOL customers who don't have a clue... They need to be specifically told to Click Here [slashdot.org]. And they will.

Trust me -- in online marketing terms, Click Here [slashdot.org] works, and that's the sad part.

Click here to learn how to make money on the web.

[toofast (20646)]

See how well the Click Here works? You clicked. If I had a banner ad, I would have made $0.02. I've proved my point. It's all marketing. Blame the marketers for the Click Here craze. Now go read my previous post for more information.

Stupid question...

[ConceptJunkie (24823)]

We hear on an almost daily basis that there are security holes... mostly in Microsoft and Netscape software. The latest idiocy is that Windows Media Player can be used to execute arbitrary programs. Many of these holes involve buffer overruns that allow execution of "arbitrary code".

Has there every actually been an actual and successful exploit using a buffer overrun that caused anything other than a GPF/segfault?

There's a lot of heat and noise about the sieve-like quality of software security of Internet software, but is it _really_ that much of a risk?
(Which isn't to say it shouldn't be addressed with all haste)

Rick

Due to a Y2K bug, all Y2K bugs occurred on 1 January 2001.

MY GOD

[delmoi (26744)]

That is some sweet flash....

Re:Need Linux Multimedia DHTML/Flash Clone

[TheInternet (35082)]

Now, how to get an Open Source "DHTML" multimedia project, that will cicc arses, rolling?

DHTML is a generic term to describe a lot of different things, like "object-oriented" or "open source." DHTML is not a specific technology. It is a collection of several standards: CSS, JavaScript and CSSP. And furthermore, you already have an "open source DHTML" project. It's called Mozilla.

If you're saying you need a open source Flash clone, take a look at SVG: XML-based vector graphics. It's supported by W3C and Adobe (amongst, others).

- Scott
------
Scott Stevenson

Mod Up + Karma whoring: Gabocorp

[brianvan (42539)]

Please mod the parent post up. If anything from Macromedia tanks my computer, I'd most rather have that site do it for me. I took a web design class at my university's art dept. two years ago... not your typical "learn HTML and Javascript" course, rather entirely focused on WYSIWYG editors and visual communications... and they used Gabocorp as an example of what can really make you weep at your own pathetic visual design skills. Apparently the whole company is some kid from Puerto Rico who makes Flash presentations like B.B. King makes blues music. The correct URL, for the lazy, is gabocorp.com [gabocorp.com]. The old "dubuhya dubuhya dubuhya dot" at the front leads to a non-existent server. (Then again, what's the problem with adding an extra DNS entry? Only us geeks would moan about that, though).

Re:buffer overflows--again?

[thogard (43403)]

while grepping through the linux source it appears that it sets the prot_exec bit only if the vm_exec bit is set. I'll have to check what the intel chip acutal does (I never liked the things, too much of a hack design) but from the source it looks like if any data or stack segments were not marked vm_exec then they wouldn't allow code to run at all.

For thouse that don't understand what I'm talking about....
Stack overflows take some simple data like this:
char name[25];
something_broken_like_gets(name);

Now when you feed in a string like "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA", it goes on the stack and if the stack is built the wrong way, it over writes the return area on the stack. So if you play your cards right an replace the 'A' with a properly calculated stack frame you can have the return from teh function return to your code which you just happened to supply. The CPU pops the stack pointer and runs user supplied code and that is how most exploits happen. There are tools tha t will help generate the proper strings that have been mentioned in places like bugtraq.

Re:no exploit

[QuantumG (50515)]

indeed, and this is exactly the point that security experts who are in touch with reality try to bring to the public interest. Consider the analogy of a door (on a house or a car). Now if I believe that no one can open the door without my key I am not going to stem that belief just because you tell me that my door is "not secure". It is not until you demonstrate that the door is openable without the key that I am willing to change by belief in the security of my door. However, it is not only the security expert who can demonstrate the insecurity of your door. Indeed, the house/car robber can do the same. Is it not in our interest to aid the security expert to be the first to find the insecurity in our doors?

Re:buffer overflows--again?

[QuantumG (50515)]

The kernel is coded to be portable. On some archetectures you can indeed say this, but not on x86.

Re:no No NO! Pitiful excuses!

[QuantumG (50515)]

and once again. I tell you that the programmer has no idea what can cause a security fault so he has no idea how to fix it! It's not his job. We don't expect him to know anything about the lowdown on computer security. Hell, computer security is an emerging field. To be an expert in it you have to read and read a lot. I personally would prefer my programmers spending their time fixing (and indeed preventing) the bugs that users are going to report. Not the ones that some security egghead is going to find three years after we've shipped the product.

Re:Without pointers you are not Turing complete

[QuantumG (50515)]

technically integer pointers into arrays are called "indexes" or at least in every book I've read. By pointers I specifically mean a variable that contains the address of a memory location. Although even that definition isn't great because that included "array variables".. oh well.

Re:buffer overflows--again?

[QuantumG (50515)]

actually it's even worse than that. On an x86, you have two mechanisms of protection. You have segmented protection and you have page level protection. On page level protection you may specify whether a page is readable, writable or both. If a page is readable then it is executable. The other form of protection is descritor level protection. That is, the descriptor used in the segment registers (mapped via the LDT and GDT) can be set to, once again, readable or writable or both. Readable implies executable. Now this is so engrained in x86 that you will often see people refering to the readable bit as "read-exec". Linux uses descriptors via the LDT of each process to give seperate address spaces to every program. However, the stack is not a seperate address space to the code and data segments. That is, you don't have a different descriptor in SS than you do in DS. If you did have such a mechanism, you would have a lot of problems deciding when you need to use the SS register and when you need to use the DS register to access pointers.

Wrong group

[QuantumG (50515)]

err.. shouldn't this be under "bugs" and this story [slashdot.org], shouldn't it be under well, anything other than bugs? What's going on?

Re:Is it possible...

[QuantumG (50515)]

Actually you can get the source [macromedia.com] to the Macromedia Flash (ie Shockwave) player at no cost.

Re:"How long, O Lord?"

[QuantumG (50515)]

umm.. no.. see security analysis is a completely different disciplin to software development. So what you're asking the programmers to do is something very very hard (for them). You might as well ask them to determine if there is a product for the software or whip up an ad campaign for it. After all, who knows the product better than the software developers right? Now.. a reasonably informed opinion would be that companies should get security testers to test their product before they ship (or better yet, during the development cycle). But that would involve hiring people and paying them money to fix problems that people might not even find. Remember, most security bugs are not found. The product lives out its short life and disappears from the world when the next version or the next great paradigm shift happens. So you're asking companies to spend money on things that don't really loose them any money in the long run. So no, there is no technical reason why software can't be secure. It's an economic/political thing.

Re:hmmmm...

[QuantumG (50515)]

how about posting how to do this under win2k.

Re:hmmmm...

[QuantumG (50515)]

some how I doubt the first exploit to be written for this bug will be targeting linux.

Hmm. Maybe there is neat uses for this

[by Anonymous Coward]

Many embedded web browsing devices ship with support for Flash. Maybe this overflow could be used to execute any code on those boxes if it was not possible otherwise. E.g. just load shockwave movie from http://linux.boot.org/ and your box will boot to Linux. Would not that be cool?

Now, think what we could do with a beowulf cluster of Flashed computers. This will give whole new meaning for flashing new applications.

Re:buffer overflows--again?

[QuantumG (50515)]

err.. you're really lost in thinking that this code is being executed in the data segment but anyways, on x86 there is only READ_EXEC_ONLY, READ_WRITE_EXEC, READ_ONLY or NO_PERMISSIONS. You can't say READ_WRITE_ONLY which is the problem. If you want a data section that is read only then you can have that, but if you want a read/write data section that is not executable, sorry, that's not offered.

ahah!

[fluxrad (125130)]

so that's what the boys at gabocorp [gaborcorp.com] have been doing all along!

those nefarious bastards!


FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network

CSS crashes Netscape or is illegal in USA

[yerricde (125198)]

No, it is completely NOT necessary with css.

Unless you're selling DVDs, you don't have to worry about CSS issues.

Oh, that CSS. Cascading style sheets. The one that crashes Netscape 4.x, one of the most popular browsers on the Net (because Mozilla won't run well on their 32 MB machines). If you're using CSS layout, you may want to use a DeCSS filter [pigdog.org] to remove the formatting for those who are behind Nutscrape.

Tetris on drugs, NES music, and GNOME vs. KDE Bingo [pineight.com].

Bummer..... Not many will care...

[sdriver (126467)]

Many people havn't updated NS from the "Every web browser is a server with JAVA" security hole. So I doubt anyone will care.... :(

Easier way of updating browsers?

[Mold (136317)]

The majority of users won't care if there browser has security issues. They have their browser, they may have had it set up for them, or they may just not want to download a newer browser; this, and most other browser security holes will be left open.

The Windows update utility will fix this more some Windows users, but again, most users aren't using the latest version, or they'll just cancel the download.

Are there any really good ways for a browser to be kept up to date without causing too much trouble on the users part or sacrificing any security (for the anti-Microsoft paranoids)?

Re:hmm

[squiggleslash (241428)]

Usually buffer overflow exploits make use of the fact that the majority of them occur in dynamically "auto" allocated memory, memory allocated on the stack for a function's local variables. For instance:

int getnextnumber(FILE *fp)
{
char line[100];

fgets(line, 200, fp);
return atoi(line);
}
(I may have got the parameters in the wrong order above, don't flame me, it's the principle that I'm trying to describe)

In the above, the programmer has allocated a 100 byte array for input of a number, but has called fgets to read a line of up to 200 characters. So a 101 byte line will overflow the buffer.

With most C compilers on most platforms allocate memory, the same stack is used to store the return address to jump to when the function has completed executing as the data itself. Therefore, a buffer overflow exploit needs to put code in the buffer, work out where that code will be when the function is executed, and overwrite the return address with the address of that code.

It's not easy but a number of factors can help a hacker in this situation, usually that once compiled for a particular platform, on 32 bit platforms at least, the function will normally always appear in the same place in memory, and when the program is running, if you're careful about the conditions underwhich you feed it bad data, you can make a reasonable assessment as to where the stack will be when its called.

The majority of UNIX hacks I've seen on the BugTrac lists are buffer overflow exploits, and from what I recall, they're the major ones the OpenBSD [openbsd.org] team are constantly on the look out for. So it's a real problem, and assuming the Shockwave overflow is predictable as described above (or requires little overflow anywhere else to overwrite code or a return address), it's credible someone might use it.

So don't run Netscape as root. Unless you're a Windows 9X/Me user of course, where you don't have much choice...
--

No one cares

[Pope Slackman (13727)]

The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).

Hardly anyone who does Flash even knows about, let alone cares about Linux support.
The two major consumer platforms are well supported (and exploited, now! ;),
and Linux still holds a tiny amount of market share.
Not to mention hardcore Linux users will occasionally drop into 'doze or MacOS to browse,
simply because Netscape sucks SO much.
(Konqueror, on the other hand, is really getting there. Even supports Flash. :P)

IIRC, keyboard navigation *IS* possible in Flash, but it has to be authored in, which most people neglect to do.

-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.

Once again, the average Flash author will prolly think 'X' is some pr0n reference.
X platforms simply don't have enough market share for Random Webdesigner to care about - as long as (s)he hits the target audience and gets paid, (s)he's happy.

The Flash player is definately a buggy piece of software, but I've had far less
lockups and far more speed with Flash than with Java, so I really can't bitch about stability too much.
The buffer overflow is *extremely* careless tho...hopefully Macromedia will fix it soon.

--K

Glad I Haven't Installed Shockwave

[Alex Pennace (27488)]

I've been meaning to install Shockwave on my Linux box to look at all the fancy things everyone else gets, but now I'm glad I haven't done so yet.

Once common misconception about Unix security is if something doesn't run as root, any possible exploit is not important. A Shockwave player compromise can still read your mail, get/alter your files, even ptrace Netscape or ssh and grab your passwords. Doing as many things as possible under a non-root user is good practice, but does not solve all problems.

Re:unable to close the hole .....Eurika!

[Kalgart (127560)]

Well after a little searching I found where M$ hides shockwave for IE5.

c:\windows\system\macromedia

it's now been sent to /dev/null .....

This is fairly old

[jesseraf (230545)]

Here's the bugtraq id on securityfocus:
http://www.securityfocus.com/bid/2162
Cheers

"How long, O Lord?"

[Black Parrot (19622)]

There are languages, and libraries for other languages, out there that build in buffer bounding without you having to trust your programmers to handcode a check every time they make an I/O call.

When are developers going to wise up? Or do we still have a world full of developers who've never heard of the concept "buffer overflow", and thus don't know they should be taking precautions.

I know there are subtleties of security that won't be cured by a silver bullet, but BOs are discovered almost daily, and unless you're a hermit that never hears about any of those discoveries, there's not much excuse for publishing a program with a BO in it.

[Writer crosses fingers hoping not to be the next person to publish one!]

--

it's the content that matters, and ONLY content

[poopie (35416)]

Anyone who thinks that a good website should depend on a plugin/javascript/animated graphics/java/images with no tags/frames/ or overdesigned pages that take forever to load on a 14.4 connection deserves the complaints from users they will get at the email address listed under 'feedback' on their page.

Spend your time on content, and when you've got good content, add in features... but don't ever trade off usability or accessibility for 'animated pull-down menus with sound and all sorts of mouseover hoopla' that won't work with anything but the latest browsers.

Use lynx and links to test your site for navigation. If you can't at least navigate your site with these tools, then it's time start over.

My personal list of website peeves:
- Click here to enter -- Duh!? I already entered the url, doesn't that mean I want to enter?
- anything that says UNDER CONSTRUCTION -- no informational value. Everything on the internet is under construction
- clear 1X1 pixel gifs used for spacing with alt tags that say "spacer" - doing typesetting with 1X1 pixel transparent gifs is a kludge that adds a lot of excess html to your docs
- more than 2 frames in a page - on rare occasion, I can stomach two frames.
- using javascript for something that could be done with standard html - don't use javascript to display text, for example
- websites that play music - saw a sig on /. that said "If I wanted your site to make music, I'd have turned on the radio"
- websites that have all info in non-html or text formats like doc, xls, pdf, ps - Thanks for nothing - just post the info and use html or text. More info and file formats are nice, but put the info in text first.
- websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
- popup ads - did I ask you to open a window?
- any site that says: "Welcome to my website" - duh!
- more than one animated gif on a page

there are more, but I don't have the time to list them all. Bottom line: cut the junk and and leave the content.

no exploit

[QuantumG (50515)]

this is still in existance for the sole reason that no-one has bothered to write an exploit for it. In situations like this the standard response is to create a web page that explains what the exploit does and how it will do it. Then a link is included that says "show me, I want to be exploited" and clicking on the link does something fancy like writing files to your harddrive or desktop along with bringing up a message box. Why is this necessary? Because most companies do not have the time or man power to track down every little bug and fix it, not matter the security risk and it is only after demonstrating that this is a serious problem that customers start to complain and companies take notice.

Re:it's the content that matters, and ONLY content

[FTL (112112)]

>My personal list of website peeves:

Good list.

My list of peves is very similar, but also includes click here [slashdot.org] links. When one glances at a webpage the links stand out. So one can usually just scan down and find the link one wants. But this doesn't work when the text that stands out is click here [slashdot.org], click here [slashdot.org] and click here [slashdot.org].

click here [slashdot.org] for Slashdot,
vs
Visit Slashdot [slashdot.org].

Flash baad

[tinic (121416)]

The flash player is one poor piece of engineering:

-Having two points on the same coordinate in any kind of vectorial shape causes a crash (something like a division by zero).

-The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).

-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.

-Specs for the newest .swf format revisions are always kept secret. Flash5 contains a JavaScript like language called ActionScript. This kind of stuff scares me to death...

hmmmm...

[mirko (198274)]

It could always be possible to alias the netscape command to be transparently invoked as another user by placing the following in one's ~/.bashrc :
alias nsnav = "su - dummy -c nsnav"
alias nsmail = netscape
launch the mail as usual or with the nsmail command and if you want to surf (see here [slashdot.org] why you would like to), just launch navigator with the nsnav command.
Of course, you'd better use Konqueror or W3-Emacs but this was my 0.01$ bit.
--

Um...

[OblongPlatypus (233746)]

Not saying this should make you discredit the entire report, but I found this quote sort of funny:

By dumb luck, met a guy at a party who knew a guy who was the sister of a "senior manager" at Macromedia. Decided to hold off posting.

(From the "reporting history")

This has been out for a while....

[Calle Ballz (238584)]

But I guess they feel that it is now a bigger threat. Maybe joecartoon [joecartoon.com] and killfrog [killfrog.com] have been rooting our boxes unsuspectingly for the last year, and they are not catching on.

Oh well, my favorite resource [securityfocus.com] has some more information here [securityfocus.com]