Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Buffer Overflow In All Shockwave Players 201

drinkypoo writes: "As per this article at lwn.net there is a buffer overflow which affects "All SWF plugins on all platforms" because bounds checking is not being done on the SWF data. You can use this problem to "execute arbitrary code stored in the SWF file"."
This discussion has been archived. No new comments can be posted.

Buffer Overflow in All Shockwave Players

Comments Filter:
  • by Anonymous Coward
    neither have i [slackersguild.com]
  • by Anonymous Coward
    I hope these "enhancements" die under their own weight of complexity.

    1. They do not give me extra information. Moving crap and noise on my screen doesn't relay anythng meaningful to mean. A picture is worth a thousand words, but plain HTML does that fine.

    2. As this article points out, they add greater security concerns, due to added complexity.

    3. Sites that use them load slowly. What happened to plain, pure, elegant HTML?

    As a rule I avoid sites that use these like the plague. For the web people out there - build your site on lots of GOOD information, a few meaningful pictures, and make it EASY TO NAVIGATE, complete with a search.

  • Actually, you can skip the first step in Scenario 2:

    [Scenario 2]
    The geek fires up Netscape, and watches as Netscape dumps core.

    You won't need Flash to crash Netscape...

  • And to add insult to injury, there's no way to disable flash palyer in most browsers. If you have netscape, you can go to plugins directory and remove flash plugin from there, but for MSIE you would probably not even know where it is located, and it probably would insist on re-installing the plugin every time you come to page with flash. That's a really annoying situation.
  • Welcoming someone to your website is gracious, there is nothing wrong with that.

    ~shine
  • Big pet peeve of mine: assuming YOU know how I want to see your site. You don't know my screen, my eyesite, anything. HTML was meant to be structural, presentation is defined by the browser. Especially when I do browsing with lynx, because I want information.

    For all the Flash / Image users out there who don't have text on their pages, remember this: all the search engines only index text. If you insist on Flash, you just dropped all the potential customers who used a search engine.
  • This is known for a very long time, all Flash developers, I mean the guys who hack the swf format, knew this. It's pretty easy to make your Windoze machine crash even get a BSOD on NT.
    Buffer overflows have not been exploited for the moment, needless to say what OS will be the big victim, the Linux users may worry though.
    Developing Open source player is again the answer, check out this project [swift-tools.com] and contribute! Even for Windows.

    Anyway, Flash rocks.
  • The introduction screen, which is incredibly painful to read (scrolls real slow) contains the text:

    "Please read the User Guide to learn how to navigate through the site"

    No thanks. You have got to be kidding me. This definately does not "rock".
  • Well, I'll have to disagree with you. Of course it is possible to create "dozens of websites" without needing a spacer gif. That's not the point. There are certain graphical layouts that require spacer gifs. Particularly large multi-image graphics where the images must align to the pixel. They are also required when using tables for layout (I know, I know...) and the cells must be fixed to a specific size.

    To some people, the look you can achieve is more important than avoiding layout tables and spacer gifs.

    There are alternatives, of course, like absolute positioning, netscape's <spacer> tag, etc. But often these solutions are just as hokey and yet less supported by browsers.

    -bp

  • More importantly, the version of Tetris (Fake-ris) on this site blows. It destroys the symmetry of Tetris and it's ugly too. Like all poorly implemented Tetris clones, it fails to recognize the original beauty, or attempts to "improve" in some stupid way. Yes, I'm bitter about it.
  • At this point, I'm no longer worried about Netscape's problems for something as essential as CSS. The most common problem I have experienced with NS 4.x and CSS is that sometimes it will display the contents of external CSS files rather than using it to style the page -- that's with the type attribute being properly set.

    It works most of the time and that's good enough. If users don't like it when they see the problem, they can get a better browser. I'm sorry. Netscape 4.x is pathetic and Mozilla/NS 6 is still striving to be as good as IE 4. As a web designer, I feel like my hands are tied. Do I live in 1995, or do Netscape users just have to put up with the quirks associated with CSS? I'm tired of living in the past... they can deal with it.

    The fact is NS with CSS works most of the time and that is good enough. If someone disagrees then they can go download and use IE or shut up. If IE isn't available on your platform, then good luck with Mozilla or any of the alternative browsers available. NS just isn't the best anymore and apparently never will be. Maybe Netscape 6 will kick ass if Mozilla has *another* three years to work on it, but IE will probably be to 7 by that time(without skipping a version number!).

    Netscape is like a bad ex-girldfriend. Used to love her. Now hate her guts. Can't get a restraining order against her.

    ...winding down. Netscape gets my blood pressure up. One time, on a business trip, I found myself in a similar rant with some co-workers at a restaurant and then thought, "wait a minute... I'm in Mountain View". Actually Palo Alto, but close enough.
  • AARGH this site is driving me nuts! Why did it feel the need to open a new window on the site? What's with all of this Javascript formatting? Why won't it just bring me to the stupid flash site so I can download the swf and play it, since the integration with the browser is broken on my machine? In the end, despite reading though the source on almost every page to get to the next page, I never did see any of these digital art exitbits.

  • . . . lwn.net was running shockwave on a server and got fouled up from a time-travel game . . .

    hawk
  • Sure a buffer overflow in Flash is big news. It's bigger than the uninitialized variable of 1999. But I think the news item of the millenium is going to be the null pointer dereference in Netscape. Look out CNN. We've got a null pointer story.
  • Yet another argument for open source software...

    You mean like sendmail and BIND? Try searching the CERT advisories and you'll see what I mean.

  • well, since for the majority of flash-enabled sites I visit in Netscape for Linux (or SunOS, or HP-UX, or anything not win*), the flash fails to execute...

    I may just be delighted to see "Movie not loaded..." when I right-click on a blank space in a webpage after all!

    --

  • I never met a plugin I didn't hate.
  • Not to mention I have yet to see a Flash page with a static image - they're always animating with a rotating logo or some other action. Boom there goes all your bandwidth for that remote X connection.

    As I said before, Flash designers care about your
    remote X sessions about as much as you care about their silly animations. I'd estimate people browsing across remote
    X connections make up less than 1% of page views. It's an insignificant amount.
    Remember, most 'normal' people aren't impressed by text-only pages written in HTML2, even though it's an effective way of disseminating info.


    Then you factor in the fact Flash renders the animations in realtime, add in that constant animation with transitions/fades and there goes all your CPU power.

    This is both a blessing and a curse. By rendering on the client side, you don't need to transfer a zillion frames of a raster animation. BUT, it does suck up processor cycles.
    That said, I find I have MANY more processor cycles than kb/s of bandwidth, even on my slowest boxen.


    There doesn't appear to be any concept of idle time - it's development is similar to Director which I've worked on for 3 years, and in order to pull off a "Press here to continue" with an animation, you have to loop it. Ick.

    (Forgive me if I'm thinking of something else.)
    Ummm...Of course you have to loop it.
    You can't make a repeating function (like an animation clip) without looping. Some programs
    can hide it, but in the end, the processor is still executing a loop.


    But then again what do you expect from a product from a company originally developing on the Mac?

    Ahhh, the joys of teenage Linux bigotry. :P

    I'm not saying Flash is perfect. It's far from it,
    but it's not technology from the smoking pits of hell, either.

    --K
  • The average web'master' can't even write HTML nowadays, or that's what you'd think looking at websites owned by large corps.

    Absolutely true. I've had cow-orkers ask me (in an almost disbelieving tone) why I
    was writing HTML by hand when "Frontpage is already installed"...
    I've also heard people talk about "learning HTML" when what they mean is "learning Frontpage".

    I kinda like Flash tho, it's nice for making slick, compact, artsy-fartsy things that won't get broken
    by crappy HTML renderers. It either works, or it doesn't, and chances are it will work,
    because 95% of the viewing population is Win/Mac.
    And for the other 5%, it's not hard to include a less 'cool', but equally informative text version.

    It all depends on who's doing the work and weather they give a shit.

    --K
  • According to page 3-13 of "Pentium Pro Family Developer's Manual" "Volume 3: Operating System Writer's Guide", table 3-1: Code and Data segment types, there are four types of data segments - read-only, read/write, read-only-exapnd-down and read-write-expand-down, and four types of code segments - execute-only, execute-read, execute-only-conforming and execute-read-conforming. The problem is that under any UNIXy x86 systems, you don't use segmentation, but creates one big executable segment and one big data segment, spanning all of the linear adress space, and use page control as access control. This is because a) old big UNIX machines didn't have segmentation and b) some hackers consider segmentation an uggly cludge...
  • Because you have two segments overlapping in memory completely.
    As I said, under any x86 UNIXy system (like Linux), you have a data segment and an exec-segment that have the same linear adresses, spanning all of the linear adress space. This means that you more or less entirely bypass the segmentation system. This method of bypassing the system is even described in the Intel manual, with reference to porting mainframe OSes! In this model, CS is allways equal to the segment descriptor with the exec flag set, and SS/DS/ES/FS/GS the one with the write/read flags set. All access control (read only or read write) is then done in the page system, where there is no notion of execution.
    If you don't beleave me, check out the Pentium manual [intel.com], page 108, figure 4-1 (Not the same as the hardcopy I refered to before, this is for the Pentium, not Pentium Pro, but this particular thing haven't changed a bit).
  • I said, "at one point, it didn't even have an uninstaller", and that's accurate. I followed the instructions for uninstalling it at the time, and it was a PITA. As far as I'm concerned, if something is going to a great deal of trouble to make sure it installs real easy, it should be equally easy to uninstall - which means, when you go to Add/Remove Programs in the Windows Control Panel, Flash should appear there and be uninstallable at the click of a button.

    Perhaps it does that now, I don't care. It's (a) a security risk, (b) an unnecessary piece of shit (as previously stated.)

    As you can tell, Macromedia annoyed me with this. But this also goes to a bigger, more serious issue - that of one-click downloads and updates of software on user's computers. Most users aren't able to make an informed choice about the software they're "choosing" to download. They just want to see the latest shiny thing on the website they're looking at, or get the latest update to anything from Winamp to their IM client. While this is a marketer's dream, it's a security nightmare. As the macro virus holes in software like Office are slowly closed, downloadable Web widgets are likely to become the next major virus delivery channel. And you can't trust "name-brand" companies like Macromedia, as this buffer overflow bug proves.

    So don't give me "People, you're not even trying." I'm not trying, I'm succeeding, in following and promulgating successful security policies.

  • If a company wants to put out a multimedia viewer, they shouldn't try to force it on people. After it's been downloaded the first time, the damn thing virtually (or actually?) downloads updates itself. At one point, it didn't even have an uninstall option - and may still not for all I know, I no longer allow it on my system or my clients' systems. I've told my clients it's a security risk. Boy do I look like a guru now...
  • I installed it once under Linux... then realized
    It was lame and useless... *shrug*

    Yeah.. I'm on DSL and it only takes 10 seconds
    for an Obnoxiously large web-site to load.. but I sure miss
    Those REALLY nicely formatted sites that loaded
    in ONE second using Lynx and a 28.8 connect.

    Shockwave is like those metallic ribbons you
    find hanging from the ends of the handle bars
    on a girls bike. They may look pretty and be
    entertaining to a simpleton with the IQ of jello
    but they really don't serve any useful purpose.
  • > The web is no longer JUST a vehicle for transmitting information. It is also a tool for entertaining and marketing.

    If you want to market to me, the same still applies: "Just the facts, ma'am." If I have to wait 10 seconds for some fancy graphics/animation/whatever to download, I'm more likely to click "back" than to patiently wait to be spoonfed a commercial that substitutes flash for content.

    It is not uncommon for me to go to sites specifically looking for product information and leave without that information because I don't feel like waiting for the dog'n'pony show to finish. Those vendors lose my business.

    Same think with other kinds of site. ABC news used to have a decent site, but they "upgraded" it to make it more commercial friendly at the expense of making it hard to skim the headlines. I haven't been back since the "upgrade", so now I don't see any of their commercials.

    --
  • I bed to differ. We "geeks" understand and know when to recognize a link when we see one. After taking an Internet Marketing class, statistically, more people will Click Here [slashdot.org] if you tell them to do so -- just like TV ads that say Buy Now or Hurry, while quantities last! It works with the general public. They're telling the masses what to do, and although the Click Here [slashdot.org] doesn't work for you or I, think about the millions of AOL customers who don't have a clue... They need to be specifically told to Click Here [slashdot.org]. And they will.

    Trust me -- in online marketing terms, Click Here [slashdot.org] works, and that's the sad part.
  • See how well the Click Here works? You clicked. If I had a banner ad, I would have made $0.02. I've proved my point. It's all marketing. Blame the marketers for the Click Here craze. Now go read my previous post for more information.

  • We hear on an almost daily basis that there are security holes... mostly in Microsoft and Netscape software. The latest idiocy is that Windows Media Player can be used to execute arbitrary programs. Many of these holes involve buffer overruns that allow execution of "arbitrary code".

    Has there every actually been an actual and successful exploit using a buffer overrun that caused anything other than a GPF/segfault?

    There's a lot of heat and noise about the sieve-like quality of software security of Internet software, but is it _really_ that much of a risk?
    (Which isn't to say it shouldn't be addressed with all haste)

    Rick

    Due to a Y2K bug, all Y2K bugs occurred on 1 January 2001.

  • That is some sweet flash....
  • Now, how to get an Open Source "DHTML" multimedia project, that will cicc arses, rolling?

    DHTML is a generic term to describe a lot of different things, like "object-oriented" or "open source." DHTML is not a specific technology. It is a collection of several standards: CSS, JavaScript and CSSP. And furthermore, you already have an "open source DHTML" project. It's called Mozilla.

    If you're saying you need a open source Flash clone, take a look at SVG: XML-based vector graphics. It's supported by W3C and Adobe (amongst, others).

    - Scott
    ------
    Scott Stevenson
  • Please mod the parent post up. If anything from Macromedia tanks my computer, I'd most rather have that site do it for me. I took a web design class at my university's art dept. two years ago... not your typical "learn HTML and Javascript" course, rather entirely focused on WYSIWYG editors and visual communications... and they used Gabocorp as an example of what can really make you weep at your own pathetic visual design skills. Apparently the whole company is some kid from Puerto Rico who makes Flash presentations like B.B. King makes blues music. The correct URL, for the lazy, is gabocorp.com [gabocorp.com]. The old "dubuhya dubuhya dubuhya dot" at the front leads to a non-existent server. (Then again, what's the problem with adding an extra DNS entry? Only us geeks would moan about that, though).
  • while grepping through the linux source it appears that it sets the prot_exec bit only if the vm_exec bit is set. I'll have to check what the intel chip acutal does (I never liked the things, too much of a hack design) but from the source it looks like if any data or stack segments were not marked vm_exec then they wouldn't allow code to run at all.

    For thouse that don't understand what I'm talking about....
    Stack overflows take some simple data like this:
    char name[25];
    something_broken_like_gets(name);

    Now when you feed in a string like "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA", it goes on the stack and if the stack is built the wrong way, it over writes the return area on the stack. So if you play your cards right an replace the 'A' with a properly calculated stack frame you can have the return from teh function return to your code which you just happened to supply. The CPU pops the stack pointer and runs user supplied code and that is how most exploits happen. There are tools tha t will help generate the proper strings that have been mentioned in places like bugtraq.
  • indeed, and this is exactly the point that security experts who are in touch with reality try to bring to the public interest. Consider the analogy of a door (on a house or a car). Now if I believe that no one can open the door without my key I am not going to stem that belief just because you tell me that my door is "not secure". It is not until you demonstrate that the door is openable without the key that I am willing to change by belief in the security of my door. However, it is not only the security expert who can demonstrate the insecurity of your door. Indeed, the house/car robber can do the same. Is it not in our interest to aid the security expert to be the first to find the insecurity in our doors?
  • The kernel is coded to be portable. On some archetectures you can indeed say this, but not on x86.
  • and once again. I tell you that the programmer has no idea what can cause a security fault so he has no idea how to fix it! It's not his job. We don't expect him to know anything about the lowdown on computer security. Hell, computer security is an emerging field. To be an expert in it you have to read and read a lot. I personally would prefer my programmers spending their time fixing (and indeed preventing) the bugs that users are going to report. Not the ones that some security egghead is going to find three years after we've shipped the product.
  • technically integer pointers into arrays are called "indexes" or at least in every book I've read. By pointers I specifically mean a variable that contains the address of a memory location. Although even that definition isn't great because that included "array variables".. oh well.
  • actually it's even worse than that. On an x86, you have two mechanisms of protection. You have segmented protection and you have page level protection. On page level protection you may specify whether a page is readable, writable or both. If a page is readable then it is executable. The other form of protection is descritor level protection. That is, the descriptor used in the segment registers (mapped via the LDT and GDT) can be set to, once again, readable or writable or both. Readable implies executable. Now this is so engrained in x86 that you will often see people refering to the readable bit as "read-exec". Linux uses descriptors via the LDT of each process to give seperate address spaces to every program. However, the stack is not a seperate address space to the code and data segments. That is, you don't have a different descriptor in SS than you do in DS. If you did have such a mechanism, you would have a lot of problems deciding when you need to use the SS register and when you need to use the DS register to access pointers.
  • err.. shouldn't this be under "bugs" and this story [slashdot.org], shouldn't it be under well, anything other than bugs? What's going on?
  • Actually you can get the source [macromedia.com] to the Macromedia Flash (ie Shockwave) player at no cost.
  • umm.. no.. see security analysis is a completely different disciplin to software development. So what you're asking the programmers to do is something very very hard (for them). You might as well ask them to determine if there is a product for the software or whip up an ad campaign for it. After all, who knows the product better than the software developers right? Now.. a reasonably informed opinion would be that companies should get security testers to test their product before they ship (or better yet, during the development cycle). But that would involve hiring people and paying them money to fix problems that people might not even find. Remember, most security bugs are not found. The product lives out its short life and disappears from the world when the next version or the next great paradigm shift happens. So you're asking companies to spend money on things that don't really loose them any money in the long run. So no, there is no technical reason why software can't be secure. It's an economic/political thing.
  • how about posting how to do this under win2k.
  • some how I doubt the first exploit to be written for this bug will be targeting linux.
  • why do you need to be able to write to your own code section? Besides, we're not saying that the data segment descriptors would not have read/write access to the code segment (although write access might be protected by page tables, as it is now), we're saything that the code segment descriptor would have no access to the data section (and the stack, bss, etc).
  • You're totally wrong. If the only type of data segments you have are execute-only and execute-read then how exactly do we have read-write-execute segments? Obviously we have them, or we wouldn't be having this discussion. Actually the only thing that makes a descriptor an "executable descriptor" is that it is currently residing in CS. Oh, and if you can show me a way to resolve pointer references to the right descriptor (is it in DS or is it in SS) with any sort of efficency, or security for that mater, I'd love to see it. Think about it. You have a piece of code like:

    char *p;
    ...
    *(p++) = 'A';
    ...

    Now how do you know that p is pointing to the data segment or to the stack segment? You can't. Maybe you can define a new kind of pointer (called a "far" pointer in borland compilers) that contains the segment descriptor in the pointer. But unfortunately you'll have to get the segment descriptor out of the pointer and put it into a segment register before you can do it.

  • this was hardly a case of a strcpy into a stack buffer. Read the article. This was not the kind of buffer overflow that could be fixed with a library. Indeed, a language that did bounds checking on arrays (and completely didn't support pointers) could have avoided this problem, but I'm not sure that it would.
  • oh.. I see what you're saying here! If you had a descriptor in CS that only includes the code segment of the executable (and any libraries) then execution in the data segments would be impossible. There's a few issues here that you would have to iron out, like placements of the code segments so that they are serialized in memory and don't have any data between them, but yes, I suppose this could work. I'll have a look at it.
  • I tried it.. it's very hard to get it working. About the best thing you can do is reduce the limit on cs so that it doesn't extend as far as the stack. This doesn't "solve" buffer overflows, it just makes it hard to get code to execute.
  • Even the NSA can't release code without Bounds Overflow issues [securityfocus.com]. My question is why? Please pick one... or tell me what I missed:
    • Progams are written in C, which doesn't like to do bounds checking
    • Programmers turn off bounds checking, because it slows things down too much
    • It's too difficult to do bounds checking code that works cross-platform
    • Bounds checking isn't a language feature, it belongs in the OS
    • Because OS designs tend to be flat, non-object-oriented, this will be a problem forever
    • Mike... you just don't have a clue... the real reason involves Natalie Portman, Nudity, and Hot Grits
    Well... what's up? Why have I never had this problem with my stuff? I do my programming in Delphi under Windows.

    --Mike--

  • You haven't started one comment on this whole page with a capital letter. Most people begin sentences with capital letters, even you do for the rest of your sentences. Please explain yourself.
  • Perhaps you should write your website in HTML like all proper websites instead of depending on a tool designed for Mac-using arty farty twats who can't code properly.
  • But I don't think the original poster was giving tips on how to make a marketable website. He was giving tips on how to make a quality site with good, clear, easy to find content. Unfortunately there's a huge difference. :-(
  • After reading the linked Bugtraq post, exactly which plugin Neal Krawetz means is still unclear - at least to me. There are two types of "Shockwave": the type created in Director (.dcr files) and the type created in Flash (.swf files.) There are also two types of plugins: the Flash-only shockwave plugin (Macromedia calls this the "Macromedia Flash Player" on their website) and the plugin that can play both Director dcr and Flash swf files. (Macromedia calls this one the "Macromedia Shockwave Player" on their site.) This latter plugin isn't available for every platform (Linux is one of the platforms for which it is still not available.)

    So, from the fact that Neal mentions running it on Linux, I'm pretty sure he means the regular Flash player is vulnerable... but how about the other Shockwave plugin - the one that plays both Flash and Director files? Since he only refers to crashing it with SWF files, it's not clear to me whether he means the other plugin is vulnerable - and if it is, could it be crashed with a DCR file?

  • The researcher gave Macromedia seven months to patch this before posting to bugtraq. I just goes to prove, if proof is still needed, that commercial vendors will not fix holes until they are being exploited on a massive scale.
    Yes, I know there are some shining exceptions. But I think that generally, unless a company has a clear track record of working with outsiders to fix holes in a timely fashion, anybody discovering an exploit should post it to bugtraq immediately. Vendors like Macromedia don't deserve the courtesy of advance notification, especially when it leaves huge numbers of machines vulnerable for months.
  • ...but I'm guessing that most users want pretty pictures with a minimal amount of useful information.

    Ah yes, the drooling morons theory, commonly held by cynical techies. The problem is I have yet to meet one of these drooling morons. The non-tech savvy people I've seen surfing the web are easily confused and intimidated by complex, flashing, javascript-infested sites. They like simple fast sites like Yahoo, and above all sites that make them feel in control.
    I agree there is some delta between the geeks and the normals - the normals seem to like one chunk of info per page, with clear navigation to access sibling, parent and child chunks of info. The geeks like lots of info on a page so they don't have to interrupt their info uptake for a page load.
  • You bring to mind a Greenspun quote (found here [arsdigita.com]:
    User is extremely bored and wishes to stare at a blank screen for several minutes while a flashing icon loads, then stare at the flashing icon for a few more minutes.
    Entertainment's great, as long as it's voluntary. When you hold someone's info hostage to your idea of entertainment, expect some hard feelings. Why not make a plain jane site with link "click here for some excellent graphics and entertaining animations". Then you know anyone downloading your art is doing it voluntarily.
  • Yes, that's obviously the perception of the decision-makers, but are the decision-makers right? We've just seen the death of many e-commerce sites built with that 'noisy flashy junky' philosophy, and while their business models certainly contributed, I think the sites actively drove users away. For example, boo.com must be the most extreme case of 'commerce-as-entertainment' and for a brief period after their launch, it seemed that everyone would have to 'catch up' to their 'immersive' web site. Then, of course, they failed miserably. I never managed to see their site - some combination of netscape crashing, slow connections and server-side flakiness.
    Who survived the e-commerce bloodbath? Amazon comes to mind - flashy perhaps, but info-rich with reviews and easy searching.
    It's worth remembering that most attempts to "cash in on those knee-jerk, primitive instincts" ended up losing money. Maybe people aren't as primitive as merchants think.
  • I have the same complaint. Ironically, this is part of what frames were meant to address - put the navigational links in a separate page, and reference that page. That way lynx-users know where to go for nav links, but don't have to look at them all the time.
    I'd like a smarter lynx, that could among other things collapse these navbars into something like a listbox, so it would become only one element to skip past when you don't want it.
    Re the unfriendly frameset issue, I wish designers would use something like:
    Welcome to greedy.com, your source for internet bargains. Click the
    nav frame to find your way around our site or the content frame to read the home page. We designed this site mainly for frames-enabled browsers, so we apologize for any difficulty you encounter in navigating our site.
    I think the invitation to upgrade your browser is a poor idea because most people running a non-frames browser in 2001 are probably doing it on purpose, and there's no sense driving visitors away to do some other task, after which they'll probably forget to come back.
  • If you overflow the buffer while running a flash movie THE MACHINE RUNNING IT CRASHES. Hence making it tough to 'sploit.

    Generically, that describes any buffer overflow exploit that hasn't been perfected yet. If a program has a buffer 100 bytes long with no checking, and I feed it a 10M string, it will almost certainly crash. My string will have overwritten part of the program with instructions the CPU probably doesn't like. With enough work, I can design a string that puts some properly written machine language in a location the program will call or jump to. Thus, I can execute arbitrary code with the same privileges as the program.
  • Actually, userspace processes cannot write to hardware. That's part of what it means for '386 and up chips to enter protected mode which is the mode in which linux runs. All of Unix security would be worthless if users could perform sector-level writes to the hard disk.
  • Not to mention that for most things crackers want to do with your small linux box, user privs are not required. The logical exploit would be a small program that daemonizes itself and changes $0 to something already prevalent in your process table like 'xterm -bg black -fg green'. Then the daemon would fire off a udp packet to evil hq summarizing the latest capture and do a 'stealth bind' to a high-numbered port, awaiting commands from it's dark master. Then your box is ready to be used as a DOS amplifier or an anonymizing springboard for various attacks. Given how linux users pride themselves on their uptime, the process could be around for quite a while.
  • Because, quite simply, you arent writing peices of foundation technology that are so widespread they qr3 worth trying to exploit.

    Its very different when you talk about commonly used net plug-ins and their technologies (Media Player, Flash, Active-X).

    What this proves at the end of the day was that the original Java Architects were 100% correct. Security has to be designed in by peopel who really understand it-- it cant be kludged on as an after-thought.
  • I'm just kind of wondering why Macromedia seemed to blow this off. Specifically does anyone have any word from Macromedia on this?
  • I take it no one else is disturbed that this list of "personal" peeves was lifted almost entirely from the old www.webpagesthatsuck.com site? [webpagesthatsuck.com]

    Not that it invalidates any of the points made, though...

  • Perhaps he mounted it from a Linux box running samba? ;)

    Rich

  • anything that says UNDER CONSTRUCTION

    What if the site is about something else that's under construction, such as a software package? What would a building construction company do?

    clear 1X1 pixel gifs used for spacing with alt tags that say "spacer"

    I agree here. Ditch the spacers except in Netscape 4.x which can't render CSS; even then, a spacer's alt tag should be alt=""

    don't use javascript to display text

    How do you generate dynamic content if you aren't paying big bux0r$$$ for access to a cgi-bin folder? The only way is through client-side EcmaScript or Java technology.

    websites that play music

    So are you saying that web-based interfaces to the Napster service are unacceptable? Sometimes, the music is the content, but I see your point when the music is there just for flashturbation[?] [everything2.com].

    websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.

    Even piece-of-crash Nutscrape 4.x?

    more than one animated gif on a page

    I agree here. Animation should be used with moderation; even then, it should be done using PNGs and EcmaScript (or MNGs in 6.0 browsers), not GIFs [burnallgifs.org].

    I'd like to add one more: right-click traps[?] [everything2.com]. See also the Right-Click Trap Shit List [8m.com].


    Tetris on drugs, NES music, and GNOME vs. KDE Bingo [pineight.com].
  • ...deserves the complaints from users they will get at the email address listed under 'feedback' on their page.

    I've tried to send complaints to some of these folks. Usually they don't have a feedback link. When they do, they never care that the page doesn't work. I usually send an email when the site doesn't work with javascript disabled. Often times it's just a pull-down list that jumps you to a certain part of the site automatically, and lacks a little "go" button next to it.

    They could not care less. When they do respond, it's usually "Javascript is required". One of the really good recent examples I recall is the search page at iwon.com [iwon.com]. If javascript is disabled, you get a blank page with only their logo in the corner. They didn't seem to care when I mentioned that every other search engine/portal works without javascript. If you're up for a challenge, try poking around at iwon.com's site to find an email address or feedback entry page. They obviously don't want to hear from their users.

  • The whole reason for my cheesy little site's existence goes *poof* due to one little statement:
    3. Hope the issue is addressed before someone writes something nasty.
    Until then, disable (remove) the Shockwave Flash plugin.
    Suddenly my potential audience goes from "90% of all Web-enabled systems" to "whoever's left that didn't disable the plugin"... sheesh.
  • Yep, it exists. [geocities.com]

    The player doesn't look like it is being actively developed, though maybe someone out there [mailto] is interested?

  • In the above, the programmer has allocated a 100 byte array for input of a number, but has called fgets to read a line of up to 200 characters. So a 101 byte line will overflow the buffer.

    See, this is why buffer overflows are common. People make mistakes on the end of the buffer. A 100 byte line will cause the overflow (\0 on the end)

  • or they'll just cancel the download.

    For things like PGP keys, you can issue a 'revocation certificate.' This is something that's generated from the private key and a user can look at it, look at your public key and see that indeed, you made the certificate and intend to say that "this key should no longer be used."

    For all practical purposes, without the private key it's impossible to forge such a certificate, in the same way that it's practically impossible to go backwards from a public key to the private one (without the resources of, say, the NSA or distributed.net).

    Given that with things like Windows and Flash, it seems inevietable that these programs are going to make contact with their makers occasionally (be it to check for updates, download banner ads, espionage or whatever), why not allow the parent site to send out a revocation certificate? If the software is designed to check for a certificate and refuse to function, then what might happen in this scenario is within the next few days, all Flash users receive a popup the next time they run Flash that says

    Techniques with make this version of Flash extremely vulnerable to having it's security compromised, have become widespread public knowledge. This version of Flash will thus refuse to function from hereon. Click here to download a new version.
    Given that this sort of thing will probably end up happening anyway for other reasons (ie forced obsolescence), why not put it to good use as well?
  • How many people who know how to exploit a buffer overflow and compromise a system while covering their butt(s) can make a Flash piece that will be perty enough for anyone to check out on a large scale?

    Isn't this unnecessary? I'm under the impression that Flash files get loaded automatically once someone already has the plugin. So all that's really necessary is creating a page that people will go to (porn works well) and placing the flash file in question on it.

    Or crackers could place the evil flash file on a popular web site in addition to or in lieu of the general vandalism that takes place.


  • You can use this problem to "execute arbitrary code stored in the SWF file".

    Uh-oh.

    Watch out for new Metallica versions of the Camp Chaos [campchaos.com] cartoons!

    "Hey! This is, like, you know, Lars Ulrich from Metallica, and we've got a few choice words on Napster. At this very moment, we're, like, deleting everything with an MP3 extension on, like, your computer. And, like, every filename with the word Napster in it. James learned Linux for you!"

    "Linux GOOD! Fire BAD! Napster BAD!"

    "Finally, like, we think you hackers and computer nerds that we used to beat up in high school are, like, pretty cool with us, 'cause, like, without you guys, we'd have had no clue, like, no fucking idea, like, how to stop all the money grubbers sharing our stuff with Napster. I mean, we put blood, sweat and motherfucking beers into our music!"

  • You are right, I think windows2000 users who are automatically logged in as "Administrator" should really de-install this player.
    --
  • I am sorry not to agree with you.
    I have designed dozen of websites and targetted my hand-made code to my test browser.
    I actually saw many differences according to the visitor's web browser except in one case : Fresco [ant.co.uk] is a web browser aimed at RiscOS [riscos.com] platforms.
    Whenever optimizing my code too look properly on it, it usually looked the same on all the popular browsers.
    Bottom lines : neither java nor javascript, nor SSL but in this case you can still choose another popular RiscOS browser such as Webster [demon.co.uk]
    Maybe there is a need for web developpers to learn to code in standard HTML, especially when I see the crap generated by most HTML-generators (yuk :-( ), which is only aimed at *one* browser (e.g. MSIE for Frontpage, NS for NS-editor, etc.).
    Finally, Fresco was developped for Oracle's Network Computer, which first prototypes were developped by Acorn [e-14.com].
    --
  • I'm afraid most windows2000 users are unable to set up this as it requires specific abilities that most of them don't have, as windows targets end-users.
    --
  • Your windows box has /dev/null on it? Buddy, I think you've already been exploited. Look around your room for a devious-looking smiling penguin.

    sig:

  • There still may be danger, even if you're running your netscape application as a dummy user. Since you have to grant that user access to your X display, there may be security faults/features in the X server itself to which you're now vulnerable.

    X authentication exists for a reason... if you override it, be sure you understand the risks :-)

  • Lots of free advertising would happen. Sure, many people would be disgusted and uninstall it. But more people yet would now recognise the brand and product name. And Macromedia?? They wouldn't have any penalty imposed on them. Basically a virus distributed through flash would only be of benefit to Macromedia. Look at any of the softwares that have had big viruses distributed through their use and I think you'll find that they are more widely used than they were before.
  • While the selection for Linux is limited to an old version of the plugin, there is at least one system with NO Flash plugin at all - AIX. I happened to be checking Slashdot on a quick break at work and found this discussion. If I hit one of these Flash sites I get a popup telling me I need a plugin, but then there ain't one. And at home, at least some of the "Flash" sites require the version 5 plugin (not available for Linux), or the "Shockwave" plugin (also not available for Linux).

    I agree with the KISS principle of website design. Maybe we'll be lucky - someone will exploit this bug, and then someone will sue Macromedia and they'll go bankrupt and there won't be any more FlashTrash. (Unfortunately if that happened, Micro$quish would buy them out and integrate Flash into Windoze - they could replace the "Active Desktop" with the "Hyperactive Desktop"!!)
  • ...to write a complicated, web-enabled package such as Flash and be sure you've removed every possible security bug from it? Of course not. There's no way to be certain. The chances are, every major Internet product - including IE, Netscape, Flash, will have more bugs exposed in it as time goes on. It's a fact of programming.

    Yet another argument for open source software...
  • Coupled with Perl::Flash [slashdot.org] covered on slashdot the other day, someone could do really cool stuff with this.

    A malicious website could say, gather information about a person's computer with an innocent looking form (this would be the nit-wit factor here) and use it to create an on-the-fly generated Flash animation that knows exactly what to do to nit-wit's computer.

    Or, with that previous Netscape JVM bug, generate a file-list from the user's computer, and then use the Flash plugin to delete/corrupt the exact location of files. This wouldn't even need the nit-wit factor.

    And like, I'm not very smart, so there must be way better ways to mess people up with this.

    And have I disabled flash? I'll do it tomorrow...

  • by Anonymous Coward on Wednesday January 03, 2001 @10:54PM (#532319)

    Many embedded web browsing devices ship with support for Flash. Maybe this overflow could be used to execute any code on those boxes if it was not possible otherwise. E.g. just load shockwave movie from http://linux.boot.org/ and your box will boot to Linux. Would not that be cool?

    Now, think what we could do with a beowulf cluster of Flashed computers. This will give whole new meaning for flashing new applications.

  • by QuantumG ( 50515 ) <qg@biodome.org> on Wednesday January 03, 2001 @11:48PM (#532320) Homepage Journal
    err.. you're really lost in thinking that this code is being executed in the data segment but anyways, on x86 there is only READ_EXEC_ONLY, READ_WRITE_EXEC, READ_ONLY or NO_PERMISSIONS. You can't say READ_WRITE_ONLY which is the problem. If you want a data section that is read only then you can have that, but if you want a read/write data section that is not executable, sorry, that's not offered.
  • by fluxrad ( 125130 ) on Wednesday January 03, 2001 @10:26PM (#532321) Homepage
    so that's what the boys at gabocorp [gaborcorp.com] have been doing all along!

    those nefarious bastards!


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network
  • by yerricde ( 125198 ) on Thursday January 04, 2001 @06:57AM (#532322) Homepage Journal

    No, it is completely NOT necessary with css.

    Unless you're selling DVDs, you don't have to worry about CSS issues.

    Oh, that CSS. Cascading style sheets. The one that crashes Netscape 4.x, one of the most popular browsers on the Net (because Mozilla won't run well on their 32 MB machines). If you're using CSS layout, you may want to use a DeCSS filter [pigdog.org] to remove the formatting for those who are behind Nutscrape.


    Tetris on drugs, NES music, and GNOME vs. KDE Bingo [pineight.com].
  • by sdriver ( 126467 ) on Wednesday January 03, 2001 @10:20PM (#532323) Homepage
    Many people havn't updated NS from the "Every web browser is a server with JAVA" security hole. So I doubt anyone will care.... :(
  • by Mold ( 136317 ) on Wednesday January 03, 2001 @10:29PM (#532324)
    The majority of users won't care if there browser has security issues. They have their browser, they may have had it set up for them, or they may just not want to download a newer browser; this, and most other browser security holes will be left open.

    The Windows update utility will fix this more some Windows users, but again, most users aren't using the latest version, or they'll just cancel the download.

    Are there any really good ways for a browser to be kept up to date without causing too much trouble on the users part or sacrificing any security (for the anti-Microsoft paranoids)?
  • by squiggleslash ( 241428 ) on Thursday January 04, 2001 @03:10AM (#532325) Homepage Journal
    Usually buffer overflow exploits make use of the fact that the majority of them occur in dynamically "auto" allocated memory, memory allocated on the stack for a function's local variables. For instance:

    int getnextnumber(FILE *fp)
    {
    char line[100];

    fgets(line, 200, fp);
    return atoi(line);
    }
    (I may have got the parameters in the wrong order above, don't flame me, it's the principle that I'm trying to describe)

    In the above, the programmer has allocated a 100 byte array for input of a number, but has called fgets to read a line of up to 200 characters. So a 101 byte line will overflow the buffer.

    With most C compilers on most platforms allocate memory, the same stack is used to store the return address to jump to when the function has completed executing as the data itself. Therefore, a buffer overflow exploit needs to put code in the buffer, work out where that code will be when the function is executed, and overwrite the return address with the address of that code.

    It's not easy but a number of factors can help a hacker in this situation, usually that once compiled for a particular platform, on 32 bit platforms at least, the function will normally always appear in the same place in memory, and when the program is running, if you're careful about the conditions underwhich you feed it bad data, you can make a reasonable assessment as to where the stack will be when its called.

    The majority of UNIX hacks I've seen on the BugTrac lists are buffer overflow exploits, and from what I recall, they're the major ones the OpenBSD [openbsd.org] team are constantly on the look out for. So it's a real problem, and assuming the Shockwave overflow is predictable as described above (or requires little overflow anywhere else to overwrite code or a return address), it's credible someone might use it.

    So don't run Netscape as root. Unless you're a Windows 9X/Me user of course, where you don't have much choice...
    --

  • by Pope Slackman ( 13727 ) on Thursday January 04, 2001 @04:51AM (#532326) Homepage Journal
    The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).

    Hardly anyone who does Flash even knows about, let alone cares about Linux support.
    The two major consumer platforms are well supported (and exploited, now! ;),
    and Linux still holds a tiny amount of market share.
    Not to mention hardcore Linux users will occasionally drop into 'doze or MacOS to browse,
    simply because Netscape sucks SO much.
    (Konqueror, on the other hand, is really getting there. Even supports Flash. :P)

    IIRC, keyboard navigation *IS* possible in Flash, but it has to be authored in, which most people neglect to do.

    -Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.

    Once again, the average Flash author will prolly think 'X' is some pr0n reference.
    X platforms simply don't have enough market share for Random Webdesigner to care about - as long as (s)he hits the target audience and gets paid, (s)he's happy.

    The Flash player is definately a buggy piece of software, but I've had far less
    lockups and far more speed with Flash than with Java, so I really can't bitch about stability too much.
    The buffer overflow is *extremely* careless tho...hopefully Macromedia will fix it soon.

    --K
  • by Alex Pennace ( 27488 ) <alex@pennace.org> on Wednesday January 03, 2001 @11:34PM (#532327) Homepage

    I've been meaning to install Shockwave on my Linux box to look at all the fancy things everyone else gets, but now I'm glad I haven't done so yet.

    Once common misconception about Unix security is if something doesn't run as root, any possible exploit is not important. A Shockwave player compromise can still read your mail, get/alter your files, even ptrace Netscape or ssh and grab your passwords. Doing as many things as possible under a non-root user is good practice, but does not solve all problems.

  • by Kalgart ( 127560 ) on Thursday January 04, 2001 @02:11AM (#532328)
    Well after a little searching I found where M$ hides shockwave for IE5.

    c:\windows\system\macromedia

    it's now been sent to /dev/null .....
  • by jesseraf ( 230545 ) on Wednesday January 03, 2001 @10:37PM (#532329) Homepage
    Here's the bugtraq id on securityfocus:
    http://www.securityfocus.com/bid/2162
    Cheers
  • by Black Parrot ( 19622 ) on Thursday January 04, 2001 @01:00AM (#532330)
    There are languages, and libraries for other languages, out there that build in buffer bounding without you having to trust your programmers to handcode a check every time they make an I/O call.

    When are developers going to wise up? Or do we still have a world full of developers who've never heard of the concept "buffer overflow", and thus don't know they should be taking precautions.

    I know there are subtleties of security that won't be cured by a silver bullet, but BOs are discovered almost daily, and unless you're a hermit that never hears about any of those discoveries, there's not much excuse for publishing a program with a BO in it.

    [Writer crosses fingers hoping not to be the next person to publish one!]

    --
  • by poopie ( 35416 ) on Thursday January 04, 2001 @12:48AM (#532331) Journal
    Anyone who thinks that a good website should depend on a plugin/javascript/animated graphics/java/images with no tags/frames/ or overdesigned pages that take forever to load on a 14.4 connection deserves the complaints from users they will get at the email address listed under 'feedback' on their page.

    Spend your time on content, and when you've got good content, add in features... but don't ever trade off usability or accessibility for 'animated pull-down menus with sound and all sorts of mouseover hoopla' that won't work with anything but the latest browsers.

    Use lynx and links to test your site for navigation. If you can't at least navigate your site with these tools, then it's time start over.

    My personal list of website peeves:
    - Click here to enter -- Duh!? I already entered the url, doesn't that mean I want to enter?
    - anything that says UNDER CONSTRUCTION -- no informational value. Everything on the internet is under construction
    - clear 1X1 pixel gifs used for spacing with alt tags that say "spacer" - doing typesetting with 1X1 pixel transparent gifs is a kludge that adds a lot of excess html to your docs
    - more than 2 frames in a page - on rare occasion, I can stomach two frames.
    - using javascript for something that could be done with standard html - don't use javascript to display text, for example
    - websites that play music - saw a sig on /. that said "If I wanted your site to make music, I'd have turned on the radio"
    - websites that have all info in non-html or text formats like doc, xls, pdf, ps - Thanks for nothing - just post the info and use html or text. More info and file formats are nice, but put the info in text first.
    - websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
    - popup ads - did I ask you to open a window?
    - any site that says: "Welcome to my website" - duh!
    - more than one animated gif on a page

    there are more, but I don't have the time to list them all. Bottom line: cut the junk and and leave the content.
  • by QuantumG ( 50515 ) <qg@biodome.org> on Wednesday January 03, 2001 @11:57PM (#532332) Homepage Journal
    this is still in existance for the sole reason that no-one has bothered to write an exploit for it. In situations like this the standard response is to create a web page that explains what the exploit does and how it will do it. Then a link is included that says "show me, I want to be exploited" and clicking on the link does something fancy like writing files to your harddrive or desktop along with bringing up a message box. Why is this necessary? Because most companies do not have the time or man power to track down every little bug and fix it, not matter the security risk and it is only after demonstrating that this is a serious problem that customers start to complain and companies take notice.
  • >My personal list of website peeves:

    Good list.

    My list of peves is very similar, but also includes click here [slashdot.org] links. When one glances at a webpage the links stand out. So one can usually just scan down and find the link one wants. But this doesn't work when the text that stands out is click here [slashdot.org], click here [slashdot.org] and click here [slashdot.org].

    click here [slashdot.org] for Slashdot,
    vs
    Visit Slashdot [slashdot.org].

  • by tinic ( 121416 ) on Wednesday January 03, 2001 @11:58PM (#532334) Homepage
    The flash player is one poor piece of engineering:

    -Having two points on the same coordinate in any kind of vectorial shape causes a crash (something like a division by zero).

    -The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).

    -Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.

    -Specs for the newest .swf format revisions are always kept secret. Flash5 contains a JavaScript like language called ActionScript. This kind of stuff scares me to death...

  • by mirko ( 198274 ) on Thursday January 04, 2001 @12:48AM (#532335) Journal
    It could always be possible to alias the netscape command to be transparently invoked as another user by placing the following in one's ~/.bashrc :
    alias nsnav = "su - dummy -c nsnav"
    alias nsmail = netscape

    launch the mail as usual or with the nsmail command and if you want to surf (see here [slashdot.org] why you would like to), just launch navigator with the nsnav command.
    Of course, you'd better use Konqueror or W3-Emacs but this was my 0.01$ bit.
    --
  • by OblongPlatypus ( 233746 ) on Wednesday January 03, 2001 @10:33PM (#532336)
    Not saying this should make you discredit the entire report, but I found this quote sort of funny:
    By dumb luck, met a guy at a party who knew a guy who was the sister of a "senior manager" at Macromedia. Decided to hold off posting.
    (From the "reporting history")
  • by Calle Ballz ( 238584 ) on Wednesday January 03, 2001 @10:32PM (#532337) Homepage
    But I guess they feel that it is now a bigger threat. Maybe joecartoon [joecartoon.com] and killfrog [killfrog.com] have been rooting our boxes unsuspectingly for the last year, and they are not catching on.

    Oh well, my favorite resource [securityfocus.com] has some more information here [securityfocus.com]

The only difference between a car salesman and a computer salesman is that the car salesman knows he's lying.

Working...