Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment Re:Broken security model (Score 2, Interesting) 355

Off the top of my head, here are a few possible changes:

1. Deny connections by default, unless the server specifically says "this application can connect" (This is already how adobe determines policies on remote servers. It would not be so hard to make the object's origin follow the same rules)
2. Check whether the content-type headers of the server delivering the object actually match those of a flash object, preventing the content overloading attacks described in the paper.
3. Implement a signing policy, so that unsigned flash objects are not given permission to access the server.
4. Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server. (Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)

Maybe not ideal, but a hell of a lot better than having everybody vulnerable by default, and expecting the server administrators to fix it for them on a case by case basis.

Comment Re:Client or server? (Score 1) 355

If I allow you to upload a flash object to my site, I should sanitise it before I allow my server to give it to anyone.

And if you allow me to upload a zip file to your site, will you strip out the swf file that's prepended to it? This is key: It's still a perfectly-formatted zip file.

You may start checking for prepended swf files now, but you sure as hell weren't yesterday.

How exactly is this FUD?

Comment Re:Uploading a swf with a jpg extension? (Score 1) 355

Browsers do use MIME type to decide on the parser, except with embed tags, where they use the content-type attribute of the embed tag to decide which plugin to invoke.

The plugin, in turn, *should* check the MIME type to determine whether the file it's loading is valid. The Flash plugin does not.

Comment Re:OH NO!!! (Score 2, Insightful) 355

On the other hand, the more arcane the attack, the less likely it is to get fixed, and so the more websites remain vulnerable. The end result is that an attacker well-versed in a variety of obscure attacks can find a way into just about everything.

This one, though, does affect an awful lot of sites- it's rare to find a site that doesn't allow users to upload some kind of file. The impression I get is that image uploads may be more or less simple to validate, but most other filetypes aren't.

Comment Re:Broken security model (Score 4, Insightful) 355

If you can write an SWF that can be executed to compromise a website, despite the fact that it looks like, acts like, and in fact is a valid MS Word document, I'd call that a problem.

Your JAR example is actually a pretty good one... as TFA mentions, a similar attack with JAR files that looked like GIFs came out in 2008. Sun fixed their plugin.

Comment Re:Why does a login form need CSRF protection? (Score 3, Insightful) 355

In this case, it was used to log the user into the attacker's account, which contained the malicious SWF uploaded as an attachment. If the user then logged into gmail (the video uses a registration email to prompt the user to do so), his account would be compromised.

In Gmail's case, there are other privacy consequences to the login CSRF. For example, if the user is logged into an account that I have access to, I can actually view his google search history.

Comment Re:Uploading a swf with a jpg extension? (Score 3, Informative) 355

You'd think so, but you'd be wrong. Embedded content can specify the content-type in HTML (in order for the browser to know what plugin to use to load that content), and Flash trusts that declaration, not the content-type supplied by the server. A properly-designed plugin should trust the server, not the HTML that calls it.


Submission + - Adobe Flash Vulnerability Found - Adobe Won't Fix (foregroundsecurity.com)

An anonymous reader writes: Security researchers at Foreground Security have found an issue with Adobe Flash. Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems (see this story: http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_sites_users_at_risk_say_researchers )

Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be.


Submission + - SPAM: Hackers claim $10K prize for StrongWebmail breakin 2

alphadogg writes: Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, "if someone did it, we'll kind of put our heads down," he said.
Link to Original Source

Slashdot Top Deals

I judge a religion as being good or bad based on whether its adherents become better people as a result of practicing it. - Joe Mullally, computer salesman