Flash as spyware

Bill McGonigle bill at bfccomputing.com
Mon Apr 3 18:31:01 EDT 2006


On Mar 29, 2006, at 09:58, Ben Scott wrote:

> On 3/29/06, Bill McGonigle <bill at bfccomputing.com> wrote:
>> Hey, if you're a popular website you could use Flash to store an
>> offsite copy of your enterprise backup in your users' Flash cache!
>
>   You could do that with HTTP cookies, too.

4K vs 100K; well-known management tools vs. obscure website.  Education 
would definitely help (thanks, Dr. Sconce!).

So far, volvokeene.com is the only site to go over the cookie-size 
convention on my system.  They stored 13K of something on my computer.  
I talked my sister into a Subaru anyway.

>   Flash cookies are limited in size.  I'm not sure exactly what the
> limits are.  I don't think you should send *that* much data.

Looks like 100K is the default - 'unlimited' is the max.  I found it 
interesting they also have a preference to control when a website can 
use your microphone and webcam via Flash.  Gawsh, I hope that prefs 
code isn't buggy!

>   See also:

thanks, great links

>> ... install spyware.
>
>   I'm curious about this one.  Source?

Forget where I read that - maybe SANS.  Here's an article which 
doesn't explicitly state it, but you have to assume spyware attackers 
will choose not to exploit this vector for it to mean anything else:

   http://www.securitypipeline.com/181504092?CID=rssfeed_pl_scp

>   I also don't like sensationalizing problems that are really not all
> that new to the computer world, or unique to Flash.

No, but most people think because IE and/or Firefox is auto-updating 
security patches they're covered for browser security.  Something like 
Flash doesn't really fit into the realm of what, say, Firefox Update 
can handle.  Microsoft Update or Mac Software Update have the necessary 
tooling but neither are open platforms.  Fortunately more enlightened 
operating systems have this solved already:

   http://macromedia.mplug.org/

>> I'm interested in what happens to the SVG/Flash rivalry now that Adobe
>> owns Macromedia.
>
>   As a guess, I'd say we could expect Adobe to sue people for reverse
> engineering Flash.  :-(

SWF is an open standard (as well as SVG).  All they can do is change 
the SWF license and sue us out of existence over patents on future 
versions.  IIRC, SVG is a W3C standard now so they don't have that 
option on SVG.  I don't know who acquired who, politically.  I was 
hoping they'd make Flash render SVG and put the Flash advantages on an 
SVG 2 track:

   http://www.carto.net/papers/svg/comparison_flash_svg/

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
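As an added illustration of the cookie-size point raised in this thread (4K HTTP-cookie convention versus the 100K Flash default), here is a small audit script that is not part of the original message or of any Flash Player tooling. It sums the .sol files under a Flash Player shared-object directory per domain and flags the domains that exceed a chosen threshold, so an administrator can spot a site storing far more than a preference blob should need. The directory layout it assumes (`#SharedObjects/<random-id>/<domain>/.../<name>.sol`) is an assumption for the example, and the sample tree it builds is constructed data, not real browser state.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Limits discussed in the thread: Flash Player's default per-domain storage
# and the informal HTTP cookie size convention Bill compares it against.
DEFAULT_LIMIT_BYTES = 100 * 1024
COOKIE_CONVENTION_BYTES = 4 * 1024


def audit_shared_objects(root: Path) -> dict:
    """Return {domain: total_bytes} for every .sol file beneath root.

    Assumed layout (not verified against any Flash Player release):
        root/<random-id>/<domain>/.../<name>.sol
    Files that do not fit that layout are skipped rather than guessed at.
    """
    totals = {}
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:
            continue  # no domain component; unexpected layout
        domain = parts[1]
        totals[domain] = totals.get(domain, 0) + sol.stat().st_size
    return totals


def over_threshold(totals: dict, threshold: int) -> dict:
    """Keep only the domains whose stored bytes exceed the threshold."""
    return {d: n for d, n in totals.items() if n > threshold}


def build_sample_tree(base: Path) -> Path:
    """Create a constructed #SharedObjects tree for the demo and return it.

    Sizes mirror the thread: one site at 13K (over the 4K cookie
    convention) and one site pushed past the 100K Flash default.
    """
    root = base / "Flash_Player" / "#SharedObjects"
    sample = {
        "ABCDEF12/volvokeene.com/settings.sol": 13 * 1024,
        "ABCDEF12/example.org/prefs.sol": 512,
        "ABCDEF12/example.org/cache/big.sol": 120 * 1024,
    }
    for rel, size in sample.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * size)  # filler bytes; not a real .sol body
    return root


def run_demo() -> tuple:
    """Build the sample tree in a temp dir, audit it, clean up, return results."""
    tmp = Path(tempfile.mkdtemp())
    try:
        root = build_sample_tree(tmp)
        totals = audit_shared_objects(root)
        flagged_cookie = over_threshold(totals, COOKIE_CONVENTION_BYTES)
        flagged_default = over_threshold(totals, DEFAULT_LIMIT_BYTES)
        return totals, flagged_cookie, flagged_default
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    # On a real system you would point audit_shared_objects() at the
    # profile's #SharedObjects directory instead of the constructed tree.
    totals, by_cookie, by_default = run_demo()
    for domain, n in sorted(totals.items()):
        print(f"{domain:20s} {n:8d} bytes")
    print("over 4K cookie convention:", sorted(by_cookie))
    print("over 100K Flash default:  ", sorted(by_default))
```

The two thresholds are deliberately separate: exceeding the 4K convention is merely worth a look (the 13K example in the thread), while exceeding the 100K default means the site either talked the user into raising the limit or the limit is not being enforced, and that is the case worth following up on.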




More information about the gnhlug-discuss mailing list