Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: adobe.com important subdomain SQL injection again!
From: John Jester <watermonk () devout com>
Date: Sun, 19 Dec 2010 22:32:38 -0500

Regarding appeal to futility.

Flash has it's own programming language in it. On every OS. On i686, amd64 and now ARM. It stores your data in a local 
db. It's on every web page.

How could you ask for more attack vectors?

Sandboxing the plug-in from your system fixes it I believe. It's so futile sandboxing it was key.

And security, hell a multi-billion dollar company can't keep it from gobbling up 100% cpu in some instances. Huge note: 
over the years has been massive improvement in both performance and security.

It's not hopeless or futile, but come on, it's like the titanic.





-----Original Message-----
From: Marsh Ray <marsh () extendedsubset com>
To: Victor Rigo <victor_rigo () yahoo com>
Cc: full-disclosure () lists grok org uk
Sent: Sun, Dec 19, 2010 8:32 pm
Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again!

On 12/18/2010 05:30 PM, Victor Rigo wrote:

Let's see, flash is:

- Cross-platform

- Cross-architecture

- Has it's own programming language

- Is embedded on websites

- Access to javascript to popup, local caches, etc.

Not on my machine?

It's not ineptness, it's what you get when you right software that can

actually do stuff.

Adobe comes from a time when you could write PC software without caring 

about security. Yeah, it was a heck of a lot easier to write just about 

anything back then because it was well and proper that anything could do 


Nowdays, the first questions after "hey our software could do this" must 

be "but should it do that? What else could someone leverage that new 

capability to do? How does it combine with every other feature in our 

app or even on the whole platform? What if somebody does it repeatedly 

in a tight loop? With pathological inputs?" and so on. These questions 

take a long time to answer.

So if a vendor is known for "letting app developers do more stuff" and 

not also known for "letting users control what stuff gets done on their 

own machines" then they are laggards, not leaders, in my view.

If Java applets were still the hip thing, you'd see the same thing about


There's undoubtedly some truth to that. But at the same time, it doesn't 

seem like a useful line of reasoning:

* It's still not an argument for using Flash.

* That Java plugins have had chronic security bugs doesn't mean that 

Flash doesn't suck too.

* You seem to imply that you don't think that Adobe is likely to secure 

Flash any time soon. You're not saying "Adobe will secure Flash in the 

next patch and then it will be great." But you listed all the great 

stuff it does, so I have to think you would have said something like 

that if you believed it. You may be making Flash look worse than it is.

* It's basically an "appeal to futility" argument: no one could make a 

development platform and browser plugin that is significantly more 

secure (or does a better job of managing the security vs. "doing stuff" 

trade off) so therefore we should accept the status quo. That's why it's 

not useful: it gives no guidance on directions in which to improve.

Personally, I kind of like Flash. It gives me a single kill switch for 

90% of the useless blinking crap and popups on the internet. Flash is a 

really appropriate name for exactly what I don't want to see on a web 

page. I hope it remains the platform of choice for those who develop 

such things.

- Marsh


Full-Disclosure - We believe in it.

Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]