If you’re a FlashBlock user, you may feel outraged by being brutally rickrolled this way, but you need to know that it could happen at any moment.
No special trick, just a YouTube movie embedded through a plain HTML element. Examine the source code if you don’t believe it:
<object width="300" height="242" data="http://youtube.com/v/A3_n0B1EaOY"> </object>
Not a big deal, really, if you consider FlashBlock a “noise reducer”: it does a great job, in fact, working almost always.
A bit more worrisome, though, if you used to believe FlashBlock could improve your security against Flash vulnerabilities. Your next surprise video star may be way more malicious than Trojan.SWF.Astley…
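The gap shown above can be audited for, as in this added example (not code from the original post, FlashBlock or NoScript). It assumes a hypothetical blocker that recognizes Flash only from markup attributes and lists the embeds such a rule would miss; `markupSaysFlash`, `undeclaredPluginContent`, `defaultDenyTargets` and the `example.test` URLs are constructed for illustration.

```javascript
// Added example; the "markup-only" rule is an assumed model of attribute-based
// blocking, not FlashBlock's or NoScript's actual logic.
const FLASH_MIME = "application/x-shockwave-flash";

// Collect the attributes of every <object>/<embed> start tag in an HTML string.
function pluginElements(html) {
  const tagRe = /<(object|embed)\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const found = [];
  for (const tag of html.matchAll(tagRe)) {
    const attrs = {};
    for (const a of tag[2].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    found.push({ tag: tag[1].toLowerCase(), attrs });
  }
  return found;
}

// Assumed markup-only rule: Flash is recognized only when the markup says so,
// through a type attribute or a URL path ending in .swf.
function markupSaysFlash(attrs) {
  const url = (attrs.data || attrs.src || "").split(/[?#]/)[0];
  return (attrs.type || "").toLowerCase() === FLASH_MIME || /\.swf$/i.test(url);
}

// Embeds whose content type is decided by the server's response, not by the
// markup: a markup-only rule lets these through.
function undeclaredPluginContent(html) {
  return pluginElements(html)
    .filter(e => (e.attrs.data || e.attrs.src) && !markupSaysFlash(e.attrs))
    .map(e => e.attrs.data || e.attrs.src);
}

// Default-deny view: every <object>/<embed> is a blocking candidate,
// whatever its attributes claim.
function defaultDenyTargets(html) {
  return pluginElements(html).length;
}

// First tag is the one from the post; the other two are constructed samples.
const SAMPLE = `
<object width="300" height="242" data="http://youtube.com/v/A3_n0B1EaOY"> </object>
<embed type="application/x-shockwave-flash" src="http://example.test/banner.swf">
<object data="http://example.test/movie.swf"></object>`;

console.log("missed by markup-only rule:", undeclaredPluginContent(SAMPLE));
console.log("covered by default-deny:", defaultDenyTargets(SAMPLE));
```

Only the tag from the post is reported as missed, while the default-deny count covers all three elements.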
To be fair, you would be in good company:
- Slashdot, whose “flashblock” tag is attached to all the most recent Flash security horror stories
- US-CERT (United States Computer Emergency Readiness Team)
- F-Secure, the antivirus company
- Dancho Danchev, renowned security expert and Zero Day ZDNet blogger
If they had just looked at FlashBlock’s FAQ, they would have found that the word “security” is never mentioned: a testament both to the good faith of the developers, who honestly advertise FlashBlock as an excellent annoyance blocker rather than a security enhancement, and to the superficiality of some advice.
Dancho is especially inexcusable, since he’s the only one forgetting to mention NoScript, which features similar flash-blocking capabilities but, being developed with security as its main focus, is immune to this and other possible circumventions and, more importantly, would regard even the most exotic unblockable edge case as a serious bug to be fixed as soon as possible.
Oops, I couldn’t block my own rant :)