Comments on: Block Rick!

By: hackademix.net » Upgrade Flash and Turn Off Acrobat, NOW!

hackademix.net » Upgrade Flash and Turn Off Acrobat, NOW! — Wed, 25 Feb 2009 14:40:14 +0000

[…] work-around suggested by the iDefense bulletin is bogus: as we already clarified a few times, FlashBlock can’t be relied upon as a security defense. The only reliable means to protect yourself against Flash-based 0 day attacks like these are […]

By: hackademix.net » Twitter JSON Hijacking Updates

hackademix.net » Twitter JSON Hijacking Updates — Tue, 13 Jan 2009 11:10:33 +0000

[…] upon for security: there are too many easy ways to circumvent it. More in general, Adblock Plus and FlashBlock, despite a popular superstition, can’t be considered security tools because they’re not […]

By: Fernando

Fernando — Mon, 25 Aug 2008 08:01:56 +0000

Am I the only one that clicked play? :)

Thanks for the hard work you put to make Firefox a more secure browser.

By: dolphinling

dolphinling — Wed, 11 Jun 2008 04:11:36 +0000

Gnash has a similar click to play feature by default, without needing an extension to add it. I wonder whether it adds any security benefit, or if it’s also "just for annoyances".

By: Giorgio

Giorgio — Mon, 09 Jun 2008 18:19:52 +0000

@Aerik:
Every single web page can log your keystrokes, as long as it can run JavaScript to attach a document-level keyboard event listener.

By: Aerik

Aerik — Mon, 09 Jun 2008 17:46:54 +0000

Huh. I had just updated my flash and shockwave, too.

Anyways, I just learned something pretty damned interesting. Apparently the Konami Code Works on Google Reader. Read here: http://blogoscoped.com/archive/2008-06-09-n29.html

Disturbing that it technically has to log your keystrokes for this to work? I tried it, it’s all true. Go to google reader, do up up down down left right left right b a [enter], and it hapens.

By: William Vambenepe’s blog » Blog Archive » Taking control of the Flash player

William Vambenepe’s blog » Blog Archive » Taking control of the Flash player — Mon, 09 Jun 2008 17:34:38 +0000

[…] 2008/6/9: Looks like Flashblock can be circumvented (in a way that my more basic FF vs IE setup cannot). BTW, I closed comments on this entry because […]

By: Gijs

Gijs — Sun, 08 Jun 2008 23:06:08 +0000

I’m not a security buff by any means, but to reply to .mario’s point, doesn’t the IMG tag allow pretty much the same thing? I’m not sure why you’re ascribing special powers to OBJECT when all you do is tweaking your way into parsing fixes, which I would guess apply to pretty much any element.

By: Giorgio

Giorgio — Sun, 08 Jun 2008 15:02:19 +0000

@Marcin:
FlashBlock is actually much more accurate and sophisticated than a GreaseMonkey script, and its latest versions deploy techniques very similar to those implemented by NoScript: while I do know a couple tricks to execute frame 0 ActionScript despite FlashBlock, the 1 second delay you observed doesn’t exist anymore.
The point is that FlashBlock, as an annoyance blocker, can afford a known failure margin, provided that it still works in the most common and intrusive cases, for instance ads.
The problem is when people start thinking at FlashBlock, and adblocking in general, as a security feature: every easily reproducible work-around like this becomes a vulnerability, in a security context.

By: Marcin

Marcin — Sun, 08 Jun 2008 14:07:58 +0000

Girorgio, I’m with you and Andre on this. I don’t use Flashblock because essentially, it’s implemented the same way a Greasemonkey script is. I use NoScript for its Flash blocking capability in addition to script whitelisting.