Comments on: Yet Another Adobe Flash and Reader 0 Day

By: Gary Thompson

Gary Thompson — Fri, 06 May 2011 19:04:09 +0000

Chrome always appears to have a problem with adobe flash releases and also adobe air .. pity, ‘cos I love the browser and prefer it to Firefox

By: Giorgio

Giorgio — Mon, 18 Apr 2011 07:10:46 +0000

@Dan: Allow Scripts Globally + NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well is what you want.

By: Thrawn

Thrawn — Mon, 18 Apr 2011 00:28:52 +0000

@Dan: You’re right, NoScript is designed to block scripts first (hence the name), plugins second. Blocking only plugins isn’t really the objective.

That said, if you’re concerned enough to block Flash by default, then it might be worth making the effort to selectively enable JavaScript too. It’s at least as dangerous, possibly more, given how widely it’s used to launch attacks.

By: Dan

Dan — Wed, 13 Apr 2011 17:15:47 +0000

I switched from Flashblock to NoScript last time you explained why it was better for blocking plugins. I’ve stuck with it, but it does have some issues.

I can’t work out how to enable JavaScript globally, but block plugins globally, and yet whitelist some pages.

I.e. the use case "block Flash on all pages except this one" is not possbile without disabling JavaScript globally, which Flashblock users probably don’t want, otherwise they’d be using NoScript already. Let me know if there is a way to do this.

By: Giorgio

Giorgio — Wed, 13 Apr 2011 07:48:50 +0000

@Giovanni Bajo:

Aren’t the problems you mention fixed through the PPAPI?

No they aren’t. PPAPI’s scope is entirely different, and as long as plugins like Flash (which can do low-level TCP networking and has access to web context) exist, you can’t fix them but just mitigate.

By: Giovanni Bajo

Giovanni Bajo — Tue, 12 Apr 2011 14:18:49 +0000

@Giorgio: well, I’ve seen many malwares that exploit OS-level tricks to inject trojans, so I wouldn’t call it overrated (after all, there are so many ready-to-drop payloads around). Chrome is the only browser that prevents this today, so I think it’s a good step forward. I concede it’s not enough.

Aren’t the problems you mention fixed through the PPAPI? Chrome is currently deploying PPAPI support for its embedded Flash plugin (as we speak, it’s available in dev builds under an about:flags).

By: Giorgio

Giorgio — Tue, 12 Apr 2011 13:37:30 +0000

@Giovanni Bajo:
Sandboxes are overrated.
A sandbox just means that the malicious code can’t (theoretically, pending sandbox bugs) write to/read from the local filesystem and perform other “privileged” actions which a browser can perform but a web page cannot. On the other hand, just by controlling the Flash Player itself and the content process (without accessing local resources) an attacker can take control of your assents “in the cloud”: for instance, it can navigate your online bank account and steal your credentials, either by waiting for the password manager to fill in the details or by using your session cookies if you’re already logged in.

By: Giovanni Bajo

Giovanni Bajo — Tue, 12 Apr 2011 12:04:56 +0000

Flash is sandboxed in Chrome, so it’s probable that it’s not exploitable in there as well.

By: Giorgio

Giorgio — Tue, 12 Apr 2011 11:37:38 +0000

@john:
Where did you read it?
Adobe’s advisory explicitly mentions Chrome’s “special” version number, and since Chrome ships with its own private Flash Player there would be no reason if this wasn’t browser-exploitable.

They’re probably playing on the ambiguity due to reported incidents being targeted attacks through email attachments (Microsoft Office documents with embedded Flash content), but this doesn’t rule out browser attacks at all.

By: john

john — Tue, 12 Apr 2011 10:58:16 +0000

I’ve read this vulnerability is exploitable through Word documents, not browsers