Universal XSS 0day in Adobe Flash controlled users’ Web accounts:

As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

I was already preaching this four years ago: the more our assets move “in the cloud”, the less traditional security measures, meant to protect just your local system, suffice.

The battlefield is the web now, and there’s no coming back…

4 Responses to “Sandboxes are Overrated (Told You 4 Years Ago)”

  1. #1 Thrawn says:

    The really interesting part is when people claim that NoScript is overkill/paranoia if those traditional measures are in place. Wonder how many of those people get likejacked?

  2. #2 Krzysztof Kotowicz says:

    True dat! Web attacks are becoming much more attractive, as the Web stores many jewels nowadays. And with the power that JavaScript is given in today’s browsers, XSS will soon be threat #1 for many of your assets.

  3. #3 Jonathan says:

    I think the developers of JavaScript are the ones collectively who enable it to become too powerful. If something is not broke do not fix it and for many things HTML sufficed. Furthermore, JavaScript conflicts with screen readers which extremely irritates me at times [e.g. Blogger’s new optional interface]. People just need to stop developing these web-empowering programming languages because people can do without them.

  4. #4 Tom T. says:

    I don’t have a pulpit, but I’ve been preaching for years to keep your stuff to yourself and out of the cloud as much as possible. But everyone embraces "let someone else do it for me"….

    Also, sandboxes included in specific apps surely aren’t as effective as OS-based sandboxing of the entire browser? — even though the latter is also far from perfect, and therefore should be mixed with NoScript, RequestPolicy, and, d’oh, Safe Hex: Don’t do your online banking without closing and restarting your browser (configged to dump everything from the browser and the surrounding sandbox); do the same after banking; and don’t allow permanent cookies, offline or DOM storage, etc. — EVER.

    For the real tinfoil-hatter, don’t run Flash while you’re logged into anything you care about, even insecure email. (And use secure email - in a stand-alone browser window — for stuff that really matters.)

    Nothing will ever be 100% safe, but those mitigations would defeat a lot of these and future attacks.
    IMHO. YMMV.
