Archive for June 8th, 2008

If you're a FlashBlock user, you may feel outraged by being brutally rickrolled this way, but you need to know that it could happen at any moment.

No special trick, just a Youtube movie embedding through a plain

<object>

HTML element. Examine the source code if you don't believe it:

<object width="300" height="242" data="http://youtube.com/v/A3_n0B1EaOY"> </object>

Not a big deal, really, if you consider FlashBlock a "noise reducer": it does a great job, in facts, working almost always.

A bit more worrisome, though, if you used to believe FlashBlock could improve your security against Flash vulnerabilities. Your next surprise video star may be way more malicious than Trojan.SWF.Astley...

To be fair, you would be in good company:

If they just looked at FlashBlock's FAQ, they would have found that the word "security" is never mentioned: a testament both to the good faith of the developers, who honestly advertise FlashBlock as an excellent annoyance blocker rather than a security enhancement, and to the superficiality of some advices.

Dancho is especially inexcusable, since he's the only one forgetting to mention NoScript, which features similar flash-blocking capabilities but, being developed with security as its main focus, is immune from this and other possible circumventions and, more important, would regard even the most exotic unblockable edge case as a serious bug to be fixed as soon as possible.

Oops, I couldn't block my own rant :)

Bad Behavior has blocked 559 access attempts in the last 7 days.