16 March 2011, 12:34
The less you know, the better you sleep, or enough with pulling information out of context
Headlines such as "The fundamental bug in Adobe Flash will not be fixed" certainly do not surprise me. They reek of yellow journalism from a kilometer away, and it is evident that the author has absolutely no clue what exactly he wrote about. The main thing is that the headline contains "Adobe Flash" and a negative connotation, a combination at which a very active part of the Habr community starts salivating like Pavlov's dogs.

And in fact I am sure that most of my fellow commenters do not know that:
  1. It is not a bug.
  2. This vulnerability is not exactly a Flash one.
  3. It is an extremely old ("bearded") vulnerability.

But no, all the same... AAAA, A NEW BUG, FLASH WON'T FIX IT, HOW COME, PANIIIIC!!!11

I look at people like you with tenderness, gentlemen. Your knowledge is scant, and you live in blissful ignorance. At some point in life people come to understand the meaning of the saying "The less you know, the better you sleep." This "fundamental Flash bug" is not even the tip of an iceberg whose underwater part you may not know about, yet you want to yell all the same.

If you spend half a day digging through the Internet and technical literature, you will understand that danger is in fact at every turn; the majority simply does not know about it and takes hardware and software for a brick wall without any holes or cracks. This vulnerability is only one member of the huge family of cross-site scripting (XSS) vulnerabilities, of which a million have already been closed and as many still remain; it is just that nobody is particularly bothered about it. Almost everything that runs on the client is affected by XSS. First of all JavaScript, through whose holes the other client technologies crawl: Flash, Java, sausage.

Do you know about the 101 ways to fool the check of uploaded files on a server? For example, that it is possible to combine GIF + JAR (aka ZIP) or PDF + JAR, and the resulting file will be a valid PDF and a valid JAR at the same time? Did you know that drafts still blow through huge security holes in your browser? Not to mention the heaps of sites that are made by novices and are full of holes on all sides, and you trust them with your personal information and credit card numbers. Did you know that there are plenty of ways to fool Google and pull your passwords out even from the "corporation of good-and-evil"? Did you know that passwords saved in Firefox can be pulled out trivially?

Did you know that this is not even the beginning of the huge list of vulnerabilities we live with? Why are you still alive, then? Because nobody needs you. Until somebody does.

But why is it so? I think the root of all these problems can be dug up somewhere at the origins of the network itself, because the underlying protocols, which appeared in I am afraid to say exactly which ancient year, are not protected in any way. Why? Because anyone who had claimed back then that online banking would be done over them would have been laughed at on the spot. And later, as the need arose, patches had to be stuck on and all sorts of policies invented.

P.S. As for the Flash vulnerability: I stole cookies in exactly the same way back in some ancient two-thousand-something year on a forum where you could upload Flash. There is nothing new here.

P.P.S. I was asked to explain how the vulnerability works. In short, XSS vulnerabilities are based on injecting someone else's malicious client-side code into the protected zone of the attacked domain. The security model assumes that if something is served from the domain example.com, it belongs to that domain and may freely access all information associated with it. All that remains is to slip the malicious code in somehow. Read about XSS on the Internet.

What do we have in the article, and how does it apply to Flash? It applies just as it does to everything else; it has merely been dragged in by the ears to fit Flash. So, I upload an SWF to a site that allows it. If the site does not allow it, I upload the same SWF disguised as something else (I will not describe how to disguise it, because I am afraid of getting it badly wrong and would need to experiment). Accordingly, if the SWF sits on the domain example.com in the uploads folder, it is considered native to this domain, because someone once assumed that if content is publicly served from the domain example.com, then only the site admin could have put it there (haha). My malicious SWF then gets access, via JavaScript, to the whole environment. If it also appears somewhere on example.com without allowscriptaccess = never and allownetworking = never, it is immediately game over. But the author of the above article shows the case where the SWF is hosted on example.com and is, as it were, native to it, but is opened via an outside URL. That is, Vasya sends you a link of the "come look at this" kind, you click it and see the SWF, which has access to your cookies at example.com. Is the message clear? Replace example.com with whatever you want, and panic. And yet all it takes is to serve this stuff from the domain barahlo.example.com, and this will no longer work.
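
The two upload tricks mentioned above (a file that is a valid GIF or PDF and a valid JAR at once, and an SWF uploaded under the guise of something else) can be screened for on the server. The following is an added example, not code from the original post; the function names, the allowed-type list and the sample byte strings are assumptions constructed for illustration.

```python
import io
import zipfile

# Leading magic bytes -> format. SWF has three variants: FWS (uncompressed),
# CWS (zlib-compressed) and ZWS (LZMA-compressed).
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf",
    b"FWS": "swf", b"CWS": "swf", b"ZWS": "swf",
}
EXT_ALIASES = {"jpg": "jpeg"}


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring name and claimed MIME type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_upload(filename: str, data: bytes,
                 allowed=("gif", "png", "jpeg", "pdf")) -> list:
    """Return the reasons to reject an upload; an empty list means it passed."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    kind = sniff(data)
    if kind not in allowed:
        reasons.append(f"content type {kind} is not allowed")
    elif ext != kind:
        reasons.append(f"extension .{ext} does not match content type {kind}")
    # ZIP/JAR readers locate the archive from the END of the file, so a file can
    # open as a valid image or PDF and still be a valid archive.
    if zipfile.is_zipfile(io.BytesIO(data)):
        reasons.append("file also parses as a ZIP/JAR archive")
    return reasons


# Constructed sample inputs (stubs built here, not real files from the post).
GIF_STUB = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as z:
    z.writestr("placeholder.txt", "constructed archive member")
GIF_PLUS_ZIP = GIF_STUB + _buf.getvalue()
SWF_NAMED_GIF = b"CWS\x0a" + bytes(16)

if __name__ == "__main__":
    for name, blob in [("cat.gif", GIF_STUB), ("cat.gif", GIF_PLUS_ZIP),
                       ("avatar.gif", SWF_NAMED_GIF)]:
        print(name, check_upload(name, blob) or "accepted")
```

Content checks like this narrow what gets stored, but they do not replace the measure named in the post's last sentence: serving user uploads from a separate domain so that they never run in the main site's origin.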
Added by: w1zard