dcsimg
A Flash Developer Resource Site

Results 1 to 5 of 5

Thread: Flash poses a network security risk???

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    8
    I recently came across the following accusations aimed at Flash by some system administrators used as a rationale for disallowing the publication of Flash content within their network. Has anybody heard of this? Anybody know where they got their information? Does anybody know whether there's any truth in them? Any help would be appreciated:

    "There are two security issues that are of great concern.
    A.) A buffer overflow in Flash.OCX could allow an attacker to run code of their choice on a vulnerable system when a user reads an HTML.
    B.) Flash SWF content can allow malicious users of web sites that allow users to upload or include SWF content to get access to information (cookies, etc) that they aren't supposed to have access to. This can include system files stored on the hard drive, and or system passwords should they be saved in cookie files."

  2. #2
    Senior Member
    Join Date
    Jul 2000
    Posts
    5,087
    A. Fixed as of version 6, revision 29. The Flash OCX does not activate when you create read a HTML but rtaher when It reads a SWF. Now MSIE has over 21 unpatched and known security holes like this... http://www.pivx.com/larholm/unpatched/ so using his own logic everyone should imediatly remove IE from their systems. Are you using a NON-MSIE browser??? Probably not...
    Upgrading to the latest version of the Flash Player corrects this.

    The Flash 5 Standalone player had security issues related to FS Commands in it that have been fixed since MX.

    B. Was true but I'm pretty sure it was fixed with the latest version of the Flash player and MM posted an intermediate fix on their web site. Again Upgrading to a newer version of the player fixes that.

    Now those 21 unpatched MSIE holes- Upgrading does nothing for you...

    Here: http://www.macromedia.com/v1/developer/SecurityZone/

    [Edited by johnie on 08-07-2002 at 01:27 AM]

  3. #3
    Senior Member
    Join Date
    Oct 2000
    Location
    2006: Thika, Kenya
    Posts
    955
    But of course it was probably an MCSE who complained about the Flash security issues.....





  4. #4
    Senior Member
    Join Date
    Jul 2000
    Posts
    5,087
    Probably was

    Anyhow I dug around for you and indead Flash Player 6 R 40 and higher correct the Cookie issue.

    The Links are here: http://www.macromedia.com/support/fl...player_r40.htm

    and

    here: http://www.macromedia.com/support/fl...ipt_access.htm

    So that one has been fixed,

    Now if MS could only fix MSIE


  5. #5
    Junior Member
    Join Date
    Jul 2002
    Posts
    8

    Thanks people!

    Thanks for sharing your thoughts and efforts regarding this. I'm passing your info along to the tech people in hopes that they change their mind on using Flash.
    Thanks again!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  




Click Here to Expand Forum to Full Width

HTML5 Development Center