Adobe Flash security hole

estevao · 2010-06-18 18:55:24

hokasch wrote:

Could you link an example, or is it every video/game? Not a single crash here, right click works fine, e.g. http://www.fastgames.com/pixellegions.html ("about" does not display anything though).
The only (minor) annoyance I could see so far is a rendering issue with embeded youtube, see here (grey box overlapping text):
http://omploader.org/tNG84YQ
It goes away with scrolling up/down or so.
edit: example from http://www.spreeblick.com/2010/06/18/guten-morgen-179/

I'm having this issue to. Very boring in some sites...

Last edited by estevao (2010-06-18 18:55:57)

lastchancetosee · 2010-06-19 11:09:18

Opera users should be able to use the 32bit-version directly, because Opera uses it's own wrapper anyway. Haven't tested it yet, first I'm trying Gnash and Lightspark. God, I hate Flash!

[edit1: Lightspark does not seem to work at all.]

Last edited by lastchancetosee (2010-06-19 11:20:41)

doorknob60 · 2010-06-20 07:45:14

I'm stickin' with the old one they took down Flash is already freakin buggy enough, and I've had so many problems with nspluginwrapper in the past, I never want to touch it again. Not to mention I don't want to install all those lib32 packages (I use a chroot instead, don't want to use 32 bit Firefox either...). I'll take my chances until they release a real native one...screw you Adobe.

cb474 · 2010-06-21 01:33:57

doorknob60 wrote:

I'm stickin' with the old one they took down Flash is already freakin buggy enough, and I've had so many problems with nspluginwrapper in the past, I never want to touch it again. Not to mention I don't want to install all those lib32 packages (I use a chroot instead, don't want to use 32 bit Firefox either...). I'll take my chances until they release a real native one...screw you Adobe.

I don't really understand the security hole in the first place. What is the real nature of the risk using the old version? How can if effect Windows, OS X, and Linux equally? In Linux with permissions, etc., shouldn't that prevent code running within flash from accessing the rest of the system? Or would something like No-Script in firefox prevent the problem? Can anyway please explain further? Thanks.

skottish · 2010-06-21 01:53:58

cb474 wrote:

doorknob60 wrote:
I'm stickin' with the old one they took down Flash is already freakin buggy enough, and I've had so many problems with nspluginwrapper in the past, I never want to touch it again. Not to mention I don't want to install all those lib32 packages (I use a chroot instead, don't want to use 32 bit Firefox either...). I'll take my chances until they release a real native one...screw you Adobe.
I don't really understand the security hole in the first place. What is the real nature of the risk using the old version? How can if effect Windows, OS X, and Linux equally? In Linux with permissions, etc., shouldn't that prevent code running within flash from accessing the rest of the system? Or would something like No-Script in firefox prevent the problem? Can anyway please explain further? Thanks.

Programs run part in user space and part at the root level. When 'code injection' breaches break a running program, the OS, whether Linux, Mac, or Windows, will drop down to its originating shell which has administrative access. Any attack from there has to be OS specific, but the attacker is now the 'owner' of the machine.

ataraxia · 2010-06-21 02:58:23

Apparently, the "hang on right-click" problem will be fixable by setting "dom.ipc.plugins.enabled=true" when Firefox 3.6.4 gets here. At least, that's what googling for "nspluginwrapper right click" implies; I haven't tested it myself. There's also a possibility that this fix only works with a specific Ubuntu build of Firefox - that's not clear to me.

Edit: now that we have 3.6.4, I confirm that this appears to work for me. The new default settings would be enough for the native version, but an nsplugin-wrapped version has a different name, so I still need to set the above key.

You can see the effect of this setting (not just for nsplugin-wrapped Flash, but for native Flash and other plugins) because you'll see a new process named "plugin-container". This is about sandboxing for plugins, and apparently Flash 10.1 requires being run this way, at least for right-clicking on it.

Edit #2: It's safer to only enable this sandbox for plugins that know how to run in it, so I suggest setting "dom.ipc.plugins.enabled.npwrapper.libflashplayer.so=true" instead of the key given above.

Last edited by ataraxia (2010-06-23 13:52:19)

Stebalien · 2010-06-21 04:07:39

skottish wrote:

Programs run part in user space and part at the root level. When 'code injection' breaches break a running program, the OS, whether Linux, Mac, or Windows, will drop down to its originating shell which has administrative access. Any attack from there has to be OS specific, but the attacker is now the 'owner' of the machine.

That may have been correct at one time with windows (AFAIK, this used to be a major cause of BSODS) but is no longer the case with any modern operating system. If it were correct any program would be able to "exploit itself" to gain root privileges. A program running as a normal user cannot overwrite memory of a program running as another user; the kernel simply does not allow it. The only exception to this rule is a security flaw in the kernel itself.

Last edited by Stebalien (2010-06-21 04:11:21)

cb474 · 2010-06-21 08:50:08

Stebalien wrote:

skottish wrote:
Programs run part in user space and part at the root level. When 'code injection' breaches break a running program, the OS, whether Linux, Mac, or Windows, will drop down to its originating shell which has administrative access. Any attack from there has to be OS specific, but the attacker is now the 'owner' of the machine.
That may have been correct at one time with windows (AFAIK, this used to be a major cause of BSODS) but is no longer the case with any modern operating system. If it were correct any program would be able to "exploit itself" to gain root privileges. A program running as a normal user cannot overwrite memory of a program running as another user; the kernel simply does not allow it. The only exception to this rule is a security flaw in the kernel itself.

Thanks for the responses. So if what Stebalien is saying is correct, then what is the risk with the flash security hole, to users running Linux? I still don't understand it. I'm not a developer or coder or anything, just an end user.

Stebalien · 2010-06-21 15:26:54

cb474 wrote:

Thanks for the responses. So if what Stebalien is saying is correct, then what is the risk with the flash security hole, to users running Linux? I still don't understand it. I'm not a developer or coder or anything, just an end user.

Flash, or anyone who exploits it, can do anything you can. It/they can steal/wipe all of your files, log key strokes, read your email, and run any program you would be able to run. It/they would also be able to edit your ~/.bash* files in your home directory; if you use sudo, it could alias sudo to 'bad program that steals your password'. The good news is that very few people would waste their time writing malware for desktop linux users.

Last edited by Stebalien (2010-06-21 15:27:17)

cb474 · 2010-06-21 20:13:50

Ah, okay. Thanks. That sounds bad. If unlikely.

IgnorantGuru · 2010-06-22 02:41:17

Another thing to keep in mind - IMO ALL versions of Adobe Flash (and other products) have backdoors and exploits available. I think they do this deliberately, frankly. If you look at their history, it is a continuous, unending stream of 'may allow execution of arbitrary code' bugs. They only fix the ones which are discovered, and then slowly.

So if you use Adobe, I recommend always using Flashblock so it only loads when you choose to see something. And regarding it stealing files, keep it running in some kind of a sandbox (I use a simple bash tool sandfox for this, but there are more involved solutions as well).

Like most Linux users I hate Flash, but if you want to use some parts of the web, sometimes it's required.

skottish · 2010-06-22 03:49:53

Stebalien wrote:

skottish wrote:
Programs run part in user space and part at the root level. When 'code injection' breaches break a running program, the OS, whether Linux, Mac, or Windows, will drop down to its originating shell which has administrative access. Any attack from there has to be OS specific, but the attacker is now the 'owner' of the machine.
That may have been correct at one time with windows (AFAIK, this used to be a major cause of BSODS) but is no longer the case with any modern operating system. If it were correct any program would be able to "exploit itself" to gain root privileges. A program running as a normal user cannot overwrite memory of a program running as another user; the kernel simply does not allow it. The only exception to this rule is a security flaw in the kernel itself.

My understanding of this stuff is pretty weak, so I'll err on the side of your knowledge. Articles like this though seem to me to point to it being real today even with fairly modern Linux kernels:

http://lwn.net/Articles/347006/

lastchancetosee · 2010-06-22 11:11:27

*** for Opera users ***
Don't bother with the bin32-flash*- and wrapper-packages from AUR and all their dependencies. Opera (maybe other browsers as well) uses it's own wrappers for plugins and can use i686-plugins directly.
Just eliminate all other flash-related stuff, download the current libflashplayer.so for i686 from Adobe and put it in /usr/lib/opera/plugins and you're good to go.

[edit: Wrong, thanks to slumslayer for pointing that out. You still need the lib32-stuff, but you do not need any kind of wrapper. 'lib32-flashplugin' from AUR will solve all your troubles]

Sidenote: The problem with clicks not being recognized in flash-apps can be solved be adding

export GDK_NATIVE_WINDOWS=1

to either the beginning of /usr/bin/opera or the beginning of /usr/lib/opera/<version>/operapluginwrapper, in case anyone (like me) was wondering.

Last edited by lastchancetosee (2010-06-22 16:04:55)

slumslayer · 2010-06-22 12:18:31

@lastchancetosee : it still need lib32-* stuff
Installing lib32-flashplugin and adding /opt/mozilla/lib/plugins to plugin path works fine without nspluginwrapper, thx for pointing it out

Last edited by slumslayer (2010-06-22 12:19:21)

rent0n · 2010-06-22 12:34:20

slumslayer wrote:

@lastchancetosee : it still need lib32-* stuff
Installing lib32-flashplugin and adding /opt/mozilla/lib/plugins to plugin path works fine without nspluginwrapper, thx for pointing it out

Really? Are you speaking about firefox? Could you share with us the exact steps to use lib32-flashplugin instead of nspluginwrapper-flash?
Thanks!

slumslayer · 2010-06-22 12:41:52

@rent0n : sry, I was speaking about Opera.

rent0n · 2010-06-22 12:50:17

slumslayer wrote:

@rent0n : sry, I was speaking about Opera.

Ah, ok!
I misunderstood because I've seen a path related to mozilla...

lastchancetosee · 2010-06-22 16:01:39

@slumslayer: You're right of course. I thought I'd removed the lib32-stuff as well (and was quite surprised that it worked), turned out I didn't on this machine. My bad.

Another thing: If you have Firefox & Opera installed, take care that Opera does not get coaxed into using the nspluginwrappered stuff - it doesn't work. If should be OK in Arch, with Ubuntu Opera used flashplugin-alternative.so as flashplugin, which is just a symlink to the wrapper, and failed horribly. Another thing to keep in mind, but - as I said - if should be alright in Arch.

I misunderstood because I've seen a path related to mozilla...

Opera by default checks for plugins in /usr/lib/mozilla/plugins and /usr/lib/opera/plugins, so it doesn't matter where you put them.

Last edited by lastchancetosee (2010-06-22 16:06:12)

athelas · 2010-06-22 18:23:40

I tried a different solution, but it didn't work, although I still think it should. I installed the MediaPlayerConnectivity-Plugin for Firefox. The Plugin gives the opportunity to open an embedded video in an external player. This works pretty fine with vlc (although it should work with other players as well), but not for Youtube videos. I don't really understand why, because vlc plays videos which I downloaded from Youtube. Does anyone have any experience with that?

ataraxia · 2010-06-23 13:53:11

I added the GDK_NATIVE_WINDOWS workaround, and the safest fix I know of for the "hang on right-click" problem, to the wiki.

rent0n · 2010-06-23 14:43:35

ataraxia wrote:

I added the GDK_NATIVE_WINDOWS workaround, and the safest fix I know of for the "hang on right-click" problem, to the wiki.

Great, I didn't know about the right-click fix. My current workaround was: do not right click!
I propose [wiki]Install_32bit_Flash_on_a_64bit_System[/wiki] should be merged into (or at least linked to) [wiki]Flash[/wiki].
Also it should be updated and simplified as it is ony necessary to install nspluginwrapper-flash from AUR (all the dependencies are automatically satisfied) and fix left and right clicks.
I would do that but I'm writing my master's degree thesis and I really don't have the time, sorry.

nixpunk · 2010-06-23 15:18:00

I had issues with nspluginwrapper-flash-prerelease from AUR, freezing on fullscreen (Hulu/Youtube/ETC). I switched back to nspluginwrapper-flash and that seemed to fix it. This has been one of the most frustrating issues I have had as a Linux user, in nearly 10 years.

Last edited by nixpunk (2010-06-23 15:19:19)

combuster · 2010-06-23 21:32:19

I'm using Epiphany with HTML5 YouTube extension - and man I don't miss flash at all... I can't even notice that it is gone. Sometimes youtube complains about flash player but i reload the page several times and html5 player pops up. No flash at all - finally

yiuin · 2010-06-24 15:40:37

combuster wrote:

I'm using Epiphany with HTML5 YouTube extension - and man I don't miss flash at all... I can't even notice that it is gone. Sometimes youtube complains about flash player but i reload the page several times and html5 player pops up. No flash at all - finally

What about sites like grooveshark/pandora? I wouldn't think those would work.

IgnorantGuru · 2010-06-24 17:35:24

combuster wrote:

I'm using Epiphany with HTML5 YouTube extension - and man I don't miss flash at all... I can't even notice that it is gone. Sometimes youtube complains about flash player but i reload the page several times and html5 player pops up. No flash at all - finally

How is it that Epiphany accomplishes this? Is it using a chrome plugin like IE does?

It really sucks the way Google is using HTML5 (or at least H.264) as a way to restrict and dominate rather than open, which was the original intention of HTML5. Do no evil - yeah right. I certainly don't trust any browser or plugin concocted by the likes of Google, the biggest info thieves around, regardless of how well it works. Might as well still be stuck with Adobe or Microsoft - they've just replaced one evil with another as far as I'm concerned.

Is there any open browser that can use H.264 youtube video that is non-Google/non-Chrome?

Arch Linux

#51 2010-06-18 18:55:24

Re: Adobe Flash security hole

#52 2010-06-19 11:09:18

Re: Adobe Flash security hole

#53 2010-06-20 07:45:14

Re: Adobe Flash security hole

#54 2010-06-21 01:33:57

Re: Adobe Flash security hole

#55 2010-06-21 01:53:58

Re: Adobe Flash security hole

#56 2010-06-21 02:58:23

Re: Adobe Flash security hole

#57 2010-06-21 04:07:39

Re: Adobe Flash security hole

#58 2010-06-21 08:50:08

Re: Adobe Flash security hole

#59 2010-06-21 15:26:54

Re: Adobe Flash security hole

#60 2010-06-21 20:13:50

Re: Adobe Flash security hole

#61 2010-06-22 02:41:17

Re: Adobe Flash security hole

#62 2010-06-22 03:49:53

Re: Adobe Flash security hole

#63 2010-06-22 11:11:27

Re: Adobe Flash security hole

#64 2010-06-22 12:18:31

Re: Adobe Flash security hole

#65 2010-06-22 12:34:20

Re: Adobe Flash security hole

#66 2010-06-22 12:41:52

Re: Adobe Flash security hole

#67 2010-06-22 12:50:17

Re: Adobe Flash security hole

#68 2010-06-22 16:01:39

Re: Adobe Flash security hole

#69 2010-06-22 18:23:40

Re: Adobe Flash security hole

#70 2010-06-23 13:53:11

Re: Adobe Flash security hole

#71 2010-06-23 14:43:35

Re: Adobe Flash security hole

#72 2010-06-23 15:18:00

Re: Adobe Flash security hole

#73 2010-06-23 21:32:19

Re: Adobe Flash security hole

#74 2010-06-24 15:40:37

Re: Adobe Flash security hole

#75 2010-06-24 17:35:24

Re: Adobe Flash security hole

Board footer