Adobe Flash 10 does NOT stop malvertizement hijacking

Adobe Flash keeps its title as the "Typhoid Mary of the Internet".

Kimberley has put in some hard yards, and posted a comprehensive article that proves that Flash 10 is NOT stopping SWF malvertizement hijacks.

You can read all about it here:
http://www.bluetack.co.uk/forums/index.php?s=f3bfcacbac0c1eba459283546fb127e9&showtopic=18064&st=150&p=89649&#

"A perfect Flash file is the one that is never loaded by your browser."

"In my eyes the "clipboard jacking" is a minor issue, when you paste some text into your browser, post, blog, document ... you never review what you did write? Redirects are still working, whether they lead to fake online scanners or download an executable. So what has changed ... NOTHING."

OK, come on Adobe - when are you going to give us a way to turn redirects off??? There are articles on this blog evidencing the use of crossdomain.xml dated August 2007, and you can be sure that the bad guys were using it before then - it is not a new trick.

Please excuse me while I repeat what I wrote back in February of this year.

"Realistically, the only way that we can stop this problem easily is by PREVENTING the very first redirect - preventing that moment when the malicious banner advertisement on a legitimate web page grabs the user's Web browser and dumps it at a different web site."

Yes, the changes to Flash mean that "the meta-policy default will change from 'all' to 'master-only'", but seriously, what difference does it make? The moment that a Flash SWF redirects a victim to a domain controlled by the bad guys, the victim is at the mercy of the criminal because "all master policy files (any policy file saved in the root of the domain with the name crossdomain.xml, such as hxxp://example.com/crossdomain.xml) [will] continue to function as expected".
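To make the meta-policy point concrete, here is an added Python example (not code from this blog, from Kimberley's article or from Adobe) that reads a master policy file and reports which policy files on that domain are still usable under the Flash 10 default. The two policy files are constructed samples and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MASTER_PATH = "/crossdomain.xml"
FLASH10_DEFAULT = "master-only"  # default when no meta-policy is declared (previously "all")

# Constructed sample: master policy file that grants access to every domain
OPEN_MASTER = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed sample: master policy file that forbids all policy files
LOCKED_MASTER = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>"""


def meta_policy(master_xml):
    """Meta-policy declared by the master policy file, else the Flash 10 default."""
    site_control = ET.fromstring(master_xml).find("site-control")
    if site_control is None:
        return FLASH10_DEFAULT
    return site_control.get("permitted-cross-domain-policies", FLASH10_DEFAULT)


def is_honored(master_xml, policy_path):
    """True/False if the policy file at policy_path is usable; None if undetermined."""
    policy = meta_policy(master_xml)
    if policy == "none":
        return False                      # not even the master file is used
    if policy_path == MASTER_PATH or policy == "all":
        return True
    if policy == "master-only":
        return False                      # only the root crossdomain.xml counts
    return None  # by-content-type / by-ftp-filename depend on how the file is served


def granted_domains(master_xml):
    """Domains named in allow-access-from; "*" means any domain."""
    root = ET.fromstring(master_xml)
    return [e.get("domain") for e in root.iter("allow-access-from")]


if __name__ == "__main__":
    for path in (MASTER_PATH, "/ads/crossdomain.xml"):
        print(path, is_honored(OPEN_MASTER, path), granted_domains(OPEN_MASTER))
```

With no meta-policy declared, only the policy file outside the root is switched off; the wildcard grant in the root crossdomain.xml is untouched by the new default.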

Comments

# re: Adobe Flash 10 does NOT stop malvertizement hijacking

Wednesday, October 29, 2008 10:47 PM by jim

thanks for info on flash

confirms my assessment of flash as a nasty parasitic maggot

flash aka macromedia aka adobe aka a dirty thieving ubiquitous insinuating piece of virus infected excrement

# re: Adobe Flash 10 does NOT stop malvertizement hijacking

Thursday, November 20, 2008 1:30 AM by Chuck

Flash 9 was not THAT bad- but, from the day that Flash 10 entered my life- my online time has suffered DRAMATICALLY!

I turn it off and there's no toggle to turn it back on- so it's been reloaded 4x with no improvement of performance!

ADOBE-- What are you doing?!

There is no way to retrieve my Flash 9 now-

just because it is free software doesn't mean that you can offer a LAME PRODUCT!

COME ON!!!

What EVER.

Jerks.

Ok-- thanks for letting me vent!

~Chuck

# re: Adobe Flash 10 does NOT stop malvertizement hijacking

Thursday, November 20, 2008 2:01 AM by sandi

@Chuck

IE8 crashes regularly on my system since installing Flash :(

# re: Adobe Flash 10 does NOT stop malvertizement hijacking

Thursday, November 27, 2008 12:40 AM by zed

Every time I run This Turd... Flash Player 10, My power Options Shutdown for Windows Stops Functioning, and I Have To Restart My PC To Return to Normal Auto Shutdown Function...

I Have Tried Everything to Fix... Damn You Adobe, Wish I Never Updated from Flash 9

# Mr

Tuesday, January 06, 2009 2:37 PM by Mike

Since installing flash 10, my flashplayer and god knows what else, now belongs to inane porn pushers. I will now flush all flash/adobe related products from my system, regardless of labour, cost, or consequence. I advise you all do the same. FLUSH THE FLASH!