Adobe Flash 10 does NOT stop malvertizement hijacking
Adobe Flash keeps its title as the "Typhoid Mary of the Internet".
Kimberley has put in some hard yards, and posted a comprehensive article that proves that Flash 10 is NOT stopping SWF malvertizement hijacks.
You can read all about it here:
"A perfect Flash file is the one that is never loaded by your browser."
"In my eyes, 'clipboard jacking' is a minor issue: when you paste some text into your browser, post, blog, document ... do you never review what you wrote? Redirects are still working, whether they lead to fake online scanners or download an executable. So what has changed ... NOTHING."
OK, come on Adobe - when are you going to give us a way to turn redirects off? There are articles on this blog, dated August 2007, evidencing the abuse of crossdomain.xml, and you can be sure that the bad guys were using it before then - it is not a new trick.
Please excuse me while I repeat what I wrote back in February of this year.
"Realistically, the only way that we can stop this problem easily is by PREVENTING the very first redirect - preventing that moment when the malicious banner advertisement on a legitimate web page grabs the user's Web browser and dumps it at a different web site."
Yes, the changes to Flash mean that "the meta-policy default will change from 'all' to 'master-only'", but seriously, what difference does it make? The moment that a Flash SWF redirects a victim to a domain controlled by the bad guys, the victim is at the mercy of the criminal, because "all master policy files (any policy file saved in the root of the domain with the name crossdomain.xml, such as hxxp://example.com/crossdomain.xml) [will] continue to function as expected".
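The meta-policy setting quoted above lives in the `<site-control>` element of the master crossdomain.xml; it only governs which additional policy files the player will honour on that host, which is why a master policy on a criminal-controlled domain keeps working. For site owners who want to check what their own master policy grants, here is an added defender-side example (my code, not the post's and not Adobe's): a small Python auditor that parses a crossdomain.xml and flags the settings that hand out broad access. The two sample policies are constructed, and the finding codes are my own naming, not anything from Adobe's specification.

```python
"""Audit a Flash crossdomain.xml master policy for over-permissive settings.

Added example, not code from the original post.  The sample policies are
constructed for illustration and do not come from any real site.
"""
import xml.etree.ElementTree as ET

# Values the site-control element accepts; the post quotes "all" and "master-only".
META_POLICY_VALUES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}

# Constructed sample: grants everything a policy file can grant.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: master-only meta-policy, one named origin, HTTPS kept separate.
RESTRICTIVE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""

# Constructed sample: no site-control at all, so the player's default applies.
NO_SITE_CONTROL_POLICY = """<cross-domain-policy>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text):
    """Return a list of (code, message) findings for one crossdomain.xml document.

    The finding codes are this example's own naming; an empty list means
    nothing in the policy looked overly broad.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("NOT_A_POLICY", "root element is not <cross-domain-policy>")]
    findings = []

    # Meta-policy: which other policy files on this host the player will honour.
    site_control = root.find("site-control")
    if site_control is None:
        findings.append(("NO_SITE_CONTROL",
                         "no <site-control>; the player's default meta-policy applies"))
    else:
        meta = site_control.get("permitted-cross-domain-policies", "")
        if meta == "all":
            findings.append(("META_POLICY_ALL",
                             'permitted-cross-domain-policies="all" honours policy files '
                             "anywhere on the host, not just the master file"))
        elif meta not in META_POLICY_VALUES:
            findings.append(("META_POLICY_UNKNOWN",
                             f"unrecognised meta-policy value {meta!r}"))

    # Access grants: who may read this site's content through the player.
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("ALLOW_ANY_DOMAIN",
                             'allow-access-from domain="*" lets SWFs from every origin '
                             "read this site's content"))
        elif domain.startswith("*."):
            findings.append(("ALLOW_WILDCARD_SUBDOMAIN",
                             f"allow-access-from domain={domain!r} trusts every subdomain"))
        # secure="false" lets a SWF loaded over plain HTTP read HTTPS content.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("SECURE_FALSE",
                             'secure="false" lets plain-HTTP SWFs read HTTPS content'))

    # Header forwarding: arbitrary headers from arbitrary origins is the widest setting.
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers", "") == "*":
            findings.append(("ANY_HEADERS_FROM_ANYWHERE",
                             "allow-http-request-headers-from forwards any header "
                             "from every origin"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY),
                         ("restrictive", RESTRICTIVE_POLICY),
                         ("no-site-control", NO_SITE_CONTROL_POLICY)):
        print(f"== {name} ==")
        for code, message in audit_crossdomain_policy(policy) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```

Run it against the master policy fetched from your own domain root; the restrictive sample is the shape to aim for, and the post's point stands regardless: tightening your own policy does nothing about a redirect to a domain whose master policy the criminals wrote themselves.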