The latest Flash vulnerability and monoculture

Perry E. Metzger perry at piermont.com
Sun Jul 26 14:27:03 EDT 2009


This is purely about security, not on crypto.

For those of you not in the know, there is an exploitable hole in
Adobe's "Flash" right now, and there is no fix available yet:

http://www.adobe.com/support/security/advisories/apsa09-03.html

(See also: http://www.us-cert.gov/cas/techalerts/TA09-204A.html )

The responsible thing would be to advise everyone to turn off Flash
until Adobe comes up with a fixed binary, but of course, if they did,
large numbers of companies -- from the obvious YouTube and Hulu to the
less obvious business down the street that uses Flash to handle their
video catalog -- would be screwed. (Instead, of course, just about
everyone out there with a web browser is screwed.)

This highlights an unfortunate instance of monoculture -- nearly
everyone on the internet uses Flash for nearly all the video they watch,
so just about everyone in the world is using a binary module from a
single vendor day in, day out.

This is a bit of a wake-up call -- the use of standards-based
technologies to deliver content to users would likely have led to
multiple implementations being in wide use, which would at least
mitigate such problems.

It would also help quite a bit if we had better encapsulation
technology. Binary plug-ins for browsers are generally a bad idea --
having things like video players in separate processes where operating
system facilities can be used to cage them more effectively would also
help to mitigate damage.

(By the way, for those that aren't aware, because recent versions of
Acrobat Reader include the ability for PDFs to embed Flash, you are
better off reading PDFs with third-party PDF readers.)

Perry
