13.3 Flash and Shockwave


Macromedia's Flash and Shockwave plug-ins offer yet another form of rich media for many web designers. Both of these systems are designed to allow web designers to create complex animations that can interact with the user. Programs written in Flash and Shockwave can display graphics, read the mouse, have the user fill out forms, and control the web browser.

Conceptually, Flash and Shockwave are similar to Java in that these systems use bytecode that is downloaded from the web site to the computer and run with a special plug-in or "player." Their security is supposed to come from the fact that there is a limited repertoire of commands available to Flash and Shockwave programs. Unfortunately, the security is somewhat compromised by the lack of peer review for these proprietary products.

Consider the Macromedia Shockwave plug-in. In January 1997, Simson learned that the Shockwave plug-in contained instructions for reading and writing directly to the filesystems of the computer on which the web browser is running. This would seem to be a security problem. So Simson contacted Macromedia, spoke with an engineer, and was told that the Shockwave plug-in could only read and write to files stored in a particular directory in the Shockwave folder. The engineer said that Macromedia had been very careful to ensure that the plug-in could read and write to no other files on the system. The engineer further said that there was no way to use the system to store executable files.

Then on March 10, 1997, David de Vitry posted a message to the Bugtraq mailing list that said the Shockwave plug-in could be used to read email messages stored in the Netscape mail folders. Apparently, the Shockwave GETNETTEXT command can read from many different folders located within the Netscape directory, rather than only from Shockwave "preference" files. Reportedly, this Shockwave bug also affected Macromedia's plug-in with Internet Explorer.
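The defect described above is a failure of directory confinement: a file-access command that was meant to reach only the plug-in's own preference folder could be pointed at a sibling folder such as the Netscape mail directory. The following added example (not Macromedia's code; the `Shockwave/Prefs` and `Netscape/Mail` layout, the `resolve_within` and `read_pref_text` names, and the sample files are assumptions constructed for illustration) shows the check a "player" needs before honoring such a command, including the `..` and symlink cases:

```python
import os
import tempfile
from pathlib import Path

# Hypothetical confinement check for a plug-in that may only read files
# under its own preference directory. Names here are assumptions made for
# this example, not any real Shockwave API.

class PathEscapeError(ValueError):
    """The requested file lies outside the directory the player may touch."""

def resolve_within(base_dir, requested) -> Path:
    """Return the real path of `requested` only if it stays under base_dir."""
    base = Path(base_dir).resolve(strict=True)
    # Join, then resolve '..' and symlinks against the real filesystem, so a
    # name like '../../Netscape/Mail/Inbox', an absolute path, or a symlink
    # planted inside the prefs folder cannot escape the confined directory.
    candidate = (base / requested).resolve(strict=False)
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathEscapeError(f"{requested!r} resolves outside {base}") from None
    return candidate

def read_pref_text(base_dir, name) -> str:
    """What a confined GETNETTEXT-style command should do: check, then read."""
    return resolve_within(base_dir, name).read_text()

def demo() -> dict:
    """Build a constructed layout and try a legitimate read plus escapes."""
    root = Path(tempfile.mkdtemp())
    prefs = root / "Shockwave" / "Prefs"; prefs.mkdir(parents=True)
    mail = root / "Netscape" / "Mail"; mail.mkdir(parents=True)
    (prefs / "settings.txt").write_text("volume=7\n")           # constructed
    (mail / "Inbox").write_text("From: alice\nSubject: secret\n")  # constructed
    attempts = ["../../Netscape/Mail/Inbox", str(mail / "Inbox")]
    try:  # symlink inside the allowed folder pointing at the mail file
        os.symlink(mail / "Inbox", prefs / "link.txt"); attempts.append("link.txt")
    except OSError:
        pass  # platform without symlink support: skip that case
    results = {"ok": read_pref_text(prefs, "settings.txt")}
    for name in attempts:
        try:
            read_pref_text(prefs, name); results[name] = "READ"
        except PathEscapeError:
            results[name] = "blocked"
    return results

if __name__ == "__main__":
    print(demo())
```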

Macromedia said that it would be issuing a bug fix. Unfortunately, there's no way to know whether or not other security problems are lurking and misunderstood by the company's own engineers. This is true for every plug-in, not simply Macromedia's. However, because the Macromedia plug-ins are exceedingly widespread, a flaw that is found with them can directly compromise the security of millions of individual computers.



Web Security, Privacy & Commerce
Web Security, Privacy and Commerce, 2nd Edition
ISBN: 0596000456
Year: 2000
Pages: 194
