Flash, 64bits, Firefox, and Flashblock
 

Adobe was kind enough to release new versions of Flash to deal with the recent 0day exploit which is all fine and good except they didn't release a 64bit version. As a matter of fact the 64bit alpha is no longer available for download and their forum for the 64bit version has been set to read-only. Thanks guys.

I'm using Slackware64 13.1. I began the process of getting nspluginwrapper working with the 32bit plugin but decided that it wasn't worth the hassle. Rather than just dump Flash altogether, am I making my box "safe enough" by using the Flashblock extension for Firefox? Obviously, sites still can sniff for the Flash version, but nothing will be displayed unless I click on it. Basically I'd only be using it for stuff like YouTube and a few other major sites that should be trustworthy.

Thoughts?

I wasn't impressed with the 64bit flash player anyway so I just used Eric's multilib packages and installed 32 bit browsers and 32 bit flash. It worked better anyway.

IIRC the vehicle is a .swf or a .pdf with a .swf payload and the exploit requires Javascript to work. If that is the case then using a Flash blocker will not mitigate the exploit but only narrow down chances to where you'll be allowing Flash.


Ask yourself what it exactly is that makes those sites trustworthy in your opinion.

Because of the sheer volume of traffic and the likelihood of lawsuits if they allowed themselves to become a vector for infecting computers, they would be substantially more likely to be vigilant to keep their servers patched against such an exploit. As I understand it, a server that you are visiting would have to be compromised. Then by Flash it would redirect you to a site for spreading malware. Obviously it's not impossible. Having said that, I don't even know with absolute certainty that there are no exploits in the current version either. Or in Firefox. Or in the Linux kernel. Etc., etc.

I guess the question is: at which point does "reasonably" secure cease to be reasonable?

I've got Flashblock configured so right now it blocks everything, everywhere. A Flash animation can only run if I specifically tell it to. Maybe I need to bite the bullet on nspluginwrapper. At least this box has the spare CPU cycles to handle the overhead.

Actually movie upload volume is a factor that could make it harder for site operators to be able to scan files in a timely manner (if they do). Add high traffic volume to that and you would have a window for propagation because understaffed or otherwise lots of sites will rely on user reports marking things as unwanted or dangerous anyway. And I doubt this is stuff for lawsuits anyway. BTW this does not involve a server-side exploit or compromise, the server just facilitates it by hosting the .swf or .pdf.


No, that's too easy. This is about a known vulnerability with known ITW exploits and the fix being provided.


Since you used the word "trustworthy" I tried to make you think about what it exactly is that makes those sites "trustworthy". This is important because it's all too common for people to place trust in something or somebody when there is no reason to trust it or them. Client-side measures should involve fixing the vulnerability by installing the update (or using an equivalent or getting rid of Flash). Using Flash blocker alone is not enough as it can not stop the actual exploit from happening.

I lost faith in Adobe a while back. Just too many vulnerabilities, way too often for my liking.

Been flash free here for a while now. It means there are a few sites I can't use fully (The BBC probably being the most notable), but if that's the price of avoiding this Swiss-cheese of a plugin, then IMO it's worth paying.

I'm in a similar situation, although I didn't give it up entirely. I used to allow Flash, exclusively on the guest account of my Ubuntu box. I was satisfied with that weak level of isolation, at least for a while. Presently, however, I only allow Flash in a virtual machine on which nothing serious ever resides or takes place. So basically, even though my real box doesn't have Flash installed on it any more, I can still get my YouTube fix, and I have a reasonably isolated (subjectively speaking) option available whenever I need to use a Flash site. One thing I'm grateful for is that none of the important sites I depend on require Flash.