flashmagazine.com: Microsoft site (msn.no) serves malware to thousands of users due to a Flash Player bug not checked for by ad network.
Aug 27, 2008
shadedecho, Aug 27, 2008
I think a wake-up call and call-to-action should be put out to *ALL* responsible web authors who use Flash content, in any way on any of their pages.

For quite a while now, libraries like SWFObject (http://code.google.com/p/swfobject/) and CheckPlayer (http://checkplayer.flensed.com/) have exposed Adobe's "ExpressInstall" functionality, which is a drop-dead simple way for users to be prompted to update their Flash Player plugin automatically, unobtrusively, inline in the browser whenever they visit a site with Flash content (even ads!).

If web authors would realize the importance of keeping users' systems up to date and secure, and would simply use libraries and features like "ExpressInstall" to update users' plugins as they visit their site, I think there'd be much less chance that hackers and malicious folks will be able to wide-spread take advantage of such vulnerabilities.

This call is *especially* true for the big, high traffic sites, who have probably the best possible chance of getting updates out to the public. If Yahoo, MSN, YouTube, Flickr, etc. would use the "ExpressInstall" feature on their Flash content, and specify the latest secure version (such as "9.0.124"), then millions of users would be updated very quickly, and vulnerabilities like this would die very quickly too!

I also think Adobe could do a better job of getting this same call-to-action out, for the general web-dev authoring community. We all have to take responsibility in helping keep the web as safe and secure as it can be for the technologies we use to present content to users.