This is the way the world (wide web) ends...

re: This is the way the world (wide web) ends...

Adrian — Wed, 16 Apr 2008 23:59:42 GMT

Who browses with Flash enabled? Isn't that just for advertisements, junky amateur videos, and crappy games?

re: This is the way the world (wide web) ends...

Gideon — Thu, 17 Apr 2008 00:35:06 GMT

I didn't realize Thomas Ptacek was still around. His paper on vulnerabilities in intrusion detection systems back in the 90's was fantastic.

re: This is the way the world (wide web) ends...

Oh Shi- — Thu, 17 Apr 2008 00:49:40 GMT

Goodbye internet... looks like flash is going to /0 us all

re: This is the way the world (wide web) ends...

Miral — Thu, 17 Apr 2008 04:32:26 GMT

Yeah, this is why the FlashBlock extension should be mandatory :)

(Still, it's not going to stop those people who "just want to see the dancing bunnies, dammit!")

re: This is the way the world (wide web) ends...

Magi — Thu, 17 Apr 2008 04:41:26 GMT

Uh flash is used for quite a bit more than that :|

"Flash vulnerability" story

JD on EP — Thu, 17 Apr 2008 07:09:04 GMT

"Flash vulnerability" story: I'm bumping this up to my weblog, because OS News requires membership for comments, and their source, Thomas Ptacek, has not yet published the comment I submitted. The Mark Dowd paper describes an issue which was addressed

re: This is the way the world (wide web) ends...

LarryOsterman — Thu, 17 Apr 2008 08:17:49 GMT

JD, I've added your link (and the warning that comes with the security update) to the article.

re: This is the way the world (wide web) ends...

Dean Harding — Thu, 17 Apr 2008 09:22:54 GMT

Personally, I think the thing that is interesting here is not whether or not the vulnerability itself is already patched or not (nice going with the quick turnaround, though!). The thing that's interesting is the _amount of work_ that people are willing to put into discovering the vulnerability in the first place!

Larry: I found that if you have both IE and Firefox with flash installed, you've got to download the update TWICE -- once with your IE browser, and once more with your Firefox browser. That seems a bit silly to me. As far as I'm concerned, Flash is Flash; whether it's running in IE or Firefox...

re: This is the way the world (wide web) ends...

Nathan_works — Thu, 17 Apr 2008 17:16:06 GMT

Larry, please, at least put "0wn" in quotes. Can't stand that word. Speaks of low men.

re: This is the way the world (wide web) ends...

John — Thu, 17 Apr 2008 17:45:01 GMT

Nathan: Seriously. He should have at least gone with "pwnz0r".

re: This is the way the world (wide web) ends...

Yuhong Bao — Fri, 18 Apr 2008 03:21:33 GMT

"I found that if you have both IE and Firefox with flash installed, you've got to download the update TWICE -- once with your IE browser, and once more with your Firefox browser. That seems a bit silly to me. As far as I'm concerned, Flash is Flash; whether it's running in IE or Firefox..."

I found out that as well, and it is because Firefox and IE uses different Flash plug-ins

re: This is the way the world (wide web) ends...

Igor Levicki — Sat, 19 Apr 2008 03:22:19 GMT

Great, now I am just waiting for you to say "Everyone should use SilverLight instead of Flash".

re: This is the way the world (wide web) ends...

Altivo Overo — Sat, 19 Apr 2008 04:51:07 GMT

Heh. Not the end of the internet, but maybe it would be the end of flash? Bandwidth wasting garbage collector that it is? I suppose that would be asking too much, wouldn't it?

I yanked the flash plugin out of Firefox a long time ago. It just eats time and cycles in order to put garbage on the screen that I don't need or want. Anyone who makes the functionality of their website dependent upon Flash obviously doesn't want my attention.

re: This is the way the world (wide web) ends...

Markus III — Sat, 19 Apr 2008 21:10:26 GMT

I haven't had any version of flash installed on my pcs in over eight years so this is a non-issue for me. Once a month, maybe, I come across a site that won't let me do a thing without flash and makes me sigh because I was marginally interested. Oops, their bad, because I just go elsewhere for whatever I was looking to purchase or view or I do without.

FYI - If you're too lazy, too "artsy", or too dumb to make your site or your client's work sans flash then you/they lose my (considerable) business... and NO, nothing anyone offers is unique or valuable enough that it can't be done without or found elsewhere so the loss is yours rather than mine.

re: This is the way the world (wide web) ends...

Igor Levicki — Mon, 21 Apr 2008 02:56:50 GMT

@Markus III:

Take a look at www.tombraider.com... oops, you can't, you don't have Flash installed :p

Seriously, we don't need ANOTHER Flash clone because that means people will have to have both of them installed thus doubling the security risk.

Not to mention they will have to chase two sets of updates.

I wonder how someone so focused on security as Microsoft could have missed that?

re: This is the way the world (wide web) ends...

NathanM — Mon, 21 Apr 2008 20:33:55 GMT

How about a modest proposal of sorts: (1) robust error handling of out-of-memory conditions continues to be a problem -- it requires all allocations to be handled correctly. (2) These NULL pointer derefs can now be weaponized.

Therefore: (solution) - make all all memory allocations that return NULL call abort() [or the language's closest equivalent], to protect the app and the user from themselves. Frankly, I'd rather have OS-level support for this kind of behavior.

re: This is the way the world (wide web) ends...

reader — Mon, 21 Apr 2008 22:58:26 GMT

@NathanM:

So you're saying the OS should crash any apps that doesn't have enough memory for one single operation? That seems pretty drastic. Surely the app writer would rather have a chance to simply display an error message to the user rather than dying an unholy death and taking the user's work down with the app.

Besides, if you're using C++ allocators (ie. new operator), the default behavior is to throw an exception rather than returning a null pointer, so in a sense what you're proposing is already built into the language. It's too late to go back in time and change how C behaves with respect to malloc().

==============

On another note, it's technically inaccurate to characterize this exploit as a "a null pointer dereference". If you read the article you'll see that what's being dereferenced is not a null pointer, but rather (null pointer + some offset controllable by the attacker).

re: This is the way the world (wide web) ends...

Igor Levicki — Tue, 22 Apr 2008 02:30:56 GMT

@NathanM:

I hope you never get a job as a software developer or if you already have one I hope you lose it soon if you don't start using that brain of yours. Such ignorant thinking deserves at least some sort of punishment.

malloc()'s job is to allocate memory, not to terminate applications. It is on developer to decide how they are going to handle the error and NULL pointer can be handled just fine in most situations.

What if you have 6 unsaved Word documents and malloc() aborts because there is no room for 7th document you wanted to create? If it aborts all documents are gone. If it returns NULL Word can just say "no memory for another document" and you get the chance to save. Which one would you prefer as a user?

re: This is the way the world (wide web) ends...

MrBrian — Tue, 22 Apr 2008 06:19:42 GMT

For a much simpler example of this class of exploit, see http://taossa.com/index.php/2007/04/15/bored-games/

re: This is the way the world (wide web) ends...

Not one of Igor's employees — Tue, 22 Apr 2008 07:20:48 GMT

I'd be calling the unfair dismissal lawyers if I were fired for having a bad idea. There surely would not be much in the way of innovation at any company that _punishes_ people for having bad ideas.

re: This is the way the world (wide web) ends...

Rob — Tue, 22 Apr 2008 15:02:25 GMT

Igor - Whilst I agree with what you're saying, I utterly disagree with the *way* in which you said it. "Such ignorant thinking deserves at least some sort of punishment." is just, plain, rude. Manners, please! :-)

Larry - "weaponize", is that commonly used in the security field? Either way, I absolutely love it! I suspect my colleagues are going to be driven to utter distraction by the amount I'm going to use it. So much so that any throwable objects on their desks may all of a sudden become weaponized! ;)

re: This is the way the world (wide web) ends...

Torn — Tue, 22 Apr 2008 20:08:30 GMT

Igor - WTF. No wonder no one likes you.

re: This is the way the world (wide web) ends...

jeff.s — Tue, 22 Apr 2008 22:50:29 GMT

NathanM used the phrase "a modest proposal" - I think there's a chance he isn't even in the neighborhood of being serious.

re: This is the way the world (wide web) ends...

Igor Levicki — Wed, 23 Apr 2008 15:51:11 GMT

@Not one of Igor's employees:

I never said he should be punished for just having bad ideas. We all have a bad idea every now and then.

He should be punished for advocating bad idea as a _solution_ especially if he attempts to implement it.

Actually, I got pissed off because of this:

"to protect the app and the user from themselves."

I fiind it insulting that someone wants to protect me from myself because I am not a retard, thank you.

I see a pattern (especially in the USA) where people are asking for protection from all sorts of things just because they refuse to think and be responsible and I don't like it at all.

@Rob:

I really do not understand why are you asking me to be polite? Why not ask NathanM not to insult my intelligence with his stupid ideas?

@jeff.s:

Not only he used a word "solution" -- he misunderstood the exploit because NULL pointer deref cannot be "weaponized" by itself, you need attacker controlled offset.

He also demonstrated that he doesn't grasp basic concepts of software by asking for "OS level support" for crashing an application in low memory situation.

If it was funny I would be the first one to laugh, but it isn't even close to a joke. If it was a joke, then it is a rather tasteless one.

Finally, how far will you people go in defending the rights of Individuals to have their say? Is that some finer aspect of democracy I am failing to grasp or what? This planet is in a serious danger of being ruled (and ruined!) by Individuals if we don't say "no" to them soon.

re: This is the way the world (wide web) ends...

J.Swift — Wed, 23 Apr 2008 22:51:12 GMT

Igor - you're probably not familiar w/ English literature. Go look at http://en.wikipedia.org/wiki/A_Modest_Proposal for where that phrase comes from. Read the whole thing. The whole point is to be a tasteless joke.

Black hats have a new possible weapon at their disposal. It's not that hard to scan code for calls to malloc/new, and check what it does. Like strcpy, the code needs to be 100% correct in every call to it to be safe. One missed check, and it's "0wnable." How do you ensure that 100% of all code on your box is safe? Or do you just run pure 64-bit code that won't fail malloc anytime soon?

re: This is the way the world (wide web) ends...

Marc K — Sun, 27 Apr 2008 17:05:26 GMT

FlashBlock Firefox extension FTW!

re: This is the way the world (wide web) ends...

Igor Levicki — Sun, 08 Jun 2008 20:14:48 GMT

@J.Swift:

I am not familiar with English literature and I don't have to be. I am sure you are not familiar with Serbian literature, but I am not bringing it up as an argument against you or your reasoning.

The Internet is a global place. Here are some basic rules of writing:

- Do not use idiomatic or colloquial expressions — many idiomatic expressions have no counterpart in other languages, or their use is inappropriate for the audience.

- Be extremely cautious using humor. What is funny in one culture might be offensive in another. For example, "Ciao", which means "hello" in Italian, means "drop dead" in Telagu.

- Use examples and scenarios that are as culturally “generic” as possible. For example, avoid scenarios that involve luxury consumer goods. Do not present a scenario involving gourmet dog food or one that assumes the reader is familiar with how a VCR works.

- Do not eliminate “understood” words, including "by", "that", and "it". Do not omit verbs and auxiliary verbs. Without these words, many phrases can be interpreted in more than one way.

Those are just a few of the guidelines you can find in literature on the subject of writing for the global audience.

NathanM didn't include universally acceptable joke simbol (a.k.a. smiley) so what he wrote most certainly wasn't a joke, much less such sofisticated one as you imply.