Flash as a browser extension? #71
Comments
Well, it has been a plugin pretty much ever since it was used on the web, so it is already at that point, but browsers are rejecting Flash primarily for security reasons. |
develop an extension that interprets swf and actionscript compiled does not mean that browsers |
https://helpx.adobe.com/security/products/flash-player/apsb17-21.html in June there were 2 remote code vulnerabilities: and more critical stuff before: and as a record of this year, in February we had 5 code execution vulnerabilities: to summarize, each month this year (except August, which just began) at least one code execution hole had to be fixed: I honestly haven't heard much about remote code execution holes in browsers lately, but one thing is that usually the JavaScript-based holes are usually failures in the browser implementation, meaning I can just switch to another browser in the meantime. This isn't really possible for Flash. And same as with Java or Silverlight, these have, as far as I get it, significantly more access on the system itself than your average website without these plugins has, meaning more damage can be done. |
"develop an extension that interprets swf and actionscript compiled does not mean that browsers |
Ok thanks for the official links of adobe, everyone knows this list I guess. |
Oh please, you are being dishonest at the moment. @My1 provided you bugs from an official source backing his claims. If you check the very website you provided (CVE details), Flash is listed with 819 vulnerabilities |
I am not against Flash being open sourced. I said before that as long as Flash is not both open and audited it's not a good option for relatively new stuff, and if it should be used then just for old stuff that already exists. Also your nice list of Chrome goes back to 2008, I honestly don't want to know how many holes Flash had in the timespan of 7 years. Also @demurgos you have the wrong list. You list all bugs. We need just code execution, well actually most of Flash's issues are code execution: |
I think there are some flash extensions in the Chrome web store |
There are limitations on what browser extensions can do. For example Chrome only accepts web technologies. |
Shumway was provided as a browser extension. It registered itself as a plugin handler (see this line). |
I think it needs a proper plugin install to run native stuff with extensions, but I'm not sure. |
Native messaging could be one thing to use: https://developer.chrome.com/extensions/nativeMessaging |
@My1 the thing with security issues in software is that every single one has those. Telling people that only Flash has security issues is misleading at best. It is as simple as that: Not only Flash is popular but on top of that when it runs inside a browser as a plugin Now, it's been years I read in online magazine, even some so called security experts, etc. That is total bullcrap. Every software got CVE: the Linux kernel got CVE, the Android OS got CVE, all the browsers got CVE, many operating systems got CVE, etc. In fact, anything that is somewhat popular will have CVE. You can find many CVE listed here: Here the top 50 Vendors Here the top 50 Products so that part
that's the bullshit that browser vendors are selling you, while at the same time Now look at the top 50 Products just for the year 2017 hey Flash is only 27 on the list, but yet people are still bringing up that myth |
Flash as a browser extension is not possible "as is". And the same browsers decided to remove plugins they can decide to remove extensions. For example, Google is not happy with all those "Ads blocker" extensions, |
Well, I never said that Flash is the only thing with security problems. But a browser is pretty much supposed to be a "VM for websites", essentially making sure they don't get access on the system; in contrast Flash essentially grants a lot more access to the computer than browsers do or at least did. It's pretty similar to Java or Silverlight in that aspect and both have been nuked earlier already, while Flash is running on a grace period because it's still used too much to just nuke it. Or why do you think browsers are removing Flash and the other stuff? Also that OSes are higher on the list is not too weird, after all they are a whole lot more complex and quite literally have to control the whole computer. Also unlike with Linux or Mac, Windows gets every version listed, although I think that in this case that is a bit overblown as the issues often pertain to multiple versions at once. Also the Acrobat stuff from Adobe also is listed multiple times; by crossing duplicates out, Flash would get a lot higher. Also the CVEs are bugs that have been found. Heartbleed for example was quite a while in the code. We don't know how many hidden bugs there are and people are losing interest in Flash because it's half dead by now. Unlike the old times where Flash autoplayed and you could do some really bad stuff, this isn't possible. You'd have to find someone gullible enough to actively start Flash, even though it's hardly used anymore. Finding holes in the browsers is a lot nicer for the attackers and it gets easier when they are open source, and with open source a whole army of whitehats can help fixing the bugs as well, something not so easy with closed things like Flash. |
My1: Well, WebRTC and javascript can have access to your system already, exactly like flash. https://www.grahamcluley.com/webcam-spying-without-turning-led-researchers-prove-possible/ So if you want to talk about security, let's start from the start, Hardware and Operating System. I never said to convert Flash Player as an extension "as is", the beauty of the binary world |
for people who don't know what is PROMIS software, back door technology and so on here is another article http://www.wnd.com/2013/06/nsa-has-total-access-via-microsoft-windows/ My1 "Or why do you think browsers are removing flash and the other stuff?" |
I just thought I should point out when comparing vulnerabilities it's important to look at what they actually are. Flash: https://www.cvedetails.com/product/6761/Adobe-Flash-Player.html?vendor_id=53 for 2015-2016 there were 478 code execution vulnerabilities. Chrome: https://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224 for the same time period there were 10. The other vulnerabilities don't really matter. Getting DOSed? Just don't visit that page again. Getting Code Executed? Your machine is now infected. Chrome never claimed to have fewer bugs than other software because there will always be bugs. Instead they engineered it so even if there are bugs they are far less likely to be able to own your machine. For example if you compare the CVEs for Safari, Firefox, Edge, and Chrome you'll see they all have about the same number of issues listed per year, showing that bugs happen and at a similar rate for similar software. But, if you check what those issues actually are you'll see Chrome usually has 10x to 50x fewer Code Execution bugs (bugs that lead to your machine getting owned). |
@greggman Precisely what you said (not to forget I did mention it already). Code Execution is the worst of all you can get and when 80% of ALL Flash bugs are CE we have a problem, while Chrome only comes with 5,8%, which is a far better ratio. |
A good solution would be to load Flash with a JS script inside the webpage. It would be automatically sandboxed by the browser (but would have some restrictions with cross-domain storage). Are the code execution vulnerabilities still present for new JS-based extensions? It may be a way forward. |
I don't know if this can be possible but another idea.
as an extension would maybe be a first step....