'high' severity OpenSSL and Flash Exploits

For discussions about security.
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#61 Post by mikeb »

Well the forum has a mind of its own.

So basically you considered this off-topic stuff and not really serious, though do bear in mind many here will take it seriously.

You are free to post what and where you like...I am free to comment on such posts...at least we have the freedom to do that here.

Of course we agree to disagree...I would hardly have expected otherwise but also bear in mind what you post does reflect on who you are ...nature of the beast.

Indeed I was a little confused as you seem to not be that impressed with the source material either.

Points made I think......

perhaps the thread should slip off into slumberland...

I also bet some sparks would fly if we met up :D

mike

Bindee

#62 Post by Bindee »

mikeb wrote:but also bear in mind what you post does reflect on who you are.
Only if someone was silly enough to see online forums like the game Sims and they were deluded by the vernacular of the imaginary voice they create in their own heads when they read text.

Thanks for the heads up but I don't worry about such people. :wink:

Jasper

#63 Post by Jasper »

Flash, mikeb, gcmartin,

Reserved, whilst awaiting permission to comment.

Bindee

#64 Post by Bindee »

Jasper wrote:Flash, mikeb, gcmartin,

Reserved, whilst awaiting permission to comment.
We can see your comment so you don't need permission from Flash if you have been on global read only forum block?

Bindee

#65 Post by Bindee »

Mozilla blocks Flash by default on Firefox browser

http://www.bbc.co.uk/news/technology-33520935
Adobe's Flash software is now blocked by default on all versions of the Firefox web browser.

On its support pages, Mozilla said the block would remain until "Adobe releases an updated version to address known critical security issues".

https://support.mozilla.org/en-US/kb/se ... ay-firefox
Well that happened quicker than I expected.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#66 Post by mikeb »

I noticed that change in SeaMonkey... it's very much like Flashblock does, and reminiscent of the days when the embedding had to be changed to use Microsoft after the legal wrangle over object embedding...

Though the family use it on my main machine, I disable Flash anyway...it's quick enough to enable, and without it some nice sites give you the MP4 directly, and YouTube I use the addon for MP4 anyway... all avoids adverts too.

all adness...utter adness

mike

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#67 Post by greengeek »

mikeb wrote:Here's a little conspiracy paranoid theory of my own.

Over recent years there appears to be an attempt to make out that Linux and open source projects such as Mozilla are producing software as woefully insecure as the operating systems and browser-integrated mess that Microsoft foisted upon the world with 98/ME/2000 and XP in their attempt to control the internet as well as computer sales.

Since that company are famous for using dirty tricks as part of their sales techniques and have had several sessions in court related to such malpractices, perhaps they are taking a more discreet approach via this wave of 'security' journalism.
I've had the same gut feeling. No way to prove it of course, but I feel very insecure with the pressure to hop on the security roundabout and constantly reach out for "the latest SSL" or whatever.

It seems to me that the rate of 'discovery' of bugs is now so accelerated that we 'need' to upgrade faster than we can evaluate the actual security of the patch. I would ask - is there adequate scrutiny between patches? I want to quote from the Slackware security advisories:
During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a
valid leaf certificate to act as a CA and "issue" an invalid certificate.
Sounds to me like a bug introduced in recent versions, in an effort to change the way certificates are validated, and offering alternative validation chains if the first ones don't validate (don't trust my description it's all too hazy for me to understand...)

I have never liked the idea of trusting a "trustworthy" certificate authority that sets itself up as being more 'trustworthy' than other authorities that don't have the same level of 'trustworthy' certificates. I don't trust the lot of them...
In the end, once you get on this chain train you just have to trust that the driver knows where he is going. The advisory notes I have posted above (thanks for the link semme) convince me that the driver has his head out the window and is blowing raspberries in the breeze.

<end of rant>
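The advisory greengeek quotes is about one specific check during chain building: a certificate that is not marked CA:TRUE must never be accepted as the issuer of another certificate, whichever order the candidate chains are tried in. As an added example (not code from this thread, from Slackware or from the OpenSSL project), the shell script below builds a root/intermediate/leaf chain with the openssl CLI, has the non-CA leaf "issue" a further certificate, and shows a correct verifier rejecting that certificate. All file names, subjects and the scratch directory are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSL: build a small PKI with
# the openssl CLI and exercise the CA-flag check the quoted advisory is about.
# Names, subjects and the scratch directory below are this example's own.
set -e

echo "running under: $(openssl version)"
WORK=$(mktemp -d)
cd "$WORK"

# One config file: a minimal [req] section so 'openssl req' accepts -subj,
# plus two extension profiles used when signing.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

# sign CSR SIGNER PROFILE OUT: issue a certificate from CSR using SIGNER.key
# and SIGNER.pem, with the extension section PROFILE from pki.cnf.
sign() {
  openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions "$3" -out "$4" 2>/dev/null
}

build_chain() {
  for n in root int leaf fake; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
  done
  # Trusted, self-signed root with CA:TRUE.
  openssl req -new -x509 -key root.key -out root.pem -days 30 \
    -subj "/CN=Example Root" -config pki.cnf -extensions ca 2>/dev/null
  # Intermediate (CA:TRUE) issued by the root.
  openssl req -new -key int.key -out int.csr \
    -subj "/CN=Example Intermediate" -config pki.cnf 2>/dev/null
  sign int.csr root ca int.pem
  # Ordinary leaf (CA:FALSE) issued by the intermediate.
  openssl req -new -key leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" -config pki.cnf 2>/dev/null
  sign leaf.csr int leaf leaf.pem
  # The situation in the advisory: the valid leaf "issues" another cert.
  # 'openssl x509 -req' does not care that leaf.pem is not a CA; only the
  # verifier is supposed to catch this.
  openssl req -new -key fake.key -out fake.csr \
    -subj "/CN=bank.example.test" -config pki.cnf 2>/dev/null
  sign fake.csr leaf leaf fake.pem
  # Everything handed to the verifier as untrusted chain material.
  cat int.pem leaf.pem > untrusted.pem
}

# verify_against_root FILE: prints OK if FILE chains to root.pem through the
# untrusted bundle, REJECTED otherwise (matched on output, since older
# 'openssl verify' builds did not always return a non-zero exit status).
verify_against_root() {
  if openssl verify -CAfile root.pem -untrusted untrusted.pem "$1" 2>&1 \
       | grep -q "^$1: OK$"; then
    echo OK
  else
    echo REJECTED
  fi
}

build_chain
echo "leaf.pem: $(verify_against_root leaf.pem)"   # OK
echo "fake.pem: $(verify_against_root fake.pem)"   # REJECTED: its issuer is not a CA
# Show the verifier's own reason; a correct build names the CA flag.
openssl verify -CAfile root.pem -untrusted untrusted.pem fake.pem 2>&1 || true
echo "scratch files left in $WORK"
```

Run it with sh; it needs only the openssl binary. The leaf verifies, the leaf-issued certificate is rejected with "invalid CA certificate", and the script prints the OpenSSL version it ran under. One caveat: the bug in the advisory sits in the alternative-chain code path, which this straight-line verification does not exercise, so a REJECTED here does not show that a 1.0.1n or 1.0.2b build is unaffected; for that, check the version (the fix shipped in 1.0.1p and 1.0.2d).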

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#68 Post by 8Geee »

I am also under the impression that Google Chrome also dumped Flash, or was that a head-fake?

ION: I don't really like the OpenSSL train either, but its what puppy uses. How many puppy-users still D/L the mail rather than discard at mail-server? And in the process of so doing use a mail-SERVER... with some shady authentication(s). IMHO just toss all the clients using ~/.packages as a guide. No server program, no exploit to remotely operate it.
Last edited by 8Geee on Wed 15 Jul 2015, 13:39, edited 1 time in total.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#69 Post by mikeb »

And in the process of so doing use a mail-SERVER.
Well it's not sendmail's SMTP...it's only capable of talking to a remote SMTP server, which is not quite the same...indeed unusable as a true SMTP server..I tried :D
Plus you are not using Outlook Express's ActiveX controls, which are the ones commonly hijacked.

Otherwise if servers are present they are not running by default and if they are there is or should be a firewall present (I use NFS for example.)
For public use such as game or chat servers or say VNC I always think using non standard ports is a good move...

Flash was adapted to use the Pepper API, which is more advanced apparently than Mozilla's NPAPI, and at this point in the game that is why Mozilla-based browsers can no longer use it (Flash). It's still the same vector graphics animator underneath...at least that's the basic idea I believe.

As with Android, attempts to make Flash exclusive to one company's software has big bucks potential (controlling the clients, not just the editing/server side)....yet at the same time they promote HTML5.... either way it's corporate games that make little technical sense in the end.

mike

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#70 Post by 8Geee »

HTML5 simply becomes a top layer for the script underneath, like HTML5/JS.

I still advocate tossing unneeded client-sides. IIRC in Slacko 5.7 the ISO trims about 6 MB tossing the 'major' ones.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#71 Post by mikeb »

Seems a shame, especially when there appear to be no known instances of hijacking SeaMonkey/Thunderbird/Sylpheed.
Not all software is the same...you cannot compare what we use here to Windows' default bundled internet software.

mike

Smithy
Posts: 1151
Joined: Mon 12 Dec 2011, 11:17

#72 Post by Smithy »

Yes, I would have thought the big breaches will be in a different sector than 'lil 'ol Puppy.
http://www.theinquirer.net/inquirer/new ... ntial-data

The cutesy-pie named "the cloud" is just some pile of SSD drives (or PATA) stuck in a shed with some dozing guard on the door. If the NSA etc. regularly get hacked, then what chance does the cloud have? Right, pens and paper down.. Oh, we hardly use those any more.
Literature..dead, music..dead..creativity..dead..art..dying. Ancient architecture, currently being blown up and demolished. Going a bit gc martin with a smattering of the last savior today lol.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#73 Post by s243a »

Bindee wrote:Mozilla blocks Flash by default on Firefox browser

http://www.bbc.co.uk/news/technology-33520935
Adobe's Flash software is now blocked by default on all versions of the Firefox web browser.

On its support pages, Mozilla said the block would remain until "Adobe releases an updated version to address known critical security issues".

https://support.mozilla.org/en-US/kb/se ... ay-firefox
Well that happened quicker than I expected.
So are puppy developers going to start using the open source alternatives to flash now?

Bindee

#74 Post by Bindee »

http://www.theregister.co.uk/2015/02/16 ... nightlies/

Their Shumway alternative currently only works on one site at the moment.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#75 Post by s243a »

Bindee wrote:http://www.theregister.co.uk/2015/02/16 ... nightlies/

Their Shumway alternative currently only works on one site at the moment.
Has anyone tried Gnash or Lightspark? I've seen them mentioned in a few places regarding the Flash blacklist.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#76 Post by mikeb »

If its the 'blacklist' I saw you can change it in settings/addons... unless its a blocklist item which would be handled differently.

mike

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#77 Post by s243a »

mikeb wrote:If its the 'blacklist' I saw you can change it in settings/addons... unless its a blocklist item which would be handled differently.

mike
That sounds like asking for trouble to me. Better to activate it only on trusted sites than to open yourself up to such a large security hole. Even only using Flash on trusted sites is problematic, given that Flash often interacts with many domains.

Adobe hasn't updated the Linux version of Flash for quite some time and has no plans to do so. Perhaps it is time to move beyond the native Linux version of Flash. We should either use the Pepper version or an open source version.

Moat
Posts: 955
Joined: Tue 16 Jul 2013, 06:04
Location: Mid-mitten

#78 Post by Moat »

s243a wrote:Adobe hasn't updated the Linux version of Flash for quite some time and has no plans to do so.
Adobe is actively updating/supporting security fixes for the Linux Flash version (11.xx.xxx) until 2017. It's just the later versions (beyond 11.xx.xxx) - with newer features - that they stopped supporting for Linux.

Bob

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#79 Post by s243a »

Moat wrote:
s243a wrote:Adobe hasn't updated the Linux version of Flash for quite some time and has no plans to do so.
Adobe is actively updating/supporting security fixes for the Linux Flash version (11.xx.xxx) until 2017. It's just the later versions (beyond 11.xx.xxx) - with newer features - that they stopped supporting for Linux.

Bob
When was their last security update, and was it bundled in with a minor version or did the patch have to be installed separately?

Moat
Posts: 955
Joined: Tue 16 Jul 2013, 06:04
Location: Mid-mitten

#80 Post by Moat »

About a week ago -

https://helpx.adobe.com/security/produc ... 15-16.html

The latest Flashplayer .pets for Puppy are available on OscarTalks' thread, here -

http://www.murga-linux.com/puppy/viewtopic.php?t=84267

Or you could try the latest getflash-1.5-6.pet from this post, to simplify keeping Flashplayer up to date -

http://www.murga-linux.com/puppy/viewto ... 869#835869

Flashplayer updates don't install a "patch" to an existing version, per se - it's just a matter of overwriting/replacing the older libflashplayer.so (which can simply be done manually, if preferred, on any Linux system).

Bob
