Tuesday, July 8, 2014

It's time to stop using Flash on Power Macs. Period.

There are already a large number of reasons not to use Java on Power Macs, not the least of which being Flashback, which exploited a hole in the Java VM sandbox to run a native binary and thus gain control of the Mac. If the binary had been compiled universal, then the exploit would have worked on Power Macs, too.

Well, Flash just got that sort of exploit, but it's worse, because this attack will work successfully against Power Macs too. "Rosetta Flash" (how appropriate!) can steal credentials and cookies by generating valid, malicious SWFs through JSONP that abuse Flash's ability to bypass the same-origin policy that would normally protect against such an attack.

There are ways that a service can protect itself from Rosetta Flash, but that's where it gets even worse for Power Mac users: the recommended server-side change to retard the attack won't work on Flash 10.1. Yes, you heard right. Even if the server implements the recommended server-side protection, Flash 10.1 will still download and execute the malicious SWF. And that's critical, because there is no Flash 10.2 or above for Power Macs, just various hacks that change the version number.

This exploit is fully weaponized, as they say in the biz. It's ready for any attacker to use. So Flash is dead: it is no longer safe for use on Power Macs, TenFourFox won't run it anyway, and if you are still using TenFourFox 17 to run Flash applets, I warned you this day would come.

So far all indications are that beta 3 is substantially faster than beta 2. I will make one last tweak to the garbage collector timeslice before release for a little better long term throughput. The only remaining bug is issue 280, which is a crash with the G5 using 7450 branching; I'm just going to revert to G5 branching as was originally in 24/26/29. I'm now starting to think that the performance delta might be a benchmark artifact anyway, and it's not worth the trouble to debug prior before release. Meanwhile, 31 will come out on schedule simultaneously with 24.7.0 to conclude ESR24. Another year of support ahead!

3 comments:

  1. Condemning Flash is probably correct but bewildering. In the YouTube world Flash is needed for .FLA file playback. So one of the largest repositories of video media is still requiring Flash to reside on PC and Mac computers. Am I right about this?

    ReplyDelete
    Replies
    1. For those specific videos that are still .fla only, I imagine so, but that number has got to be rapidly shrinking in lieu of H.264 video.

      If you used the Flash mode in MacTubes, that would be safer than using in the browser, at least, though I use QuickTime mode personally.

      Delete
  2. @kp...buy a cheap late 2000's PC laptop, something like a Dell D620 core duo. Currently going for 40-120 on ebay. Download and install Linux Mint 13 Cinnamon ( will be supported until April of 2017). Right click on the menu bar and put it up top where it belongs. Install OS X Cinnemon theme from software center. Install and launch Docky. Grab Tiger, Leopard Mavericks, or Yosemite wallpapers from Google images, right click on desktop and change wallpaper. Install Chromium 30 something with Pepper Flash from webupd8.org's PPA.

    Use above anytime you absolutely, positively, undeniably need Flash. User PowerPC mac for everything else. "Problem" solved.

    ReplyDelete

Due to an increased frequency of spam, comments are now subject to moderation.