Flash is buggy - Where have I heard that before?

Richard Gaskin ambassador at fourthworld.com
Tue Jun 8 15:43:45 CDT 2010


Lynn Fredricks wrote:
> I happen to like Javascript but, wow, you are so right. A lot of the trojans
> out of the wild today take advantage of how insecure browsers are to deliver
> payloads right through your browser. Sometimes your antivirus software will
> catch it, othertimes not.

Reminds me of one of my favorite Raneys posts, on buffer overruns:

<http://www.mail-archive.com/metacard@lists.runrev.com/msg02659.html>

And this one:

<http://www.mail-archive.com/metacard@lists.runrev.com/msg02350.html>

Excerpts:

  ...you should keep in mind that the average cobbled-together
   MetaCard server is going to be safer, at least WRT to
   buffer-overrun security problems (the easiest to exploit
   and most dangerous kind), than virtually any current
   open-source server program.  This is obviously the case
   when compared with the FTP, HTTP, and BIND servers that
   are running on the majority of Internet hosts out there,
   all of which have multiple security holes like this, one
   of the buffer-overrun bugs in BIND (the DNS server) being
   the single most commonly exploited security hole in any
   server software.
   ...
   I certainly wouldn't rule out building or using MetaCard
   server software, even for protocols for which well-known
   (if buggy) open source software is widely available.
   While I don't see any big advantage to writing an FTP
   server in MetaCard, an HTTP server that executes CGI
   scripts is a different matter entirely and an area where
   a MetaCard server could be safer and feature-competitive
   with any of the alternatives.
   ...
   ...the ubiquity of buffer-overrun bugs in open source software
   rises to the level of criminal negligence.  There is just no
   excuse for this kind of sloppy programming, yet not a week
   goes by that yet another example of this kind of thing isn't
   found in one of the commonly used open-source packages.  I
   wouldn't blindly trust Microsoft software either, but at
   least the majority of the security holes in their products were
   put there deliberately to improve the usability of the products
   rather than as the result of poor security hygiene on the
   part of the developer.

   My advice is to not be afraid of this stuff.  Sure, you have
   to be careful, but you can hardly do any worse a job than those
   hacks who are writing the software that runs the Internet ;-)

:)

--
  Richard Gaskin
  Fourth World
  Rev training and consulting: http://www.fourthworld.com
  Webzine for Rev developers: http://www.revjournal.com
  revJournal blog: http://revjournal.com/blog.irv



More information about the use-livecode mailing list