If you are reading this from a browser using Adobe's Flash Player
plug-in (i.e., if you see a blue rectangle below), it will probably
crash within the next few seconds. :-(
[embedded Flash object]
"Regarding crashing, I can tell you that we don't ship Flash with
any known crash bugs, and if there was such a widespread problem
historically Flash could not have achieved its wide use today,"
Lynch wrote. "Addressing crash issues is a top priority in the
engineering team, and currently there are open reports we are
researching in Flash Player 10."
[1]Adobe Defends Flash, Calls Apple Uncooperative
This page exploits a bug that I reported to Adobe in September 2008 and
that has affected every release of Flash on every platform since then.
Despite numerous email exchanges with the Flash product manager about
the bug, the bug report being hidden from the public for "security"
reasons, and Adobe CTO Kevin Lynch's claims otherwise, it continues to
be an issue.
* [2]Original Bugtraq posting
* [3]CVE-2008-4546
* [4]Link to Adobe JIRA bug report (not accessible to the public
anymore)
_________________________________________________________________
Email: Matthew Dempsky <[5]matthew@dempsky.org>; Twitter: [6]@mdempsky
And much praise to the Opera team for just not crashing in the first place. I can zoom in the blue square, move around, etc. and the page is still fine after a minute or so leaving it open.
Can anyone enlighten me on this? I noticed the same thing:
* Viewing this page in Firefox 3.6 on Windows caused Flash to crash, taking the browser down with it.
* Viewing it in Chrome on the same machine caused the Flash plugin subprocess to crash, resulting in an error message in Chrome.
* However, no crash occurred in Opera. This despite the fact that 32-bit Opera on Windows does not appear to use isolated subprocesses for running NSAPI plugins.
So what's going on here? Does Opera use some sort of in-process isolation to protect the browser from its plugins? Or is there perhaps some quirk of running in the Opera environment that caused this Flash crash not to be triggered like it was in Firefox and Chrome?
Adobe Flash on Opera/Linux has always been quirky, crashy and all-round unreliable for me in the past. So, I use Opera as my pure-HTML+JavaScript browser, with ALL plugins, sound, animation, and Java plugins turned off in Global preferences.
Going off-topic [Opera praise]:
These settings instantly turn Opera into the most stable and shockingly scalable 'Research and reference' browser I've used. I only use Firefox 3.5.x for web-dev, Google Apps, heavy-JS Web 2.0 apps, and Flash-enabled sites of course (with Flashblock as first-line defence).
Yeah, it also looks like Safari's recent improvements in terms of plugins that they introduced in Snow Leopard have successfully prevented this problem from taking down the whole browser.
You need to have at least Snow Leopard, I believe. Apple recently moved plugins to separate processes, which prevents the entire browser from crashing. Flash will crash, but it won't take down the whole browser.
Except IIRC this wasn't about security or stability; it was because they went 64-bit on everything and needed a way to have the 64-bit apps and 32-bit plugins interact sanely.
It handles it less gracefully than I would have assumed. If you are running Flash in multiple Chrome windows, this will corrupt ALL of them, instead of just the one visiting the page linked above. Wasn't one of Chrome's huge selling features the idea of memory independence?
Memory independence + plugin that isn't designed to run multiple processes = plugin that can only run in one process. Imagine if Flash, forced into running twice, tried to read and write from the same cookie / any other kind of data, without any concurrency tools of any kind.
Chrome has to run Flash how Flash wants to be run, because doing otherwise could cause massive problems with any plugin. This is part of why it took so long for them to make Chrome, resolving the memory independence desires with the needs of plugins requires giving some things up. It was either roughly all plugins in existence, or allow the same process to interact with multiple tabs / windows.
This sounds a bit fishy to me. Of course Flash can be run from multiple processes simultaneously since it naturally runs inside of multiple browsers simultaneously, and I assume Chrome has some internal (socket based?) IPC that they're using anyway...
Flash on multiple browsers has completely separate cookie and data stores. Flash on a single browser has a single cookie and data store. Without introducing a complex forking/merging infrastructure for that data (which only Adobe would be able to create anyway) you're stuck with a single process for the plugin for all of the tabs in a single browser.
Part of the difficulty is that this problem applies to all plugins. Flash may be able to handle it just fine, in which case it could just be a poor plugin, but what about any other plugin out there?
Heck, Firefox uses a lock-file in your profile to prevent multiple instances from running. What's to stop a plugin from requiring such a file, writing / reading it frequently, and having no error handling because it's only designed to run singly? Ultimately, you either harden the separations to run multiple instances of it, breaking many in the process and possibly damaging data irrecoverably, or you just let the plugin decide and have backwards compatibility, which is hugely important for a browser.
Interestingly enough the "libflashplugin.so" bar popped up on Gmail for me the last time that all my Flash instances crashed. I never realized that GMail used Flash. (The bar only seemed to pop up on tabs that were using Flash, not all tabs had the warning at the top)
Don't know about HTML5 (I can hope), but it can be accomplished with JS + hidden iframe for uploading. I think it requires querying the server for the progress, but I could be wrong there.
Firefox 3.6 on Ubuntu x64, Flash v10.0.32.18ubuntu1, seems to survive. Chrome survives too, unsurprisingly. Come to think of it, doesn't Firefox have plugin crash safety in place now?
Firefox 3.5 on a similar setup crashes. 3.6 was when Firefox made itself less vulnerable to this sort of thing, following WebKit's and Chrome's ideas on isolating plugins.
Yes, but oddly it seems to circumvent Safari's protective spawning of Flash to a separate process when it does load. When I clicked the browser-crashing Flash app, it actually crashed Safari, and Activity Monitor never picks up the separate Flash process anymore.
Are you sure you're not running Safari in 32-bit mode? The separation is only set up when Safari is running in 64-bit. That setup worked fine for me; clicking the plugin loaded it, and a few seconds later it crashed and turned into the block without crashing Safari.
Yup, crash on mine. WebKit nightly on OSX, everything up-to-date. Thankfully, it just crashes the plugin (though it holds up the browser for a bit), everything keeps working.
Flag it. Linking to a page that links to the crash demo with appropriate disclaimer? cool. Putting a warning in the submission title would have worked, too.
I confirmed the crash on iCab 5.0.7 Mac, Firefox 3.6 Mac, Safari 4.0.4 Mac and Firefox 3.5.7 under Ubuntu 9.10 in Virtual Box 3.1.2. (Using latest updated Snow Leopard)
It's always nice to see bugs are addressed quickly . . . which is why I'm not really surprised. Adobe products have always had a clunky feel to me and Flash was genuinely a product destined for them.
It's crashing for me with Snow Leopard 10.5.2 on a Core Duo (32 bit obviously) and Safari
Version: 4.0.4 (6531.21.10)
Build Info: WebBrowser-65312110~2
Code Type: X86 (Native)
Parent Process: launchd [157]
You know this whole Flash debacle is a real shame because Flash, at least the concept of Flash, is really a great idea with lots of potential.
Flash allows people to create wonderful things (just visit newgrounds.com) but Adobe's lack of commitment to improving it is dragging it down and could be its unfortunate downfall.
Flash is a terrible concept just like Java Applets were a terrible concept, and its only potential is annoying advertisements, slow splash pages that keep away return visitors, and browser crashes.
Why are Flash's bugs only a problem when Steve Jobs mentions it? Is Flash really a problem or are we just overcome by Jobs's reality distortion field?
Flash does stuff that HTML cannot currently do. In this respect hackers should thank Adobe as Flash helped move applications off the desktop and onto the web. When HTML5 has matured, the gaps in HTML will be filled and unless Flash has something new to offer, it will be time to give it a heartfelt goodbye.
Adobe's saving grace is that it released FABridge - you can use Flash for the things it's good at, and Ajax for everything else. Then when HTML5 has matured you won't have to rewrite everything.
The issue is that Flash seems to be getting worse. And we see a light at the end of the tunnel (new features being added to browsers to do what we use Flash for).
So the building of frustration with Flash over time, a general dislike of closed systems, and a light at the end of the tunnel have combined into the general "fuck you flash" feelings that seem to have sprung up over the last few months in developers. Which is awesome! As the web needs to outgrow proprietary plugins.
"As the web needs to outgrow proprietary plugins."
I agree. What bothers me is all this "frustration" showing only after Steve Jobs mentions it. I highly doubt his reason for bashing Adobe is due to his love for open web standards --
What I don't get is how hackers can side with Apple against Adobe given the iPhone App Store mess... The model of the App Store is against everything the open web stands for -- I think hackers should be more upset with Apple than Adobe.
[Updated for technical clarity, rather than refuting bias]
Reading the original article, the issue seems to be with AVM1, the portion of the Flash Player dedicated to legacy Flash (v8 and older). Flash Player was updated in 2006 to include AVM2 and that's been Adobe's focus ever since.
Translation for HTML people: it's like pointing out IE6 bugs that still show up in IE7.
This is nothing more than an out of date flame post.
(Downvoters: have you actually looked at the nature of the bug?)
Adobe's CTO claimed that they don't ship versions of Flash that are known to crash. The bug this triggers is more than a year old and the only version it does not crash is the most recent _beta_ version of Flash. The post merely points out the deception in Lynch's claims.
By my understanding, there will always be lots of ways to intentionally crash a browser. I know very little about crash-related security vulnerabilities, so I didn't see this threat as relevant.
I think you might be thinking of locking up the browser, rather than crashing it. You can easily create a JavaScript program that will run a loop that will make your browser non-reactive.
But this is very different: the plugin actually crashes. The security issue comes into play because when the plugin crashes it is doing something it wasn't designed to do. So (in theory) someone malicious could take this crash and make the Flash player do something specific it wasn't designed to do, like run some code outside of its sandbox. Which obviously would be a very big deal.
This is different than the lock-up/DoS case, where a product is doing what it is meant to do, but will just take a very long time (maybe forever) to finish it.
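The distinction this comment draws, shown as an added example (not code from Dempsky's demo page, and not the actual CVE-2008-4546 defect, whose mechanics the thread does not describe): a toy tag/length stream parser in C, with a trusting version that exhibits both a hang and a memory-unsafe crash beside a hardened version that rejects the same input. The tag codes, the one-byte length field and the sample streams are all constructed for illustration and are not real SWF data.

```c
/* Added example (not code from Dempsky's page, and not the actual
 * CVE-2008-4546 defect, whose mechanics the thread does not describe).
 * A toy tag-length-value stream loosely modelled on SWF's tag/length
 * headers, to show the difference the comment draws between a hang
 * and a memory-unsafe crash, and what the fix looks like. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Record layout: 1-byte tag code, 1-byte payload length, payload bytes. */
enum { TAG_END = 0, TAG_DATA = 1 };

/* Hypothetical buggy parser, kept only for contrast; never run it on
 * untrusted input.  It has both failure modes from the comment:
 *  - len == 0 never advances i, so the loop spins forever (lock-up/DoS);
 *  - len is trusted, so memcpy reads past buf and writes past out
 *    (a crash, or with a crafted stream, corruption of whatever follows). */
size_t parse_tags_unchecked(const uint8_t *buf, size_t n, uint8_t *out)
{
    size_t i = 0, w = 0;
    while (i < n) {
        uint8_t code = buf[i];
        uint8_t len = buf[i + 1];            /* header byte may itself be past the end */
        if (code == TAG_END)
            break;
        if (len == 0)
            continue;                        /* BUG: i is not advanced -> infinite loop */
        memcpy(out + w, buf + i + 2, len);   /* BUG: no bounds check -> overread/overflow */
        w += len;
        i += 2 + len;
    }
    return w;
}

/* Hardened parser: every read is checked against the input length and
 * every write against the output capacity, the loop always makes
 * progress, and anything malformed is rejected (-1) rather than
 * "handled" by undefined behaviour. */
int parse_tags_checked(const uint8_t *buf, size_t n,
                       uint8_t *out, size_t outcap, size_t *written)
{
    size_t i = 0, w = 0;
    for (;;) {
        if (n - i < 2)
            return -1;                        /* truncated header or missing end tag */
        uint8_t code = buf[i], len = buf[i + 1];
        if (code == TAG_END)
            break;
        if (code != TAG_DATA)
            return -1;                        /* unknown tag: reject, do not guess */
        if (len > n - i - 2)
            return -1;                        /* payload runs past the input */
        if (len > outcap - w)
            return -1;                        /* payload would overflow the output */
        memcpy(out + w, buf + i + 2, len);
        w += len;
        i += 2 + len;                         /* advances by at least 2, even for len == 0 */
    }
    *written = w;
    return 0;
}

/* Constructed sample streams (not real SWF data). */
static const uint8_t WELL_FORMED[] = { TAG_DATA, 3, 'a', 'b', 'c',
                                       TAG_DATA, 0,
                                       TAG_DATA, 2, 'd', 'e',
                                       TAG_END, 0 };
static const uint8_t OVERLONG[]    = { TAG_DATA, 200, 'x' };  /* claims 200 bytes, has 1 */
static const uint8_t NO_END[]      = { TAG_DATA, 1, 'a' };    /* stream stops without TAG_END */

/* Runs the checked parser: returns the byte count if it accepted the stream
 * and produced exactly `expect`, -1 if it rejected the stream, -2 on a mismatch. */
int demo_checked(const uint8_t *s, size_t n, const char *expect)
{
    uint8_t out[16];
    size_t w = 0;
    if (parse_tags_checked(s, n, out, sizeof out, &w) != 0)
        return -1;
    return (w == strlen(expect) && memcmp(out, expect, w) == 0) ? (int)w : -2;
}

int demo_wellformed(void) { return demo_checked(WELL_FORMED, sizeof WELL_FORMED, "abcde"); }
int demo_overlong(void)   { return demo_checked(OVERLONG, sizeof OVERLONG, ""); }
int demo_noend(void)      { return demo_checked(NO_END, sizeof NO_END, ""); }

int main(void)
{
    printf("well-formed: %d bytes extracted\n", demo_wellformed());
    printf("overlong:    %d (rejected)\n", demo_overlong());
    printf("no end tag:  %d (rejected)\n", demo_noend());
    /* parse_tags_unchecked(OVERLONG, ...) would read past the array and
     * parse_tags_unchecked(WELL_FORMED, ...) would never return;
     * both are deliberately not called. */
    return 0;
}
```

The unchecked parser is the shape of bug that turns a "crash demo" into something worse: the same trusted length that makes memcpy fault on a short stream lets a crafted stream write past `out` without faulting at all, which is the step from denial of service toward code execution the comment alludes to. The checked parser makes both the hang and the overread impossible by construction rather than by catching them after the fact.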
The bug has to do with loading 5+ year old Flash 7/8 swfs.
A better analogy would be he's making a stink about a Carbon bug for obsolete OS 8/9 apps. Carbon still ships with OSX and serves the same purpose as AVM1 in Flash Player: basic (but not perfect) backwards-compatibility for legacy code.
I'm surprised that more priority hasn't been put into fixing it though. A bug that crashes the browser out in the wild for a year and a half? Someone malicious could do some pretty obnoxious things with it.
Incidentally this use case isn't completely unheard of. There is still a lot of AS2 content out there that companies haven't bothered to migrate to AS3 yet (for whatever reason).
If you don't have the resources for fixing old known bugs, then you should remove backwards compatibility, especially since bugs are caused by buffer/stack overflows / segmentation faults ... which could lead to unauthorized code being executed on your machine. How else do you think botnets are made?
$ lynx --dump http://flashcrash.dempsky.org/
References