Say What, Flash is More Secure Than HTML5?!

So my favorite script kiddy and copycat, Feross (copied, note the shameless “I discovered” in his Quora post, LoL)
Found a social engineering flaw in the HTML5 fullscreen mode that can be used for phishing attacks. This time it might be even his own finding… what do you know ;)

This flaw is very much similar to the well known and very old picture-in-picture
Picture-in-Picture Phishing Attacks and Operating System Styles
More info..
IMHO the old version is still way more dangers for phishing.

So How Flash is more secure?

What enables this HTML5 fullscreen flaw to exist in his prime is the fact you have full keyboard access. This way an attacker can more easily steal the user’s credentials.
After all fullscreen was existant in Flash for many years now, yet it was never compromised this way. The main reason is that Flash is more secure is that it does not allow full keyboard interaction in fullscreen.

Good thinking Adobe, taking care our security… oh wait… Flash was added with this feature with version 11.3… after all Flash can’t be left behind…
Working demo…

Damn… but still Flash gives you a decent popup confirmation which HTML5 doesn’t

Yeah, I know Chrome give you a popup too, but you don’t have to click on it to get FULL keyboard access.
I constructed this “amazing” demo here (chrome only), as you can see you get the message but the keyboard is fully functional and accessible through javascript.

So still Flash is more secure than HTML5 – in that respect.

It takes us back to what me and other were preaching about, that with great power comes great responsibility.
HTML5 have its own flaws and the more powerful it’ll become it will get even more.

Stay tuned…

I Didn’t Wait for the iPhone 5

I was an happy Android user ever since the Nexus One came out (the One was the first decent Android, btw). Since than I used a few Android phones and never thought I will switch. Android is open, free, power to the people, and all that – but the fact is that the iPhone is still the best phone there is.

Last Android I used a lot is the Samsung Galaxy Nexus, it has an impressive 720 x 1280 pixels, 4.65 inches screen, and overall a very nice spec. But overall it’s a bad phone. I was totaly not impressed by it. It only become good with the Android 4.1 Jelly Bean update (only 1.2% of Androids). Google even use this phone in the Gelly Bean screenshots.

Developing mainly for mobile, I have an iPhone 4S laying around, I knew the iPhone is better but didn’t want to switch yet because I was used to the Android ecosystem, the great Gmail app and the way it sync everything nicely – this is  an area where the iOS is still lacking.

I always postpond it saying – I will switch with the iPhone 5.

But, one day it happened, I stuck my sim into the 4S and never looked back.The small screen got some time to get used to, but after a short while, you realize its qaulity is far superior than anything else.

When I first saw the leaked iPhone case I was a bit shocked – it can’t be only that, it’s exactly the same just a bit longer. If this is for real than Apple might be in trouble. Then I relized, it doesn’t matter if that only what we get, it’s still gonna be the best phone. The iPhone 4S is already the best phone, so any improvement of that is still the best phone.

Yeah, there is the note with the huge screen, and the S3 is impressive, but still these are niche phones.

Apple will not be able to go on forever with improving what they already have, they will have to reinvent the wheel – again. Hopefully that will arrive as well.

I’m still excited about every new Android version and device, but for now I’m on an iPhone.

 

To Fix JavaScript toFixed

The problem with the built in toFixed function in JavaScript, is that it always round the numbers. It’s like calling Math.round()
Call 9.513.toFixed() => 10
Call 9.226.toFixed(2) => 9.23
Why would you want that to auto round. If I wanted to round I would have round.

Not only that, the toFixed is not always rounding as expected.

Anyhow, here is how to do a toFixed accurately:

You can put it in the Number.prototype if you really want to, personally I rather put it in a untils object.

Changed My Blog Tagline

Ever since I opened my blog at March 2006 the tagline I’ve chosen was “Flash And Everything Else”. Even though Adobe Flash wasn’t always the main thing I was doing, it always had a warm spot at my heart and I always kept on updating with everything related to it.

Flash could have lived for another few good years but Adobe decided to kill it prematurely, oh well it still have some few valid uses I guess – have fun. I haven’t touched it for the past 3/4 year.

Like many Flashers the transition to other client side technologies is natural, especially since many of us used it before.

What I do right now is mainly mobile, web, and mobile-web, but using something like “HTML5 And Everything Else” doesn’t sound good. All other similar variations failed as well. I’ve chosen “Tech And Everything Else” so I guess I’ll have to be more general and write about tech in general. I have some things to say – stay tuned.

Lose when you’re better

Microsoft was always used to win with inferior products. Windows was inferior to the Mac OS for many years and yet it dominated the market. Internet Explorer, the infamous browser, was the best browser for a few seconds in history when it triumphed over Netscape when both were at version 4. We still feel the stagnation it created since than being the most inferior browser ever since.

Lately Microsoft started to create better products and yet instead of winning they fail. Silverlight is better than Flash & Flex and yet it lost to it not being able to gain any significant market share (Flash is better than HTML5 but lost to it as well, but that’s a different story).

What worries me a bit now is that the truly impressive Windows 7 mobile won’t be able to gain any significance market share. Not yet saying that it’s better than the iOS (iPhone) and/or Android, but it is an impressive OS that didn’t just copy the concepts of the other two. It’ll be interesting to see what will come out of it.

Phones

Adobe Flash – Brave Fold

In poker, a brave fold would be a case where you have a strong hand and you are already committed to the pot (you’ve already put in some substantial amount of money), even so, you sense that your opponent might have a stronger hand and you fold – losing your strong hand and the pot. Staying in the game would have required you to danger even more money, maybe too much.

Adobe was in similar situation, it has a very strong hand – Adobe Flash, and has already committed a lot of money on this loss leader. But staying in the game would have required them to put even much more money/resources on it. They would have to be fully committed, they would have to be “all-in”, borrowing from poker again. They could have end up winning the hand but if they will lose they can be out of the game completely.

We should have all known that the iOS will never run Flash. It’s almost like Steve Jobs last words were “exterminate the Flash” – similar to the hate Genghis Khan had for the Tatars when he ordered  “the extermination of the Tata Mongols

In retrospect, seems like wasting all that resources on porting Flash for the mobile was good only for Adobe and us in the Flash crowed to be able to give Steve and the other mongers the finger, telling them – see, Flash runs well on the mobile! It was supposed to be obvious that Flash will never rich similar ubiquity on the mobile as on the desktop. Than again, everything is easier in retrospect.

There are many reasons why Flash succeeded where 1,000 other plugins failed. And it’s also amazing how a relatively small corporate like Adobe managed to be in front of much bigger competitors, Microsoft with it’s buckets of money and Sun with it’s Java Java Proxy Proxy, to name only two.

I’m just sick of layman’s that are quoting laymen’s that are quoting a reporter that quotes another reporter that quote “someone who knows” that quote anther one that “really knows” – it’s like that game, what’s is name?! The other day I’ve heard from someone who should have known better that – “lake of multithreading killed Flash” – you’ve probably heard that BS before, yep it’s total BS. Add that to the many other miss-consumptions people make regarding this issue and it piles to a big pile of sh<bip>it. I wonder how many of these laymen’s knows the hassle of cross browser HTML development?!

So, congrats on the brave fold Adobe, with the right hand I solute you. On the other hand I’d say f*ck you big proprietary beast, how dare you stab so many people in the back.

Webcam ClickJacking Revived

Two weeks ago this guy managed to revive my 3 years old Webcam ClickJacking POC and also managed to revive some of the buzz surrounding it.

The revived attack is exactly the same as my 2008 POC it even uses lots of my code. The different is that instead of using the settings manager html page as the source of the iframe it’s now uses the setting manager swf directly. Actually, this was the first thing I’ve tried after Adobe frame bust the settings manager pages. It didn’t work well for my windows browsers so I’ve ditched it. One of the first comment on my Webcam Clickjacking post created the same thing and gave a link to it (it is now links to an AD). So obviously everyone knew it or at least thought about it – everyone except Adobe.

The Flash Player provide great power on the web, it’s still the only practical mean to interact with the user’s webcam and microphone. You know the cliché, with great power comes great responsibility. Adobe needs to be vigilant when it comes to her users security and privacy, and her users are practically everyone.

Obviously that every new version of the Flash Player should go through vigorous security testing. It’s also needs to be done with every new browser and OS version. That’s a huge matrix but it needs to be done. For example, browser change the way they embed plugins which can easily leads to flaws even if the Flash Player stays the same.

Back than Adobe knew about the ClickJacking beforehand coz they were informed by RSnake and Jeremiah Grossman. They didn’t knew specifically about my POC and the way it exploits the settings manager, but anyhow they should have at least frame-bust every related page. It’s insane that in all of these 3 years no one bothered to at least Flash-bust the settings manager SWF and prevent the resurrection of my POC.

BTW, good job Feross Aboukhadijeh, my name is Guy Aharonovsky – whois is easy…

Windows is still too easy to kill

Windows 7 that is, got no reason to believe it’ll change in Windows 8.

Yesterday I accidently/stupidly right-clicked on Computer and than went to –> Mange –> Storage –> Disk Management –> right clicked on my external HD and selected “Mark Partition as Active”. Realizing this is not what I was looking for, I wanted to undo it but couldn’t found where. I than had to go, and left my laptop running. When I went back I saw my computer has crushed, might be cause of WinDirStat was running in the background but that’s irrelevant.
Anyhow, I started my computer and got  this message:

BOOTMGR is missing
Press Ctrl+Alt+Del to restart.

Restarting won’t help obviously. Googleing this issue gives you tons of info that basically tells you the same two things – use the windows installation CD and if you don’t have it, like in many OEM machines, or you left it in the office, you can download this windows recovery CD from this obscure website and that will cost you 10 USD.

I think it’s very bad, to say the least,  that any common user can get himself in such trouble without the ability to easily revert it. Even though I knew it was probably cased by marking the external HD as active I can’t say I wasn’t slightly stressed – no boot record can easily mean HD failure.

This is how to fix it without the windows installation disc and without buying the recovery disc:

1. Go and download Hiren’s boot CD. This handy collection of software’s used to include pirated apps, but I believe that it is now legit (since version 10.1, current is 14.1) and only include freewares and sharewares.

2. (Optional step) boot into tiny-XP to see your HDs and files are intact – hopefully. (I wonder how they include this XP legally?)

3. There are many boot (MBR) fixing tools in Hiren’s boot CD, I’ve used the freeware MBRWizard
The command line I used was MBRWizard \disk=1 \part=1 \inactive. This set my external HD as inactive
It’s easy, once you run MBRWizard you get help on how to use it.

That’s it.

Come’on Microsoft, you ask the user all kind of redundant questions like “do you want to see the files of your C drive”  but then let him completely kill the functionality of his machine without the ability to easily revert it. ??!

Cool feature of HTML5

Not dealing much with HTML lately, I’ve only noticed this new feature now. The thing is that HTML5 let you change the page’s URL path without refreshing the page content. Like in this example from google 20thingsilearned.com – when you flip the book’s pages the url changes for easy bookmarking and SEO, but the content doesn’t flicker. If that not seems like much to you, than you don’t know what you’re talking about.

All that is needed to achieve the magic is this line of code:

window.history.pushState("", "title", "somePath/");

Try it:

    Click to change the page url

Amazing! There is no need for the ugly hash (#) anymore in order to achieve AJAX/Flash deep linking… oh wait… it doesn’t work in IE9 and FireFox 3.x :( (yet)

Thinking “I know all that browsers can do” this one got me wondering. I’m coming to realize that even though I still believe I generally know most of its capabilities, with HTML 5 there probably lots of things that browsers can do which I’m not yet familiar with. I swear I will skim through the spec when I’ll have the time, there must be many interesting security flaws in there… or is it?!.

More info here & here

New Away3D Flash Molehill Video

This is a never seen before example of the upcoming version of Away3D engine taking advantage of the new 3D API of the upcoming Flash Player – code named Molehill.

This example and more, were presented by Lee Brimelow today in the FlashIsrael event and he said he just got these a few hours ago from Away3D devs, so chances are you never seen it before.

There were other impressive examples with even much more polygons and such. I’m sure we’ll get to play with all of it in a few weeks when the labs version of Molehill will be available along with the new Away3D engine – – Great!

It was great to finally be able to meet Lee and all the others. After years of reading Lee’s blogs and seeing him in videos, he seems like a truly funny, smart and nice dude… ah yeah… and tolerant for annoying people with cameras Winking smile — Thanx