[LINK] Re: executable content vs plain data

Craig Sanders cas at taz.net.au
Sun Jan 20 13:36:05 AEDT 2008 

On Sun, Jan 20, 2008 at 12:50:48PM +1100, Rick Welykochy wrote:
> Craig Sanders wrote:
>
>> flash videos are executable programs.   they could do anything.
>
> Flash videos are in the same class as JPEG images: just data.
>
> The Flash plugin to play Flash videos is an executable. If you do not
> trust it, then you can block flash.

no, flash videos are NOT just data.  they are data plus program code
which is executed by the flash plugin.

unless you take special steps to download and view later, you run that
code when you view the video. that code could do anything that the
author wants - hopefully subject to the sandbox environment of the flash
plugin or not if the video author exploits loopholes and bugs in the
flash player.

it's a risk.  and, as is demonstrated by the fact that it is even
possible to download and view flash videos later with your own player
program, it's a completely unnecessary risk.  plain data without
executable code would work just as well.


>> i don't want to run random programs provided by complete strangers
>> on some web site. so, i don't. if they have content that i want to
>> view then i find some way to get at that content without having to run
>> it...and if i can't do that, then i just give up. it's not worth the
>> hassle and it's not worth the risk.
>
> A secure browser *never* downloads and executes programs without the
> user first enabling the download and installation. This is how the
> plug-in installation process works.

1. not true in the case of active x and anything else MS wants to
include by default in IE.

2. in the case of flash and other plugins that do have to be installed
by the user[1], once the user has downloaded and installed the plugin
to view one thing, they're now at risk for EVERY web page they visit
afterwards.

[1] which is not even difficult. visit any page that has such content
embedded and your browser will pester you to install the plugin. and
it will do so every time you visit such a page, until you click on the
button to install it. some people install it just so that they never
have to be annoyed by the request again.

it's been a while since i saw it (since i run FF with noscript and
adblock) but i don't think even firefox has a "no, and don't ask me
again" button for that.


> Can you give me an example of a web site that provides a *program*
> to be run by the browser?

youtube.  flash videos are programs.  they might be 99% video data plus
a program, but they're still a program.  it's the 1% executable content
that is the problem.

and many others, including sites hostings things as simple as PDF files.
e.g. Adobe's acrobat PDF viewer is more than just a postscript viewer
(and postscript is executable code in and of itself).





> Flash video is not a video wrapped up as an executable.

yes, it is.

>>> I do not agree that sites like YouTube and the like are dangerously
>>> risky. All I can conclude is that surfing the web with an insecure
>>
>> i didn't say that youtube was dangerously risky. i said that the habit
>> of running random executable programs from web sites was dangerously
>> risky. youtube is one of several sites that encourage such risky
>> behaviour.
>
> Once again, give me but one example of a site that requests you download
> and execute an executable file. That is, a file that is executable code,
> not content.

you are missing the point entirely. the distinction is being deliberatly
blurred, with code + data being lumped together in one file. that is the
danger i am talking about.

the issue is the same whether that is done for some bogus notion of
"user convenience" or because the publisher wants to exert control
over the end user (such as DRM or something even more malevolent) and
con them into running their unvetted, unknown program.

>> non-techs could just listen to the advice from people who are
>> technically literate.
>
> Experience shows that most people simply do not listen. This alludes
> to the concept of the "Internet Dirver's Licence" which many geeks
> lament.

right, so that's a reason for those of us who do understand the issues
to sit smugly on our arses and not even bother attempting to inform
people?


>> i really don't see any difference.  executable content is executable
>> content.
>
> I see quite a difference between content played via a plug-in and the
> plug-in itself. The former is just data and the latter is an executable.
>
> If you have the Adobe PDF Viewer installed as a plug-in, that is an
> executable you presumably agreed to have installed in your browser.
>
> When you download a PDF and view it in using the plug-in, in my dictionary
> you are downloading data and viewing it with a plug-in. My dictionary
> does not call this downloading executable content, since you cannot "run"
> a PDF file.

of course you can run a PDF file.  PDFs are executable (especially with
the extensions in acrobat over the last several years as adobe futilely
attempted to make itself a substitute for the web), and postscript
itself is a programming language.

what you seem to be missing is that both the plugin (flash or acrobat or
whatever) *AND* the content files are executable.  it's not a simple
matter of an executable plugin playing non-executable data content,
it's an executable plugin providing an execution environment and a
virtual-machine and/or interpreter to run the content program.

this is completely different from an mpeg (or divx or avi or ogg etc)
player simply playing the data in a file.




> I think we are quibbling over definitions. To disambiguate: please tell me
> how to "run" a PDF file or a Flash video on my computer. My definition of
> "run" or "execute" precludes running a PDF. 

what you are saying is that a perl (or python or basic or sh or
javascript etc etc etc) program is not a program because it requires a
separate interpreter to run.






> There is no OS program loader for a PDF and there is no executable
> (binary or bytecode) in the PDF. 

once you have the PDF viewer installed, there is.  have you never heard
of file associations in windows?  install acrobat and you will be able
to simply double-click on a PDF file in order to execute it.  

install the PDF browser plugin, and you get to run PDF + postscript
programs just by visiting a web page.


> Same can be said for a Flash video. 

same for flash as for PDF, except you don't even have to initiate the
execution yourself (e.g. by double clicking), all you have to do is
visit a web page which has a flash program embedded in it....it can even
run without your knowledge if output is supressed or hidden.


> For the latter, one can execute VLC and it will load and play the
> video. But you cannot "run" a video in any sense, just as you cannot
> "run" a JPEG or Word doc. (Although the latter makes me shiver since
> it can contain embedded VB script.)

1. jpegs are just plain data, and thus OK.

2. yes, word/office documents can contain executable code, BUT microsoft
isn't the only culprit. they are not the source of all evil. they are
just one amongst many.


craig

-- 
craig sanders <cas at taz.net.au>

"The Lord is not my shepherd
 As I am not a sheep"
       [Peter Canning]

More information about the Link mailing list