Raw sockets, are still restricted by the same cross-domain
restrictions as exist in flash 7 & 8, so sites have to specifically
allow flash clients to connect (opt-in)
Well, obviously, a virus author would allow connections from other
domains, to allow his virus to spread. The cross-domain restrictions protect
the *server* from your flash, not the client.
direct access to sound buffer? how could there be any security
problems with this? flash already can play sounds, so the most direct
access would let you do, is create very strange sounds that maybe you
couldn't compress in mp3? maybe you could write some kind of nerual
virus, that when people hear it, in infects their brain?
No, direct access would let you write *any* kind of binary data to the
sound buffer, and when the sound buffer overflows, that data gets dumped
into a predictable place (in memory or to disk, depending on the OS, etc).
If they can find a way to execute that code they can install a virus on the
client, bypassing both the virus scanner and the firewall. It's old school,
I know, but it is still being used by viruses all the time. Add into the
equation file system access and you've got a whole list of ways to
compromise the client with an innocent-looking Flash x-mas card.
ryanm
_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
