Comments on: I Survived BLACKHAT and DEFCON (Barely…)

By: blackhat

blackhat — Mon, 15 Oct 2007 02:01:12 +0000

lol ugh, i spilt my coffee during reading this, good post though

By: kuza55

kuza55 — Thu, 09 Aug 2007 03:08:10 +0000

@BK:
Heh, I think any time you mention “Flash” and “Security” in the same paragraph its a bad thing,

But that’s cool, /me looks forward to seeing the info,

By: Nate McFeters (McNasty)

Nate McFeters (McNasty) — Wed, 08 Aug 2007 15:58:10 +0000

I just got back to Houston… Vegas will kill a man, I swear to God. Every year I go there I worry more about not making it back.

By: BK

BK — Wed, 08 Aug 2007 14:26:54 +0000

@kuza55 – GREAT article about crossdomain.xml issues. This was probably one of the first papers I read about crossdomain issues in the flash player. I”m sure loadPolicyFile() is RIPE for all sorts of abuse. Any time you put the words “Security” and “Arbitrary” in the same paragraph (as it is in the Flash Player Security document), its usually a bad thing.

My issue is different, but I would highly recommend that article to anyone looking into the (in)security of the flash player!

By: rcarter

rcarter — Tue, 07 Aug 2007 14:35:30 +0000

it was great to see you man. had a blast on wednesday and thursday night. i’m looking forward to seeing the video of you and nate’s presentation. kick ass at hitb.

By: kuza55

kuza55 — Tue, 07 Aug 2007 11:08:11 +0000

Is the custom crossdomain.xml file issue you demoed by any chance similar to: http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html

If not, I eagerly await seeing the info,