I find it amazing that browsers do not block Flash from running by default. I've posted the Chrome help page[1] that shows how to block and selectively unblock plugins to my Facebook/Twitter, as I really don't want to return home for the holidays to have lots of repair requests.
I find Chrome and FF are much more often dead-crashed by a single line of JavaScript than tons of Flash. Firefox even re-crashes when you open it again in many cases, without letting you prevent reloading of the offending JavaScript.
If Firefox crashes when you restart it, the next time it starts it lets you choose which tabs to re-open. This solves the problem of something repeatedly crashing it.
I think you mean Intevydis; "Step Ahead" is the name of the product.
Immunity makes the framework all these exploit packs plug into and acts as the primary sales channel for them. They do a pretty good job of keeping the undesirables out, but, like any other desirable software product, copies do have a tendency to grow legs and follow employees home.
No, I meant the product line - you don't get this bug in their "pro" version, only "step ahead" - step ahead of the vendors presumably.
It seems hard to believe that private 0-days are legitimate pentesting apparatus - what are you testing in this case, whether your enterprise runs software that someone might find a bug in in the future?
As far as I understand it, CANVAS/Immunity is firmly in the offensive security market anyway; aren't they actively part of the scene that derides "killing bugs" aka reporting security bugs to software vendors (for any price)?
I'm sure this bug hasn't been reported to Adobe; all they'd be doing is closing their marketing window.
Google has a source license for Flash - they just get the fixes from Adobe before they've passed QA in all of their products. Google doesn't actually develop their own fixes in these cases - they just ship them faster.
I had a surprising number of random players installed too. e.g. Silverlight - requiring a critical update; amongst other plugins that I never even use any more.
Flashblock is not good at blocking Flash from a security standpoint. With it enabled, visit http://lcamtuf.coredump.cx/html5object/ and you'll probably see at least one Flash animation start.
Thanks for the link to that demonstration. Hadn't seen anything bypass Flashblock before. Switched to NoScript and confirmed that it actually blocks all of the test cases.
The thing I like about NoScript is that you can set it to block everything, even on trusted sites. You have to click the placeholder to make it load, or if there isn't a placeholder (web fonts, hidden Flash embeds) you have to look at the Blocked menu.
This was also the last straw for me. It's just not worth the risk anymore of the extra attack surface it exposes. I've uninstalled Flash from all my machines and disabled it in Chrome.
[1] http://support.google.com/chrome/bin/answer.py?hl=en-GB&...