From: Yuri
Date: Mon, 12 Mar 2012 20:35:52 -0700
To: freebsd-emulation@FreeBSD.org
Subject: flashplugin11 goes around the proxy: is this considered a significant security vulnerability?

I have set up a proxy server on FreeBSD, set it in the Chrome browser on Ubuntu, and went to a complex Flash site playing video. In the middle of the run, when the HTML had loaded but Flash hadn't yet started to play, I killed the proxy. I expected that the Flash video would fail. But after a while it still plays video from the internet. Obviously, Flash 11.1.102.63 ignores the proxy settings and connects directly.
Even though a ZDNet article http://www.zdnet.com/blog/security/adobe-plugs-dangerous-flash-player-security-holes/5104 claimed that this security vulnerability had been fixed in Flash 10 in late 2009. FreeBSD uses a very close Flash 11 binary (11.1r102.62). So it must suffer from the same vulnerability.

Yuri
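Added example, not part of the original message: killing the proxy mid-session is an indirect test, so this Python example checks the socket table instead, parsing `ss -tnp` output on the Linux client and listing established connections from the browser's processes that end anywhere other than the proxy or loopback. The sample output, the addresses, the proxy endpoint `192.168.1.10:3128` and the assumption that the plugin runs in a process named `chrome` are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -tnp` output (not captured from a real host).
# Assumed setup: proxy at 192.168.1.10:3128, browser host at 192.168.1.20.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.20:51234 192.168.1.10:3128 users:(("chrome",pid=2211,fd=45))
ESTAB 0 0 192.168.1.20:51240 203.0.113.7:1935 users:(("chrome",pid=2250,fd=12))
ESTAB 0 0 127.0.0.1:40112 127.0.0.1:9222 users:(("chrome",pid=2211,fd=51))
ESTAB 0 0 192.168.1.20:51302 198.51.100.9:443 users:(("sshd",pid=901,fd=3))
ESTAB 0 0 [2001:db8::20]:51400 [2001:db8::99]:80 users:(("chrome",pid=2250,fd=14))
"""

# First process name and pid in the ss "users:" column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def direct_connections(ss_text, proxy, process_names):
    """Return established connections from the named processes that do not
    terminate at the proxy or on loopback, i.e. traffic bypassing the proxy."""
    proxy_ip, proxy_port = split_endpoint(proxy)
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue  # header line, other TCP states, or no process info
        match = PROC_RE.search(fields[5])
        if not match or match.group(1) not in process_names:
            continue
        peer_ip, peer_port = split_endpoint(fields[4])
        if peer_ip.is_loopback or (peer_ip, peer_port) == (proxy_ip, proxy_port):
            continue
        findings.append((match.group(1), int(match.group(2)), str(peer_ip), peer_port))
    return findings


if __name__ == "__main__":
    for name, pid, ip, port in direct_connections(SAMPLE_SS, "192.168.1.10:3128", {"chrome"}):
        print(f"{name} pid={pid} connects directly to {ip}:{port}")
```

On a live client, feed the function the output of `ss -tnp` captured while the video is playing and the proxy is still running; any row it returns is a connection that did not go through the configured proxy.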