Slashdot just linked to a Foreground Security article that describes an Adobe Flash attack from any domain that allows file uploads, and browsing of said content.
No patch from Adobe currently exists, and according to them:
"Unfortunately, there is no easy solution. This issue is very difficult to solve without also breaking existing, legitimate content elsewhere on the web."
Don't expect a fix from Adobe anytime soon.
Most frightening is the fact that the majority of Internet users have Adobe Flash installed and enabled -- which means all these users are vulnerable to this attack.
Ironically, the Foreground Security article includes a Flash tutorial video. Phishing, anyone?
About the only mitigation is to disable Flash:
If you use Opera, press [F12], uncheck "Enable plug-ins" -- until you actually need them.
If you use Firefox, download and install the FlashBlock and NoScript extensions.
Internet Explorer users should explore using Toggle Flash.
The ASUS Product Comparison page seems to contain JavaScript code written specifically for MSIE or FF (untested). In any event, the page does not work correctly in Opera, mostly due to their calls to new ActiveXObject.
Below, I've taken the liberty of correcting their processRequest and add JavaScript functions found in this external load_data.js script.
// Run only on asus.com and its subdomains. The (^|\.) boundary keeps the
// script off unrelated hosts whose names merely end in "asus.com".
if (document.domain.match(/(^|\.)asus\.com$/)) {
  // Replacement for the page's processRequest(): parse the XML response
  // with DOMParser instead of ActiveXObject.
  window.opera.defineMagicFunction("processRequest",
    function(a, b, c) {
      if (http_request.readyState != 4) return;
      if (http_request.status != 200) return;
      var dpl1=document.getElementById("dpl_l1");
      var dpl2=document.getElementById("dpl_l2");
      var dpl3=document.getElementById("dpl_l3");
      var dpl4=document.getElementById("dpl_l4");
      var lbl=document.getElementById("lbl_model");
      var parser = new DOMParser();
      var xmldoc = parser.parseFromString(http_request.responseText,"text/xml");
      var dataArray = xmldoc.getElementsByTagName('Table1');
      var dataArrayLen = dataArray.length;
      for (var i=0; i<dataArrayLen; i++)
      {
        var get_id=dataArray[i].getElementsByTagName("id_name")[0].text;
        var get_value=dataArray[i].getElementsByTagName("id_value")[0].text;
        var opt = new Option(get_value, get_id, 0, 0);
        if (l1!=0&&list_model==2) //load level 2
        {
          dpl2.disabled=false;
          dpl2.add(opt);
        }
        else if(l2!=0&&list_model==3) //load level 3
        {
          dpl3.disabled=false;
          dpl3.add(opt);
        }
        else if(l3!=0&&list_model==4) //load level 4
        {
          dpl4.disabled=false;
          dpl4.add(opt);
        }
        else if (list_model==5)
        {
          dpl3.disabled=(dpl3.length==1);
          lbl.add(opt);
        }
      }
    }, 0);
  // Replacement for the page's add(): copy the selected models into the
  // comparison list, skipping any that are already there.
  window.opera.defineMagicFunction("add",
    function(a, b, c) {
      var lbl=document.getElementById("lbl_model");
      var lbl_select=document.getElementById("lbl_model_select");
      for(var i=0;i<lbl.options.length;i++)
      {
        if (!lbl.options[i].selected) continue;
        for(var j=0;j<lbl_select.options.length;j++)
          if (lbl.options[i].value==lbl_select.options[j].value)
            return;
        lbl_select.add(new Option(lbl.options[i].text, lbl.options[i].value));
      }
    }, 0);
}
For those of you who might use this ASUS product comparison page, enjoy.
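The scripts on this page decide where to run by testing document.domain against a regular expression. As an added example (not code from the original post), the following compares a pattern anchored only at the end, such as /(uk\.)?asus\.com$/, with a matcher that also requires a label boundary on the left; the function names and sample hostnames are constructed for illustration.

```javascript
// Added example: host gating for a site-specific user script.
// All hostnames below are constructed test inputs.

// End-anchored only: accepts any hostname that ENDS with "asus.com".
const UNANCHORED = /(uk\.)?asus\.com$/;

// Escape regex metacharacters so the domain is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a matcher that accepts the domain itself and any subdomain of it,
// but nothing that merely shares its trailing characters.
function hostMatcher(domain) {
  const re = new RegExp("(^|\\.)" + escapeRegExp(domain.toLowerCase()) + "$");
  return function (host) {
    if (typeof host !== "string" || host === "") return false;
    // Normalise case and a trailing root dot ("asus.com.").
    const h = host.toLowerCase().replace(/\.$/, "");
    return re.test(h);
  };
}

// Run both checks over a list of hostnames and collect the verdicts.
function compare(hosts, domain) {
  const strict = hostMatcher(domain);
  return hosts.map(function (h) {
    return { host: h, unanchored: UNANCHORED.test(h), strict: strict(h) };
  });
}

const SAMPLE_HOSTS = [
  "asus.com", "uk.asus.com", "www.asus.com",
  "notasus.com",           // different registered domain, same ending
  "asus.com.example.net",  // target name used as a leading label
  "ASUS.COM."              // upper case with a trailing root dot
];

const results = compare(SAMPLE_HOSTS, "asus.com");
results.forEach(function (r) {
  console.log(r.host, "unanchored:", r.unanchored, "strict:", r.strict);
});
```

The two checks disagree on "notasus.com", which the end-anchored pattern accepts, and on "ASUS.COM.", which it rejects only because it does not normalise case or the trailing dot.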
Reloading the example page above shows the high CPU is now gone -- and virtually no page functionality has been lost by blocking this external JavaScript.
Ever wish Opera's mouse cursor behaved like Firefox's or MSIE's in web pages? You know, when you hover over text in a web page, the cursor actually changes to a meaningful text caret, rather than remaining a stupid old default NW mouse cursor.
Usability experts say that text carets (vertical mouse cursor) should be used as a visual feedback mechanism when underlying text can be selected. Plus, text carets do not obscure underlying text, like the default NW mouse cursor does. Personally, this is just one Opera pet peeve solved with User JavaScript.
So, with my latest UserJS script (shown below), now you too can have this 'smart' mouse cursor feature in Opera!
Keep in mind, this script is currently non-optimized for extremely large pages, or pages with poorly written HTML markup and/or scripts. Regardless, it does seem to work pretty well on most sites.
If you're a regular reader of this blog, then you realize how much I despise Yahoo! web developers. Their latest trick is to steal ALL keyboard input using a setTimeout event poller, then place the keystrokes into their stupid global search edit box at the top of the page. Nice going losers.
Anyhow, if you use Yahoo! Sports, and use ANY keyboard commands in Opera, then I highly recommend downloading this script.
Mason C reported in the opera.general newsgroup on Jan 30, 2007 that TitanTV.com schedules could not be printed in Opera. After reviewing his claim, I confirmed it and wrote this UserJS script to work around the problem:
if (document.domain.match(/^(www\.)?titantv\.com$/)) {
  document.addEventListener("load",
    function(e) {
      // Find the image button labelled "Print" and rewire its click handler.
      var inps = document.getElementsByTagName("input");
      for (var i = 0, o; o = inps[i]; i++) {
        if (o.type != "image") continue;
        if (o.getAttribute("alternate") != "Print") continue;
        // Use a function handler: assigning a string to the onclick
        // property is not portable.
        o.onclick = function() {
          window.open(document.forms.Form1.__PrintUrl.value,'','');
        };
        break;
      }
    }, 0);
}
NOTE: Once the script is installed, reload the page, then click the blue [Print] button that appears on the upper-right corner of their TV schedule pages. Clicking [Print] will open a new pop-up window with a printer-friendly version of the page -- so be sure your Opera pop-up blocker is not set to "Block All". And as always with UserJS scripts, be sure JavaScript is enabled, and that you place the .js file in the correct UserJS folder.
For those of you who use TitanTV.com (very nice, btw, compared to TVGuide.com), and prefer to print out hard copies of their TV schedules...enjoy.
For whatever reason, Opera disallows calling the DoStop(), DoPlay(), etc methods of the RealPlayer plug-in on nfl.com -- perhaps for security reasons, since the script which injects the
Yes, Yahoo! stinks when it comes to web coding. Simply right-click any of their pages in Opera, select "Validate", and then watch the markup errors pile up.
Anyhow, this latest script fixes their NFL and NCAA football play by play display in Opera.
I've updated my initial NetFlix UserJS script to version 2.0. This new version includes a fix for their shrinking form buttons. You can view or download the new version from here, or simply copy-and-paste the relevant code fix for the shrinking buttons here:
if (document &&
    document.domain &&
    document.domain.match(/^(www\.)?netflix\.com$/)) {
  document.addEventListener("load",
    function(e) {
      var inps = document.getElementsByTagName("INPUT");
      for (var n = 0, i; i = inps[ n ]; n++) {
        if (!i.onmouseover && !i.onmouseout) continue;
        var cn = i.className;
        if ((cn != "bsub_primary") &&
            (cn != "bsub_secondary")) continue;
        i.className = "";
        i.style.width = "auto";
        i.className = cn;
      }
    }, false);
}
document.addEventListener("load",
  function(e) {
    if (!document.body) document.body = document.getElementsByTagName("body")[0];
    if (!document.body) return;
    if (!document.links) return;
    for (var i = 0; i < document.links.length; i++) {
      var href = document.links[ i ].getAttribute("href");
      if (!href) continue;
      if (!href.match(/\.pdf$/) &&
          !href.match(/\.doc$/) &&
          !href.match(/\.xls$/))
        continue;
      if (!document.blankIframeHandler) {
        document.blankIframeHandler = document.createElement("iframe");
        with (document.blankIframeHandler) {
          setAttribute("src", "about:blank");
          setAttribute("id", "blankIframeHandler");
          setAttribute("name", "blankIframeHandler");
          setAttribute("style", "display:none;visibility:hidden;");
        }
        document.body.appendChild(document.blankIframeHandler);
      }
      document.links[ i ].setAttribute("target", "blankIframeHandler");
    }
  }, false);
This User JavaScript creates a hidden inline frame (iframe element) on the current page, then targets all .pdf, .doc, and .xls links to open inside that hidden inline frame.
This technique seems fairly effective at opening file types with associated programs in Opera, such as .pdf files for Adobe Reader.