On 20 Feb 2012, at 15:30, Haykel BEN JEMIA wrote:

>> Although: I suspect with effort, it is possible for a suitably skilled
>> man-in-the-middle attacker to intercept the loader SWF and replace the
>> byte-code storing the MD5 values with their own and still inject badLibrary.
>
> What about storing the data as embedded octet-streams instead of strings?

I am not sure that changes very much. If the validation bytes, whether stored as a string, octet or otherwise, are a static sequence of bytes, established when the official library is compiled, then I think our notional attackers could match the pattern and substitute their own.