Developers beware! Upcoming Flash Security Update (April 2008)

Yesterday Adobe announced a security update for Flash Player 9, so it's time to go back to your sources and check. As you might have noticed, I wasn't the biggest fan of the tighter security in the FP 9.0.115 update; it broke the RTMP streaming hack, breaking the ability to get BitmapData from FLV streams. The word "hack" indicates the official status of that method, so Adobe wasn't really to blame here. So much for the 115 update... but, as it turns out, that was just half of the story.
The upcoming April 2008 Security Update release will tighten security a bit more, and you need to check whether it will break your running instances. Here's what you should beware of:
You use sockets or XMLSockets, regardless of the domain to which you are connecting
What's been changed? Quote:
"This security update will make the optional socket policy file changes introduced in Flash Player 9,0,115,0 mandatory."
OK, so everyone who's using sockets... really, really needs to check.
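For anyone running the server end of such a socket, here is a minimal sketch of a socket policy responder plus a check for over-broad rules. It is an added example, not code from this post or from Adobe; the host name `chat.example.com`, port 5222 and all function names are constructed for illustration.

```python
import socketserver
import xml.etree.ElementTree as ET

# The request Flash Player sends on connect: this exact string plus a NUL byte.
POLICY_REQUEST = b"<policy-file-request/>\x00"

def build_policy(rules):
    """Build a NUL-terminated socket policy from (domain, to_ports) pairs."""
    root = ET.Element("cross-domain-policy")
    for domain, ports in rules:
        ET.SubElement(root, "allow-access-from",
                      {"domain": domain, "to-ports": ports})
    return ET.tostring(root) + b"\x00"

def audit_policy(policy):
    """List rules that open the socket wider than named hosts and ports."""
    findings = []
    root = ET.fromstring(policy.rstrip(b"\x00"))
    for rule in root.iter("allow-access-from"):
        domain, ports = rule.get("domain", ""), rule.get("to-ports", "")
        if domain == "*":
            findings.append(f"any domain may reach ports {ports}")
        elif domain.startswith("*."):
            findings.append(f"every subdomain of {domain[2:]} may reach ports {ports}")
        if ports == "*":
            findings.append(f"{domain} may reach every port")
    return findings

def respond(first_bytes, policy):
    """Answer only an exact policy request; anything else gets no data."""
    return policy if first_bytes == POLICY_REQUEST else b""

# Constructed sample rules: one chat front end, one port.
POLICY = build_policy([("chat.example.com", "5222")])

class PolicyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)
        try:
            data = self.request.recv(len(POLICY_REQUEST))
        except OSError:  # timeout or reset: drop the connection silently
            return
        self.request.sendall(respond(data, POLICY))

def serve(host="0.0.0.0", port=843):
    """Port 843 is where Flash Player looks for the master socket policy."""
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()

if __name__ == "__main__":
    serve()
```

Run `audit_policy` over any policy you already serve before the update lands; an empty list means every rule names a specific host and port list.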
You use addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain or You provide access to content on remote domains as a web service provider.
OK, that's a lot of us too.
Apparently, it currently is possible to send malicious headers to vulnerable domains... I'd say it would be up to the receiving end to fix their security... but OK.
OK, that's quite a few SWFs that I made in the far past... I'm not sure if I even still have the full code to all of them... might be an issue for some of us, actually. Quote:
"The change in default behavior may impact content that uses fscommand() and/or getURL("javascript:...") ......"
This indicates that the default setting for AllowDomain has changed and that fscommand and JavaScript call security is tightened. The new default setting for AllowDomain is "SameDomain".
You use "javascript:" through network APIs to communicate outside a SWF
A nice little quote again:
"If your content is using "javascript:" within the prohibited networking APIs, you will need to rewrite your content. Developers are encouraged to use the ExternalInterface class for JavaScript-to-ActionScript communication."
So, getURL and navigateToURL will still be working, but if you were using, for instance, Loader.load(), you need to rewrite your code. Yes... that's right... rewrite. Now, you should've been using ExternalInterface, but this is hardly encouraging; it's called being forced. No problem for me, but if you actually did this somewhere, clear out some time to rewrite that portion of script.
The update is coming, so make sure you update your code. I'm pretty sure that John Dowdell, Emmy Huang and Justin Everett-Church are good indicators to listen to when they are telling you to go and check this. I wonder if this is the reason why Emmy Huang is going on a long vacation...
(Enjoy your vacation, Emmy.)
In any case, it's good to see Adobe so concerned with the security risks implied with maintaining the number one web browser plugin. But, on a side note, with for instance the content security (not being able to load imagery from other domains without the policy files), I'm still not decided on how I feel about that. If it's possible from within other runtime VMs like Java and JavaScript, why not in Flash?
Also, I'm still hoping Adobe will consider activating the keyboard when in fullscreen; this would really be great for gaming and advanced RIA interactivity (shortcuts and such).
Also, what will be the version number for this update? I take it it won't be 115, right?

3 Comments, Comment or Ping
randygland
I agree with you… please Adobe, please let us use keys on fullscreen Flash apps!
Mar 18th, 2008
adamryan
Anyone figured out a way around the update yet? I hate not being able to snag my SouthParkStudios anymore. =\
Mar 21st, 2009