April Flash Player Security Update
Writing about web page http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html
This is just a heads-up for myself really – there’s a Flash Security Update coming in April, and one of the changes might affect any uploading functionality we intend to use because we’ll need a policy file to POST and GET with additional headers:
The April 2008 Flash Player update adds a new security feature to perform a cross-domain policy file check before allowing SWFs to send headers to another domain. This change helps improve web site security by helping to defend against malicious HTTP headers sent by content from other domains. The feature will also help to mitigate a potential UPnP issue (VU#347812) in which routers fail to correctly handle unexpected header values. In order for a SWF to send a header anywhere other than its own host, the origin domain of the SWF must have explicit permission from the host to which the header is being sent, in the form of a policy file. The existing policy file model will apply, with the same file locations and ActionScript APIs, but a new syntax will be required. To specify header-sending rights, use this new tag:
<allow-http-request-headers-from>
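To make the distinction in the quoted text concrete (loading data from another host versus adding your own HTTP headers to that request), here is a small Python model of the post-update check. It is an added example, not code from the original post or from Adobe: the policy file, domain names and header names are constructed, and the matching rules for wildcard domains and header lists are a simplified reading of the policy-file model, not Flash Player's own implementation. The `domain` and `headers` attributes on the new tag follow Adobe's policy-file syntax, which the post itself does not reproduce.

```python
"""Toy evaluator for the cross-domain header rule described in the post.

Constructed example. It models the idea of the April 2008 check: a SWF
served from ORIGIN may only attach HTTP headers to a request sent to HOST
if HOST's crossdomain.xml grants that origin header rights via the new
<allow-http-request-headers-from> tag. The matching rules below are an
assumption for illustration, not Flash Player's actual code.
"""
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed policy file, as a host might publish it at /crossdomain.xml.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <!-- Old-style grants: these origins may load data from this host... -->
  <allow-access-from domain="*.example.org"/>
  <allow-access-from domain="legacy.example.net"/>
  <!-- ...but header rights need the new tag; list only the headers you expect. -->
  <allow-http-request-headers-from domain="*.example.org"
                                   headers="X-Requested-With,Accept-Language"/>
</cross-domain-policy>
"""


def _domain_matches(pattern, origin):
    """Assumed wildcard semantics: '*' matches anything, '*.x' matches x and
    any subdomain of x, anything else must match exactly (case-insensitive)."""
    pattern, origin = pattern.lower(), origin.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return origin == pattern[2:] or origin.endswith(pattern[1:])
    return origin == pattern


def _header_matches(headers_attr, header_name):
    """headers= is a comma-separated list; '*' or shell-style wildcards allowed
    (assumed semantics)."""
    allowed = [h.strip().lower() for h in headers_attr.split(",") if h.strip()]
    return any(fnmatch(header_name.lower(), pat) for pat in allowed)


def parse_policy(xml_text):
    """Return (access_domains, header_rules) from a crossdomain.xml body."""
    root = ET.fromstring(xml_text)
    access = [e.get("domain", "") for e in root.findall("allow-access-from")]
    header_rules = [
        (e.get("domain", ""), e.get("headers", ""))
        for e in root.findall("allow-http-request-headers-from")
    ]
    return access, header_rules


def may_load(policy, origin):
    """Pre- and post-update: plain GET/POST of content needs allow-access-from."""
    access, _ = policy
    return any(_domain_matches(p, origin) for p in access)


def may_send_header(policy, origin, header_name):
    """Post-update: an extra header needs an allow-http-request-headers-from
    entry whose domain matches the origin AND whose list names the header.
    An allow-access-from grant alone does not confer header rights."""
    _, rules = policy
    return any(
        _domain_matches(d, origin) and _header_matches(h, header_name)
        for d, h in rules
    )


def check_request(policy, origin, headers):
    """Return the headers the policy would refuse for this origin."""
    return [h for h in headers if not may_send_header(policy, origin, h)]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for origin in ("cdn.example.org", "legacy.example.net", "other.example.com"):
        blocked = check_request(policy, origin, ["Accept-Language", "X-Custom"])
        print(f"{origin}: may load={may_load(policy, origin)}, blocked headers={blocked}")
```

Running the block shows the case the comments argue about: `legacy.example.net` can still fetch content (it has an `allow-access-from` grant) but cannot add any header, while `cdn.example.org` can add only the two headers the host explicitly listed.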
6 comments by 3 or more people
Mathew Mannion
I don’t really see the point of this. It’s not like it’s remotely difficult to send arbitrary headers to domains without using Flash.
11 Mar 2008, 10:37
Mathew Mannion
Also, will this stop you using content from other domains (such as from static repositories)?
11 Mar 2008, 10:38
Steven Carpenter
Yeah – this is a direct response to some general security-related attacks that occurred via Flash adverts a while ago, so I think while it’s possible to send headers by other means Adobe just wants to lock down the Flash Player to avoid further problems.
It will affect getting data from other domains directly, but it looks like it’s just a minor change to the existing crossdomain.xml policy files we have in place.
11 Mar 2008, 10:52
Mathew Mannion
Surely this will cause massive problems with things such as MP3 players though, because it’s going to break so many existing applications. Why should I need to put a crossdomain.xml file on some remote server to read a file by GET, when I could just browse to the file and get it anyway? It doesn’t make any sense!
11 Mar 2008, 11:18
Steven Carpenter
I should clarify – I should’ve said ‘POST/GET with additional headers’, because you only require the cross-domain policy if you are trying to append the basic GET or POST request with other header data. I’ve changed the entry so this is clearer. The MP3 example shouldn’t be affected at all unless it’s trying to request stuff via additional headers as well :-)
11 Mar 2008, 12:01
Nick Howes
It is easy to attack a machine with arbitrary headers from your computer. But being able to send a massive distributed attack from every computer that simply visits your site is something entirely different.
12 Mar 2008, 11:44