Reminder: Flash Player Security Update in April – Prepare Your SWF

We're going to be pushing out a security update to the Flash Player next month that will probably impact a lot of you, so we're trying to make sure you have as much information as possible and you don't get a lot of users asking why your applications no longer work. Emmy and Justin both blogged about it, and we've got a Flash Player Developer Center article up about the changes and how you can update your applications.

If your SWF does any of the following (which I'm sure many do), you'll want to read that Developer Center article very carefully:

  • Uses sockets or XMLSockets
  • Sends custom HTTP headers to a remote domain (this change may also impact web service providers that wish to provide access to content on remote domains)
  • Does not define a setting for allowScriptAccess for SWF7 and earlier content
  • Uses “javascript:” within a networking API

With this release we're looking to address some of the issues our security team found and listed in the December 2007 Security Bulletin ABSP07-20 for DNS rebinding and cross-domain policy file vulnerabilities, and in Security Advisory APSA07-06 for cross-site scripting vulnerabilities in SWFs. We want to continue to make the Flash Player a secure way to deploy content, and while I know it's going to cause a few short-term headaches, it's important in the long run. If you have any questions (or thoughts/suggestions for people), drop me a note or leave a comment below.
