[Laszlo-dev] Adobe - Security Advisories : APSB08-11: Flash Player update available to address security vulnerabilities

[P T Withington]

[Looks like we had better test that OL works in the new player.  In  
particular, looks like data and browser integration could be affected.]

This update introduces a new, more conservative method for Flash  
Player to interpret cross-domain policy files. These changes could  
help prevent privilege escalation attacks against web servers hosting  
Flash content and cross-domain policy files. For more information, see  
the following Adobe Developer Center article. (CVE-2007-6243)

This update adds a new security feature to perform a cross-domain  
policy file check before allowing SWFs to send HTTP headers to another  
domain. This change helps improve web site security by helping to  
defend against malicious HTTP headers sent by content from other  
domains. For more information, see the following TechNote.  
(CVE-2008-1654)

With this update, the allowScriptAccess default, which is used when  
the parameter is not specified, will be updated from "always" to  
"sameDomain" for all SWFs version 7 and earlier. This changes the  
behavior of older SWFs to match the current security model and provide  
greater security by default. In addition, to help prevent script  
execution actions in SWFs that were not intended by the content  
author, APIs that are not specifically designed for browser  
interaction will no longer allow "javascript:" URLs. The getURL() and  
navigateToURL() APIs, which are intended for browser interaction, will  
continue to accept “javascript:” URLs. These changes are meant to  
mitigate issues originally described in Security Advisory APSA07-06.  
(CVE-2007-6637)

Due to the possibility that these security enhancements and changes  
may impact existing Flash content, customers are advised to review  
this March 2008 Adobe Developer Center article to determine if the  
changes will affect their content, and to begin implementing necessary  
changes immediately to help ensure a seamless transition.

Customers for whom the following situations apply should read the  
article in detail:

– Use of sockets or XMLSockets, regardless of the domain to which the  
SWF is connecting.
– Use of addRequestHeader or URLRequest.requestHeaders in any network  
API call when sending or loading data cross-domain OR Provides access  
to content on remote domains as a web service provider.
– Use of SWFs that are exported for Flash Player 7 (SWF7) or below  
that communicate with the hosting HTML by any means.
– Use of “javascript:” through network APIs to communicate outside a  
SWF.

[Adobe - Security Advisories : APSB08-11: Flash Player update  
available to address security vulnerabilities](http://www.adobe.com/support/security/bulletins/apsb08-11.html 
)