Check your SWF for vulnerabilities

Yesterday, HP’s Web Security Research Group released HP SWFScan, a free security tool that helps developers find security vulnerabilities in applications developed with the Flash Platform.

When HP was developing this application, they tested about 4,000 SWF files and found the following issues to be the most alarming:

  • 16% of SWF applications targeting Flash Player 8 and earlier have XSS vulnerabilities
  • 77% of SWF applications targeting Flash Player 9 and 10 contain developer debugging information and source code file references
  • 35% of all SWF applications violate Adobe’s security best practices

HP’s SWFScan will help you identify these vulnerabilities before your application goes live. SWFScan will analyze any SWF file regardless of the Flash Player version for which it was targeted or version of ActionScript with which it was authored.

The Devnet article about this solution has more information and a link to the free download.

Heads up: Prepare for the Flash Player 9 security update

Adobe is preparing a security update for Flash Player 9 that will be released next month (April 2008). It fixes previously disclosed vulnerabilities (see Security Bulletin APSB07-20 and Security Advisory APSA07-06) and further tightens the Flash Player security model.

These are the main things you have to watch out for:

  • A socket policy file will always be required for all socket connections
    Important when you use sockets or XMLSockets, regardless of the domain to which you are connecting
  • A policy file will be required to send headers across domains
    Important when you use addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain, or when you provide access to content on remote domains as a web service provider. This applies to all methods of loading data, including solutions like AMF-PHP (see Wade Arnold’s blog for an example crossdomain policy file for AMF-PHP)
  • The allowScriptAccess default will always be “sameDomain”
    Important when you have SWFs that are exported for Flash Player 7 (SWF7) or earlier that communicate with the hosting HTML by any means; for those SWFs the default used to be “always”, so scripting of the host page from an SWF served from another domain will stop working unless the embedding page sets allowScriptAccess explicitly
  • “javascript:” URLs will be prohibited in networking APIs, except getURL(), navigateToURL(), and HTML-enabled text fields
    Important when you use “javascript:” through network APIs to communicate outside a SWF
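As an added example (not Adobe's, HP's, or this blog's code), the script below produces the two policy files the first two bullets require and answers Flash Player's socket-policy handshake on port 843: the player connects, sends the NUL-terminated string `<policy-file-request/>`, and expects the policy XML followed by a NUL byte. The domain names, port range and header names are placeholders, and the loopback demo in `__main__` binds an ephemeral port instead of 843 so it runs without root.

```python
"""Socket policy server and crossdomain.xml generator for the Flash Player
9.0.124.0 policy changes. Added example; domains/ports/headers are placeholders."""
import socket
import threading
from xml.sax.saxutils import quoteattr

# Flash Player sends exactly this (including the trailing NUL) on port 843
# before it opens a Socket or XMLSocket to any port on the host.
POLICY_REQUEST = b"<policy-file-request/>\0"
DOCTYPE = ('<!DOCTYPE cross-domain-policy SYSTEM '
           '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">')


def _check_domain(domain, allow_wildcard):
    """Refuse domain="*" unless the caller opts in: it grants every site access."""
    if domain == "*" and not allow_wildcard:
        raise ValueError('domain="*" grants every site access; pass allow_wildcard=True to opt in')
    return domain


def socket_policy(domains, to_ports, allow_wildcard=False):
    """Master socket policy file, served from port 843 (to_ports e.g. "5000-5010")."""
    rules = "".join(
        "  <allow-access-from domain=%s to-ports=%s/>\n"
        % (quoteattr(_check_domain(d, allow_wildcard)), quoteattr(to_ports))
        for d in domains)
    return ('<?xml version="1.0"?>\n' + DOCTYPE + "\n<cross-domain-policy>\n"
            + rules + "</cross-domain-policy>\n")


def crossdomain_xml(domains, headers, allow_wildcard=False):
    """/crossdomain.xml that permits cross-domain loads AND the listed request headers."""
    header_list = ",".join(headers)  # comma-separated list, or "*" for any header
    rules = "".join(
        "  <allow-access-from domain=%s/>\n"
        "  <allow-http-request-headers-from domain=%s headers=%s/>\n"
        % (quoteattr(_check_domain(d, allow_wildcard)), quoteattr(d), quoteattr(header_list))
        for d in domains)
    return ('<?xml version="1.0"?>\n' + DOCTYPE + "\n<cross-domain-policy>\n"
            + rules + "</cross-domain-policy>\n")


def policy_response(request, policy):
    """Reply for one socket-policy connection: policy + NUL, or None to drop the connection."""
    if request != POLICY_REQUEST:
        return None  # anything else (HTTP, garbage) gets no policy and no banner
    return policy.encode("utf-8") + b"\0"


def serve_once(policy, host="127.0.0.1", port=843):
    """Bind, answer exactly one connection in a background thread, return the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(3)
            buf = b""
            # Read until the NUL terminator, but never more than a real request.
            while b"\0" not in buf and len(buf) < len(POLICY_REQUEST):
                chunk = conn.recv(len(POLICY_REQUEST) - len(buf))
                if not chunk:
                    break
                buf += chunk
            reply = policy_response(buf, policy)
            if reply is not None:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return bound


if __name__ == "__main__":
    policy = socket_policy(["www.example.com"], "5000-5010")
    port = serve_once(policy, port=0)  # ephemeral port for the demo; real deployments use 843
    with socket.create_connection(("127.0.0.1", port)) as cli:
        cli.sendall(POLICY_REQUEST)
        cli.settimeout(3)
        print(cli.recv(4096).decode("utf-8"))
    print(crossdomain_xml(["www.example.com"], ["SOAPAction", "Content-Type"]))
```

The server answers only the exact request string; an HTTP probe or anything else is dropped without output, so the policy port does not double as a banner. Note that the `to-ports` value is what limits which ports the SWF may reach, so prefer an explicit range over `*`.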

Check out Adobe Devnet for more in-depth information.