BIT-101 Blog

There are currently 42 responses to “Flash Player 10 Security – breaking the web”

1. 1 On August 17th, 2008, Lee Brimelow said:

   Thanks for calling this out Keith. We’ll look into the issue.

   Lee Brimelow
   Adobe

2. 2 On August 18th, 2008, Erki Esken said:

   Good thing you called this out Keith. I use the YUI Uploader component in a CMS app and it relies on JS-to-Flash messaging to start selecting files, so that would break with FP10 as well. Adobe, please fix this before FP10 gold.

3. 3 On August 18th, 2008, Apukeittiö.fi » Blog Archive » Flash Player 10:n turvallisuusominaisuudet said:

   [...] bugit, ihan miten vaan. Keith Peters kirjoittaa blogissaan havainnostaan, että tuleva Flash Player päivitys saattaa rikkoa useita sivustoja (esim. Flickr) ja ohjelmistoja [...]

4. 4 On August 18th, 2008, Mike Welsh said:

   These overzealous security restrictions are infuriating. I’ve run into a similar problem — similarly, activating full-screen can only be done by user input in Flash. We wanted to implement a JavaScript full-screen button in HTML, but can’t for the same reason. Not to mention the fact that keyboard input is disallowed in fullscreen mode (why??)! I can totally understand the concern in not wanting to confuse a user or let someone make a “BSOD” Flash or something, but limiting usability can be counterproductive.

   Here’s another one: Security problems with computeSpectrum.
   https://bugs.adobe.com/jira/browse/FP-147
   It seems like the new audio features in Flash 10 will fix this one, though

5. 5 On August 18th, 2008, kp said:

   Thanks for acknowledging this, Lee. I fully expect to be tied to a chair and beaten when I visit the Adobe offices tomorrow.

6. 6 On August 18th, 2008, The Flash Blog » Flash Player 10 FileReference Changes said:

   [...] this post I hope to address some of the concerns raised by Keith Peters in his recent blog post. In the post Keith brings up some existing applications that will be broken because of the new [...]

7. 7 On August 19th, 2008, WordpressやFlickrのファイルアップロードがFlash Player 10で機能しない理由 : blog Boreal Kiss said:

   [...] Flash Player 10 Beta breaking WordPress, Flickr, other uploaders | BIT-101 Blog [...]

8. 8 On September 26th, 2008, Marc Grabanski said:

   I’ve been watching the discussions about this Flash 10 security change and don’t understand why Adobe is making this change – it breaks so many uploaders. Why are they doing this?

   BTW – How did your visit to Adobe go?

9. 9 On October 15th, 2008, Uwe » Baustelle Wordpress, Adobe Flash Player 10 und der Uploader wollen nicht miteinander said:

   [...] Die Info ist immerhin etwas frischer als 4 Monate aber die Aussagen sind auch nicht wirklich erleichternd. Das wird eine große, böse Welle an Aufschreien nach sich ziehen, aber vermutlich kann man es sich leisten, wenn man Adobe – Alternativen unbekannt oder nicht einsatzfähig – ist… [...]

10. 10 On October 15th, 2008, Phillip Morelock said:

    This release has also broken JibJab’s “Starring You” movie creation tool due to file upload problems.

11. 11 On October 16th, 2008, Jorge Rubiano said:

    In many applications I use the library SWFUpload, recently did the updated Flash Player to version 10.

    I am very concerned, I have read of possible solutions, such as a flash of film hidden (Lee Brimelow), but this solution does not find it effective for applications that have been made.

    I understand that this solves a problem of security, but also incurs a problem for people utlizamos bookstores such as the SWFUpload

    It is also worrying that as incovenientes to resolve this, stop future applications

    We appreciate the cooperation we can give

12. 12 On October 16th, 2008, Nicolas said:

    For the record, I already notified the Adobe team about the issue a few weeks ago. I was answered that it was a “security feature” (meaning : not negotiable) and that they will look at fixing that in “future release”.

    I’m also quite pissed off about the issue, especially since there is no workaround.

13. 13 On October 17th, 2008, Klabusterbärchen said:

    this kind of fu*k is a waste of time.

    not that I even spend much time uninstalling and installing 10 again and again,
    now that i found out its a bug, i can search the bloody adobe page for downgrading
    to 9 which – after 13 minutes of search – i still dont find .. except this here.

    thanks.

14. 14 On October 17th, 2008, Danny said:

    The URLLoader API is also affected by this broken incompatibility. How come these incompatibilities were not communicated clearly to developers?
    Why are no workarounds announced at Adobe Developer site?

    I fully understand why Google and Apple do not choose Flash as their strategic platform. We are seriously consider not to use flash again in our platform. We really don’t know what will be changed in the future by Adobe that will screw all of our applications.

    Leason learned: Not to put all your egg in one basket, especially a basket that you can not really trust.

15. 15 On October 18th, 2008, Adobe “сломал” интернет « Yura Zemskov’s Weblog said:

    [...] Adobe “сломал” интернет Adobe выпустил Flash Player 10 и, накрутив в настройках безопасности, сознательно и легко сломал дохрена сайтов, использующих flash-upload скрипты, в том числе и мой russotravel.ru. Ну это еще ничего, вот фликру и вконтакте наверное обиднее Ax да сломалось n-ое безмерное количество блогов на wordpress, в плагине галерей которых также самым удобным способом загрузки был flash. Заносим Adobe в список уродов и думаем, как решить проблему. <!– lj-cut>Кратко суть такова, что окно выбора файлов для загрузки теперь нельзя инициировать через JS и т.п., только по действию пользователя – клику на флеш-компоненте.<!==–>Кому интересны подробности:* (ru) * (en) http://www.adobe.com/devnet…* (en) http://theflashblog.com/?p=423* (en) http://bit-101.com/blog/?p=1382 [...]

16. 16 On October 21st, 2008, Coker said:

    Hey Keith,
    Thanks a lot. Am sure adobe won’t do anything about this and for now, the thing is downgrade to Flash player 9! Had quite some issues when clients started writing they cant download from our download pad, only to find it a Flash 10 “Bug”, told them to downgrade to 9 anyway for now.

    Thanks for raising this.

17. 17 On October 21st, 2008, kp said:

    Just advising clients to downgrade is not a realistic option. It’s fine if your client is one company – they are the only one using the app. But what about Wordpress or Flickr. They have millions of users. Sure you can tell them all to go to Flash 9, but with auto update and most of them not really understanding or caring about Flash Player versions, most are just going to see a broken uploader and blame Wordpress or Flickr.

    Since Adobe is NOT going to “fix” this – as they don’t see it as broken, but a security feature – it is up to Wordpress, Flickr, etc. to make uploaders that will work with Flash 10. You can bitch about it and complain and start public activism movements, but the reality is Adobe probably isn’t going to change it and if your uploader is broken by it, your clients are going to blame you.

    Personally, I don’t see what the problem is with just exposing a flash-based button. You’re already embedding flash on the page and using it. Why is it so important that the button be an html button? The only problem is using html and javascript on the page to call a hidden flash upload script. If you expose a flash button and have its click start the upload, the upload works just fine.

18. 18 On October 21st, 2008, Lexskywalker.it - Way to Valinor » Blog Archive » Flash player 10 said:

    [...] Flash Player 10 Security – breaking the webFile upload not workingFlash Player 10 Beta breaks file uploadLa soluzione di WordpressL’articolo del bug su flashBlog Categoria: Dalla teoria alla pratica top [...]

19. 19 On October 24th, 2008, Using AS3 to Upload and Encode Images - Substance Labs said:

    [...] and source files to work in IE6 (turned out to be a pathing issue), as well as Flash Player 10. FP10 disallows opening the download dialog without user interaction, so I’ve added in a “download” button to accommodate for the change. [...]

20. 20 On October 26th, 2008, hellotaru said:

    There is another major problem other than the security issue.

    I have a AS2 swf embeded within a AS3 swf, which works perfectly under FP9, but it doesn’t works on the release version of FP10.

    I can downgrade my own computer back to FP9, which I did, but unfortunately, I have no control over other people who view my site, most of whom are not tech people, they don’t know and don’t care what FP their browsers are equipped with, and they will only think it’s bad programming on my part. Thanks a lot, Adobe.

21. 21 On October 27th, 2008, Increo on Ideas » The Flash 10 Upload Debacle said:

    [...] will not dig too deeply into the pros and cons because they have been discussed at length. What matters is how to solve the problem that has dramatically affected not only [...]

22. 22 On October 28th, 2008, Otto said:

    It seems likely that because of this, WordPress will be dropping the support for Flash uploads and switching to something more stable. Talk has been about using Gears to do “nice” file uploading instead, as it’s relatively stable and does indeed support this sort of thing.

    Flash 10 is clearly not suitable for production usage if they’re going to intentionally break functionality everywhere.

23. 23 On October 28th, 2008, kp said:

    otto, Adobe is not “intentionally break[ing] functionality everywhere”. and flash is more than suitable for production usage, as demonstrated by the millions of in-production SWFs out there. Let’s not get carried away.

    I was one of the first ones to call this out, so I’m not defending them, but I do understand the decision from a security viewpoint, after Lee described it. And as Lee pointed out, this is no different than the exact same restrictions that html has. You can’t initiate a file dialog without mouse interaction.

    What does piss me off is the way Adobe handled this. They just released it with no notice of such a major change. It broke several major sites and applications and there was little or no reachout to those sites to help them solve the problem. Until I wrote this post, the only Adobe response was in the bug tracking system where some engineer wrote a comment to the effect of “well Wordpress is going to have to do it a different way”. Lee was the first one at Adobe to publicly address the issue. I’m not sure how much reach out was done to Wordpress or Flickr.

    Also, note that SWFUpload has been updated to work with this issue. This is what Wordpress uses, and I think Flickr might use it to. So they can now upgrade to the new version of SWFUpload if they want to keep using the Flash solution. Or they can switch to gears or whatever else if they want to go that route. I just hope they do *something* soon and stop whining about Adobe.

24. 24 On November 3rd, 2008, Audrey Berger said:

    Not being a technical person, but one who posts to a WordPress blog daily, I couldn’t understand why when I went to upload photo’s, which are essential to my blog, I could not do it today. Finally I went on some forums and one of the moderator’s said, “you recently downloaded adobe flash player 10 didn’t you?” And the answer was yes, just yesterday.
    So now 9 hours and no posts later I am still trying to solve the problem and am very upset and frustrated!!!
    I need to have it spelled out to a novice who uses a MAC OS10 Powerbook,what do I do to correct this problem? How do I downgrade to Flash 9? Do I need to uninstall and then reinstall? Will this fix it?
    Please help. I am at my wits end, have lost one entire day, and need to post tomorrow AM. Also I have to say this is going to make me quite leery of just pressing the “install” button next time. I never dreamed I would be hurt like this.
    Thank you,
    Audrey
    http://www.cracksinsidewalks.com

25. 25 On November 4th, 2008, jonnymac blog » How to Fix the WordPress Upload Issue with Flash Player 10 said:

    [...] have seen a lot of people complaining about this (and Adobe has responded really well and explained their solid reasoning), [...]

26. 26 On November 5th, 2008, Magento Bild Upload funktioniert nicht | ausgebloggt.de said:

    [...] Problem war. Etwas Googeln lies dann allerdings auf ein größeres Problem schließen. Der Uploader scheint auch in Wordpress so seine Probleme zu machen. Richtig konkret wird es dann in diesem Beitrag. Letztlich machten dann dieser Beitrag und [...]

27. 27 On November 5th, 2008, Eternal said:

    Also would note that Programming Functionality For Newer Games Being Developed, Are Causing Errors in Flash 9 & 10. Constant Lagging on New And Old Computers.

    I’m using Self Built 850mhz Intel With PCI Nvidia G Force 5500 with 528mb of Ram. Using Linux ver.8.04 Kubuntu. High Speed cable. Very Stable And Fast For What I Need It For.

    Thanks For Listening.

28. 28 On November 8th, 2008, datenschmutz.net said:

    WordPress: Flash-Upload funktioniert nicht (mehr)…

    Mit der neuen Flash-Version 10 versagt der Flash-Upload seinen Dienst. Davon ist unter anderem auch WordPress betroffen. Einziger Quickfix: umschalten auf den Browser-Upload.
    ……

29. 29 On November 10th, 2008, DiggLife said:

    升级Flash Player 10导致WordPress Flash上传工具失效…

    这两天在后台上传图片时一直无法使用WordPress的Flash上传工具（SWFUploader），点击了Upload之后没有任何反应，只好暂时使用Browser Uploader。因为这个问题正好发生在重装了系统之后，所以怀疑是….

30. 30 On November 10th, 2008, Wordpress, Joomla, Flickr e o bug(?) com Flash Player 10 - GeoWeb said:

    [...] simples busca no Google e voilá cai neste site, onde o autor explica que o Flash 10 dá um erro de segurança com vários plugins de upload que [...]

31. 31 On November 18th, 2008, Ted Nugent said:

    hmmn…

    did it occur to anyone that maybe the solution is to stop using the less secure and non-cross-browser-because-it-is-a-spec-and-not-a-plugin javascript?

    it seems like the real issue is people relying on javascript. at my work we ran into this issue as well, and it is still not resolved unfortunately because the file size of the swf needed…

    but I’m not blaming Adobe for taking responsibility and fixing a security hole. I’m sticking to my original belief that javascripting flash to copy to clipboard is just not a good idea.

    I used to work with javascript… when I was younger and learning the ways of the internet. I guess for very very simple things, I still use javascript where I have to.

32. 32 On November 18th, 2008, Wordpress, Joomla, Flickr, Orkut e o bug(?) com Flash Player 10 - Geoweb said:

    [...] simples busca no Google e voilá cai neste site, onde o autor explica que o Flash 10 dá um erro de segurança com vários plugins de upload que [...]

33. 33 On December 8th, 2008, Otto said:

    @kp, I’m sorry, but until you SHOW me the security issue on FileReference.browse(), then yes, it is theoretical. Adobe can claim “reports” all they like, but they have yet to provide a legitimate demonstration.

    And no, Flash is no longer suitable for production usage, IMO. If they can’t even maintain backward compatibility with their own specification while remaining secure, then they cannot be trusted for production usage. It’s sad really. Adobe has taken a once promising development system and made it suitable only for video and games. Well done indeed.

    Also note that other systems don’t seem to have a problem allowing Javascript to open a File Browse dialog. I refer you to the desktop.openFiles() call in Google Gears (which is also a browser plugin): http://code.google.com/apis/gears/api_desktop.html#Desktop

    I do understand where you are coming from with the way they handled this, as it was clearly stupid on their part to break the entire world with absolutely no response or notice of the fact. However I am upset with the actual change itself. I’m sorry, but it’s straight up idiotic to say that opening a file browser when that’s exactly what the user wanted to do is a “security risk”. If they can’t get interaction information and details from the browser in order to enforce their (mildly retarded, IMO) security model, then they need to rethink their overall design. Flash is a browser plugin. It has access to that information. There are better solutions than simply giving the entire web community the finger.

    >>I’m not sure how much reach out was done to Wordpress or Flickr.

    Nothing was done to reach out to WordPress in any way at all, period. Until Flash 10 was released and somebody using the name “mikechambers” left a couple of weak forum responses, not one word was given. Oh, WP knew it was going to break when they released the Flash 10 beta. But most people just thought it was a bug in Flash 10 that would be fixed. And anyway, WP uses another commonplace piece of 3rd party software to deal with that (SWFUpload), so when they released Flash 10 and it was still broke and SWFUpload had no fix, well, what the hell were they supposed to do?

    If Adobe breaks something and fails to offer fixes for it, then yes, I put full blame on them for it.

    The SWFUpload fix will be in the upcoming WordPress 2.7. And with any luck, Flash will be removed entirely from WordPress 2.8. I hope that WordPress switches to something more stable, like Gears. Google seems more trustworthy than Adobe is, in the long run.

34. 34 On December 8th, 2008, kp said:

    The security issue is quite clear. You could open a dialog to upload files without the user knowing what opened it. It could be made to seem as if the dialog was coming from another trusted app, rather than some random site they happened to browse to, a popup ad, or whatever. If you can’t imagine how this could be exploited, you don’t have a very good imagination. And if a real security issue DID surface before it was handled and addressed by Adobe, you can bet there would even more uproar about it.

    “it’s straight up idiotic to say that opening a file browser when that’s exactly what the user wanted to do is a security risk”

    I don’t think you understand the situation at all. Before this change, ANY script could open the file browser, whether the user wanted to do it or not. You could pop up a tiny window and hide it under other windows, set a 2 minute timer that opens the file dialog, with some phony title. User thinks some other app is asking for a file and unknowingly uploads something.

    Comparison to Gears is not quite right either. Gears has an opt-in security model.

    “To protect users, Gears shows a warning dialog when a site first attempts to use the Gears API. User opt-in is important because Gears allows applications to store data on the user’s hard disk.

    Users can grant or deny access for each security origin. When a user grants access to Gears for a particular origin, Gears remembers this decision for future visits. Denying access is only until the page is reloaded, though users can also choose to never allow a particular site to access Gears. Remembered decisions can later be changed using the Gears Settings dialog, located in the browser’s Tools menu. ”

    Personally, I would love to see this as a solution for Flash as well.

35. 35 On December 9th, 2008, Otto said:

    >>I don’t think you understand the situation at all. Before this change, ANY script could open the file browser, whether the user wanted to do it or not.

    No, I do understand the situation entirely. But I’m not complaining about the PROBLEM. I’m complaining about the STUPID PATCH. Making it so that only interactions from within Flash itself can open the file browse dialog is quite simply a freakin’ stupid solution to this problem.

    If they want only real user interaction to open a dialog, then they need to hook deeper into the browser so that they can actually tell when real user interaction is taking place. Only allowing user interaction from within Flash itself to trigger the method is a half-baked hack, at best. I don’t like my dev environments to have half-baked idiotic hacks in them.

    >>Comparison to Gears is not quite right either. Gears has an opt-in security model.

    Only for certain tasks. A site does not need user permission to open a File Browse dialog in Gears. Note the text at the top of this page: http://code.google.com/apis/gears/api_desktop.html . Specifically note: “Does not require user permission”.

36. 36 On January 18th, 2009, How to make your wordpress and flickr uploads working again, downgrade flash player 10 said:

    [...] users, not to mention that there are a load of bug present on the flash player 10 itself. There are so much talk going around the web about the Flash player 10 issue, but Adobe decided not to look into it, they suggest the developers [...]

37. 37 On February 12th, 2009, Sandeep said:

    i m facing the same bug of flash player 10 which disallows the download dialog to open up without user-interaction. Adobe people should move to the old behaviour of flash player 9.

38. 38 On February 16th, 2009, Using Zeroclipboard for Wordpress Comments - teddY-risatioN™ said:

    [...] functionality offered by many javascript resource sites on the Internet, frustrating millions out there. The reactions from Internet users, although varied, are more or less the same – they wanted Flash [...]

39. 39 On March 5th, 2009, graphicrelief.net said:

    [...] users, not to mention that there are a load of bug present on the flash player 10 itself. There are so much talk going around the web [...]

40. 40 On March 20th, 2009, Phillip McCullough said:

    When are you guys going to do something about this problem?
    Seriously. It’s been months now.

    Even after I replaced my SWFUpload file with the latest version, I still can’t get the image loader to work.

41. 41 On March 20th, 2009, kp said:

    who are “you guys”?

    Adobe is not going to change this behavior. It’s up to those who implement it to change their implementation.

42. 42 On April 20th, 2009, Robert said:

    What I find unfortunate here is that while I can easily change my apps, it stops me from using any good architecture practices. I’d like to see how they code for this in Cairngorm…..

Leave a Reply