Flash Player 10 Security – breaking the web

Aug 17 2008 Published by under ActionScript, Flash

Send to Kindle

[10/29/08 - OK, read the below, but also read the following posts before you get all uppity.]

http://www.bit-101.com/blog/?p=1389

http://theflashblog.com/?p=423

http://theflashblog.com/?p=463

http://www.bit-101.com/blog/?p=1590

http://www.bit-101.com/blog/?p=1608

[That is all. Continue reading my rant.]

OK, I’m being a bit dramatic to get attention, but there is a serious issue here, which I hope Adobe takes notice of and thinks about changing.

Often one of the most frustrating parts of working with Flash is dealing with security issues. I understand completely the need for security in Flash. Any mention of any security loopholes in Flash spreads like wildfire around the Internet and is blown up to represent the end of the modern civilization, and of course, a new reason to NOT use Flash. So Adobe has to clamp down on them. But man, sometimes it feels like they get a little TOO enthusiastic about locking down Flash.

The latest one that’s bugging me is a Flash 10 Player change that only allows you to open a file browse dialog via a direct user interaction such as a button push/mouse click. The idea here is to prevent malicious code from opening a file dialog and perhaps making you think it is for something else, and you wind up uploading some sensitive data to someone else’s server. I can see the point, but it’s creating some havoc.

It seems that various solutions such as SWFUpload use a mix of SWF + JavaScript to allow for file uploading. My understanding is that you click an html upload button that calls a method in the SWf via JavaScript to initiate a file browse and upload. Works fine in Flash 9, but you get a security error in Flash 10.

The real issue is that SWFUpload is what is used by WordPress for their file uploader. So Flash 10 is going to break this feature across the boards in all WordPress installations, which is like eleventy-zillion.

Oh, and there’s another little site that a few people use that implements a similarly coded Flash uploader. I think it’s called Flickr. Yeah, the Flickr uploader is busted in Flash 10.

There are probably plenty of other photo/video/etc. uploaders which are similarly destroyed by this new security feature. Again, I understand the intent, but I seriously hope that Adobe takes a good look at this one and makes it possible for products like SWFUpload to work. Possible workarounds are a “trust” dialog, or just going back to Flash 9 behavior.

Here are some links for further info on this issue:

http://www.adobe.com/cfusion/webforums/forum/messageview.cfm?forumid=72&catid=675&threadid=1362693&enterthread=y

http://wordpress.org/support/topic/179104?replies=4

http://trac.wordpress.org/ticket/6979

http://wordpress.org/support/topic/177127?replies=6

http://swfupload.org/forum/generaldiscussion/551

As you can see reading through some of this, the perception by the world at large is that this is a “bug” or it is “broken”, not that it is a “security feature”. Some even interpret this as, “unlikely that Flash 10 will be able to do any sort of file uploading of any kind.” And of course, the recommendation across the board is “don’t upgrade to Flash 10, or downgrade to Flash 9.” Great work guys. Create the best Flash Player EVER (seriously) and then piss people off so much that they don’t want to use it.

Breaking millions of installs of software and disabling some of the features on some of the major sites of the Internet for a percieved security fix is utterly irresponsible and only brings bad press and bad blood to Adobe.

Send to Kindle

43 responses so far. Comments will be closed after post is one year old.

  • Lee Brimelow says:

    Thanks for calling this out Keith. We’ll look into the issue.

    Lee Brimelow
    Adobe

  • Erki Esken says:

    Good thing you called this out Keith. I use the YUI Uploader component in a CMS app and it relies on JS-to-Flash messaging to start selecting files, so that would break with FP10 as well. Adobe, please fix this before FP10 gold.

  • [...] bugit, ihan miten vaan. Keith Peters kirjoittaa blogissaan havainnostaan, että tuleva Flash Player päivitys saattaa rikkoa useita sivustoja (esim. Flickr) ja ohjelmistoja [...]

  • Mike Welsh says:

    These overzealous security restrictions are infuriating. I’ve run into a similar problem — similarly, activating full-screen can only be done by user input in Flash. We wanted to implement a JavaScript full-screen button in HTML, but can’t for the same reason. Not to mention the fact that keyboard input is disallowed in fullscreen mode (why??)! I can totally understand the concern in not wanting to confuse a user or let someone make a “BSOD” Flash or something, but limiting usability can be counterproductive.

    Here’s another one: Security problems with computeSpectrum.
    https://bugs.adobe.com/jira/browse/FP-147
    It seems like the new audio features in Flash 10 will fix this one, though

  • kp says:

    Thanks for acknowledging this, Lee. I fully expect to be tied to a chair and beaten when I visit the Adobe offices tomorrow. :)

  • [...] this post I hope to address some of the concerns raised by Keith Peters in his recent blog post. In the post Keith brings up some existing applications that will be broken because of the new [...]

  • I’ve been watching the discussions about this Flash 10 security change and don’t understand why Adobe is making this change – it breaks so many uploaders. Why are they doing this?

    BTW – How did your visit to Adobe go?

  • [...] Die Info ist immerhin etwas frischer als 4 Monate aber die Aussagen sind auch nicht wirklich erleichternd. Das wird eine große, böse Welle an Aufschreien nach sich ziehen, aber vermutlich kann man es sich leisten, wenn man Adobe – Alternativen unbekannt oder nicht einsatzfähig – ist… [...]

  • This release has also broken JibJab’s “Starring You” movie creation tool due to file upload problems.

  • Jorge Rubiano says:

    In many applications I use the library SWFUpload, recently did the updated Flash Player to version 10.

    I am very concerned, I have read of possible solutions, such as a flash of film hidden (Lee Brimelow), but this solution does not find it effective for applications that have been made.

    I understand that this solves a problem of security, but also incurs a problem for people utlizamos bookstores such as the SWFUpload

    It is also worrying that as incovenientes to resolve this, stop future applications

    We appreciate the cooperation we can give

  • Nicolas says:

    For the record, I already notified the Adobe team about the issue a few weeks ago. I was answered that it was a “security feature” (meaning : not negotiable) and that they will look at fixing that in “future release”.

    I’m also quite pissed off about the issue, especially since there is no workaround.

  • Klabusterbärchen says:

    this kind of fu*k is a waste of time.

    not that I even spend much time uninstalling and installing 10 again and again,
    now that i found out its a bug, i can search the bloody adobe page for downgrading
    to 9 which – after 13 minutes of search – i still dont find .. except this here.

    thanks.

  • Danny says:

    The URLLoader API is also affected by this broken incompatibility. How come these incompatibilities were not communicated clearly to developers?
    Why are no workarounds announced at Adobe Developer site?

    I fully understand why Google and Apple do not choose Flash as their strategic platform. We are seriously consider not to use flash again in our platform. We really don’t know what will be changed in the future by Adobe that will screw all of our applications.

    Leason learned: Not to put all your egg in one basket, especially a basket that you can not really trust.

  • [...] Adobe “сломал” Ð¸Ð½Ñ‚ернет Adobe выпустил Flash Player 10 и, накрутив в настройках безопасности, сознательно и легко сломал дохрена сайтов, использующих flash-upload скрипты, в том числе и мой russotravel.ru. Ну это еще ничего, вот фликру и вконтакте наверное обиднее Ax да сломалось n-ое безмерное количество блогов на wordpress, в плагине галерей которых также самым удобным способом загрузки был flash. Заносим Adobe в список уродов и думаем, как решить проблему. <!– lj-cut>Кратко суть такова, что окно выбора файлов для загрузки теперь нельзя инициировать через JS и Ñ‚.п., только по действию пользователя – клику на флеш-компоненте.<!==–>Кому интересны подробности:* (ru) * (en) http://www.adobe.com/devnet…* (en) http://theflashblog.com/?p=423* (en) http://bit-101.com/blog/?p=1382 [...]

  • Coker says:

    Hey Keith,
    Thanks a lot. Am sure adobe won’t do anything about this and for now, the thing is downgrade to Flash player 9! Had quite some issues when clients started writing they cant download from our download pad, only to find it a Flash 10 “Bug”, told them to downgrade to 9 anyway for now.

    Thanks for raising this.

  • kp says:

    Just advising clients to downgrade is not a realistic option. It’s fine if your client is one company – they are the only one using the app. But what about WordPress or Flickr. They have millions of users. Sure you can tell them all to go to Flash 9, but with auto update and most of them not really understanding or caring about Flash Player versions, most are just going to see a broken uploader and blame WordPress or Flickr.

    Since Adobe is NOT going to “fix” this – as they don’t see it as broken, but a security feature – it is up to WordPress, Flickr, etc. to make uploaders that will work with Flash 10. You can bitch about it and complain and start public activism movements, but the reality is Adobe probably isn’t going to change it and if your uploader is broken by it, your clients are going to blame you.

    Personally, I don’t see what the problem is with just exposing a flash-based button. You’re already embedding flash on the page and using it. Why is it so important that the button be an html button? The only problem is using html and javascript on the page to call a hidden flash upload script. If you expose a flash button and have its click start the upload, the upload works just fine.

  • [...] Flash Player 10 Security – breaking the webFile upload not workingFlash Player 10 Beta breaks file uploadLa soluzione di WordPressL’articolo del bug su flashBlog Categoria: Dalla teoria alla pratica top [...]

  • [...] and source files to work in IE6 (turned out to be a pathing issue), as well as Flash Player 10. FP10 disallows opening the download dialog without user interaction, so I’ve added in a “download” button to accommodate for the change. [...]

  • hellotaru says:

    There is another major problem other than the security issue.

    I have a AS2 swf embeded within a AS3 swf, which works perfectly under FP9, but it doesn’t works on the release version of FP10.

    I can downgrade my own computer back to FP9, which I did, but unfortunately, I have no control over other people who view my site, most of whom are not tech people, they don’t know and don’t care what FP their browsers are equipped with, and they will only think it’s bad programming on my part. Thanks a lot, Adobe.

  • [...] will not dig too deeply into the pros and cons because they have been discussed at length. What matters is how to solve the problem that has dramatically affected not only [...]

  • Otto says:

    It seems likely that because of this, WordPress will be dropping the support for Flash uploads and switching to something more stable. Talk has been about using Gears to do “nice” file uploading instead, as it’s relatively stable and does indeed support this sort of thing.

    Flash 10 is clearly not suitable for production usage if they’re going to intentionally break functionality everywhere.

  • kp says:

    otto, Adobe is not “intentionally break[ing] functionality everywhere”. and flash is more than suitable for production usage, as demonstrated by the millions of in-production SWFs out there. Let’s not get carried away.

    I was one of the first ones to call this out, so I’m not defending them, but I do understand the decision from a security viewpoint, after Lee described it. And as Lee pointed out, this is no different than the exact same restrictions that html has. You can’t initiate a file dialog without mouse interaction.

    What does piss me off is the way Adobe handled this. They just released it with no notice of such a major change. It broke several major sites and applications and there was little or no reachout to those sites to help them solve the problem. Until I wrote this post, the only Adobe response was in the bug tracking system where some engineer wrote a comment to the effect of “well WordPress is going to have to do it a different way”. Lee was the first one at Adobe to publicly address the issue. I’m not sure how much reach out was done to WordPress or Flickr.

    Also, note that SWFUpload has been updated to work with this issue. This is what WordPress uses, and I think Flickr might use it to. So they can now upgrade to the new version of SWFUpload if they want to keep using the Flash solution. Or they can switch to gears or whatever else if they want to go that route. I just hope they do *something* soon and stop whining about Adobe.

  • Not being a technical person, but one who posts to a WordPress blog daily, I couldn’t understand why when I went to upload photo’s, which are essential to my blog, I could not do it today. Finally I went on some forums and one of the moderator’s said, “you recently downloaded adobe flash player 10 didn’t you?” And the answer was yes, just yesterday.
    So now 9 hours and no posts later I am still trying to solve the problem and am very upset and frustrated!!!
    I need to have it spelled out to a novice who uses a MAC OS10 Powerbook,what do I do to correct this problem? How do I downgrade to Flash 9? Do I need to uninstall and then reinstall? Will this fix it?
    Please help. I am at my wits end, have lost one entire day, and need to post tomorrow AM. Also I have to say this is going to make me quite leery of just pressing the “install” button next time. I never dreamed I would be hurt like this.
    Thank you,
    Audrey
    http://www.cracksinsidewalks.com

  • [...] have seen a lot of people complaining about this (and Adobe has responded really well and explained their solid reasoning), [...]

  • [...] Problem war. Etwas Googeln lies dann allerdings auf ein größeres Problem schließen. Der Uploader scheint auch in WordPress so seine Probleme zu machen. Richtig konkret wird es dann in diesem Beitrag. Letztlich machten dann dieser Beitrag und [...]

  • Eternal says:

    Also would note that Programming Functionality For Newer Games Being Developed, Are Causing Errors in Flash 9 & 10. Constant Lagging on New And Old Computers.

    I’m using Self Built 850mhz Intel With PCI Nvidia G Force 5500 with 528mb of Ram. Using Linux ver.8.04 Kubuntu. High Speed cable. Very Stable And Fast For What I Need It For.

    Thanks For Listening.

  • WordPress: Flash-Upload funktioniert nicht (mehr)…

    Mit der neuen Flash-Version 10 versagt der Flash-Upload seinen Dienst. Davon ist unter anderem auch WordPress betroffen. Einziger Quickfix: umschalten auf den Browser-Upload.
    ……

  • DiggLife says:

    升级Flash Player 10导致WordPress Flash上传工具失效…

    这两天在后台上传图片时一直无法使用WordPressçš„Flash上传工具(SWFUploader),点击了Upload之后没有任何反应,只好暂时使用Browser Uploader。因为这个问题正好发生在重装了系统之后,所以怀疑是….

  • [...] simples busca no Google e voilá cai neste site, onde o autor explica que o Flash 10 dá um erro de segurança com vários plugins de upload que [...]

  • Ted Nugent says:

    hmmn…

    did it occur to anyone that maybe the solution is to stop using the less secure and non-cross-browser-because-it-is-a-spec-and-not-a-plugin javascript?

    it seems like the real issue is people relying on javascript. at my work we ran into this issue as well, and it is still not resolved unfortunately because the file size of the swf needed…

    but I’m not blaming Adobe for taking responsibility and fixing a security hole. I’m sticking to my original belief that javascripting flash to copy to clipboard is just not a good idea.

    I used to work with javascript… when I was younger and learning the ways of the internet. I guess for very very simple things, I still use javascript where I have to.

  • [...] simples busca no Google e voilá cai neste site, onde o autor explica que o Flash 10 dá um erro de segurança com vários plugins de upload que [...]

  • Otto says:

    @kp, I’m sorry, but until you SHOW me the security issue on FileReference.browse(), then yes, it is theoretical. Adobe can claim “reports” all they like, but they have yet to provide a legitimate demonstration.

    And no, Flash is no longer suitable for production usage, IMO. If they can’t even maintain backward compatibility with their own specification while remaining secure, then they cannot be trusted for production usage. It’s sad really. Adobe has taken a once promising development system and made it suitable only for video and games. Well done indeed.

    Also note that other systems don’t seem to have a problem allowing Javascript to open a File Browse dialog. I refer you to the desktop.openFiles() call in Google Gears (which is also a browser plugin): http://code.google.com/apis/gears/api_desktop.html#Desktop

    I do understand where you are coming from with the way they handled this, as it was clearly stupid on their part to break the entire world with absolutely no response or notice of the fact. However I am upset with the actual change itself. I’m sorry, but it’s straight up idiotic to say that opening a file browser when that’s exactly what the user wanted to do is a “security risk”. If they can’t get interaction information and details from the browser in order to enforce their (mildly retarded, IMO) security model, then they need to rethink their overall design. Flash is a browser plugin. It has access to that information. There are better solutions than simply giving the entire web community the finger.

    >>I’m not sure how much reach out was done to WordPress or Flickr.

    Nothing was done to reach out to WordPress in any way at all, period. Until Flash 10 was released and somebody using the name “mikechambers” left a couple of weak forum responses, not one word was given. Oh, WP knew it was going to break when they released the Flash 10 beta. But most people just thought it was a bug in Flash 10 that would be fixed. And anyway, WP uses another commonplace piece of 3rd party software to deal with that (SWFUpload), so when they released Flash 10 and it was still broke and SWFUpload had no fix, well, what the hell were they supposed to do?

    If Adobe breaks something and fails to offer fixes for it, then yes, I put full blame on them for it.

    The SWFUpload fix will be in the upcoming WordPress 2.7. And with any luck, Flash will be removed entirely from WordPress 2.8. I hope that WordPress switches to something more stable, like Gears. Google seems more trustworthy than Adobe is, in the long run.

  • kp says:

    The security issue is quite clear. You could open a dialog to upload files without the user knowing what opened it. It could be made to seem as if the dialog was coming from another trusted app, rather than some random site they happened to browse to, a popup ad, or whatever. If you can’t imagine how this could be exploited, you don’t have a very good imagination. And if a real security issue DID surface before it was handled and addressed by Adobe, you can bet there would even more uproar about it.

    “it’s straight up idiotic to say that opening a file browser when that’s exactly what the user wanted to do is a security risk”

    I don’t think you understand the situation at all. Before this change, ANY script could open the file browser, whether the user wanted to do it or not. You could pop up a tiny window and hide it under other windows, set a 2 minute timer that opens the file dialog, with some phony title. User thinks some other app is asking for a file and unknowingly uploads something.

    Comparison to Gears is not quite right either. Gears has an opt-in security model.

    “To protect users, Gears shows a warning dialog when a site first attempts to use the Gears API. User opt-in is important because Gears allows applications to store data on the user’s hard disk.

    Users can grant or deny access for each security origin. When a user grants access to Gears for a particular origin, Gears remembers this decision for future visits. Denying access is only until the page is reloaded, though users can also choose to never allow a particular site to access Gears. Remembered decisions can later be changed using the Gears Settings dialog, located in the browser’s Tools menu. ”

    Personally, I would love to see this as a solution for Flash as well.

  • Otto says:

    >>I don’t think you understand the situation at all. Before this change, ANY script could open the file browser, whether the user wanted to do it or not.

    No, I do understand the situation entirely. But I’m not complaining about the PROBLEM. I’m complaining about the STUPID PATCH. Making it so that only interactions from within Flash itself can open the file browse dialog is quite simply a freakin’ stupid solution to this problem.

    If they want only real user interaction to open a dialog, then they need to hook deeper into the browser so that they can actually tell when real user interaction is taking place. Only allowing user interaction from within Flash itself to trigger the method is a half-baked hack, at best. I don’t like my dev environments to have half-baked idiotic hacks in them.

    >>Comparison to Gears is not quite right either. Gears has an opt-in security model.

    Only for certain tasks. A site does not need user permission to open a File Browse dialog in Gears. Note the text at the top of this page: http://code.google.com/apis/gears/api_desktop.html . Specifically note: “Does not require user permission”.

  • [...] users, not to mention that there are a load of bug present on the flash player 10 itself. There are so much talk going around the web about the Flash player 10 issue, but Adobe decided not to look into it, they suggest the developers [...]

  • Sandeep says:

    i m facing the same bug of flash player 10 which disallows the download dialog to open up without user-interaction. Adobe people should move to the old behaviour of flash player 9.

  • [...] functionality offered by many javascript resource sites on the Internet, frustrating millions out there. The reactions from Internet users, although varied, are more or less the same – they wanted Flash [...]

  • [...] users, not to mention that there are a load of bug present on the flash player 10 itself. There are so much talk going around the web [...]

  • When are you guys going to do something about this problem?
    Seriously. It’s been months now.

    Even after I replaced my SWFUpload file with the latest version, I still can’t get the image loader to work.

    • kp says:

      who are “you guys”?

      Adobe is not going to change this behavior. It’s up to those who implement it to change their implementation.

  • Robert says:

    What I find unfortunate here is that while I can easily change my apps, it stops me from using any good architecture practices. I’d like to see how they code for this in Cairngorm…..

  • [...] users, not to mention that there are a load of bug present on the flash player 10 itself. There are so much talk going around the web about the Flash player 10 issue, but Adobe decided not to look into it, they suggest the developers [...]