As you all know, a new version of the Flash player is coming out soon. For the time being you can get it from
Adobe Labs.
The new version is introducing new security rules, and usually new rules are more strict. I guess what happens is that
bad guys find out new security holes and
release exploits. Then Adobe has to move to stop them.
Something that I really like from Adobe is that at least for the last 2 releases of the player, they've published in advanced what the security changes are going to be so developers can prepare. See what's coming on in
Understanding the security changes in Flash Player 10 beta. There's a ton of stuff related to Sockets, cross-domain, local save and upload, etc, I just leave a couple of comments:
Upload and download of files needs "user interaction"User interaction means the user has to click the mouse or the keyboard to start the process:
FileReference.browse and FileReference.download operations may be initiated only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or pressing the keyboard.
This is going to break things like
SWFUpload because to allow an upload system that degrades gracefully they are using a HTML button that calls via JS a Flash function that initializes the upload/download dialogue. Well, no more.
They are not very happy with it but I guess there's no way back on this one, they'll have to find a workaround (as it seems they are doing).
BTW, based on the same principle, setting data on the system clipboard will require user interaction too.
Limited full-screen keyboard inputIn this case things gets
better. Previously when in full screen mode all keyboard input was disabled. New version allows to catch cursors, tab and space bar. Full screeen online games anyone?
-----
And just lately got to know about something called
clickjacking that apparently is going to be the next big thing in internet security after the
DNS disaster. So big that haven't been disclosed yet, it seems that affects all browsers in all operating systems and also Flash.
Luckily for us the good guys found first and they are working with all major guys to fix this, including Adobe as they acknowledge in the, hold to your chair,
Adobe Product Security Incident Response Team blog.
Security always scares me, there's no way in hell you can be 100% sure something is secure. If you do, you either are a fool or a
liar.