Adobe recently update the flash player version to to fix some serious security issues found in last version of flash player 9.0.48.

So what are the changes in new version of flash player for flash developer perspective? Here are the issues that personally affect me and my team.

Stricter method to interpret crossdomain policy files:

  1. Policy files formatting are now stricter. Here are the cases, which can cause rejection of your crossdomain policy files:
    1. Any extra content before or after the start and closing tag cross-domain-policy.
    2. Top level XML tag is not cross-domain-policy.
    3. Any text other than comments found inside any tag of the policy file.
  2. Adobe published new schemas for various cases of crossdomain policies as following:
    1. Generic Schema:
    2. Schema for FTP:
    3. Schema for HTTP:
    4. Schema for HTTPS:
    5. Schema for Socket communication:
  3. Same domain redirection of policy files
    1. Redirection inside same domain is still allowed in new flash player version.
    2. If policy file located at domain/a/crossdomainpolicy.xml is set to redirect at domain/b/crossdomainpolicy.xml, in that case it would treated policy file for folder domain/b not domain/a.
  4. Content-type whitelist
    1. Policy file’s content-type must be either text/* or application/xml or application/xhtml+xml
    2. Flash player will ignore any HTTP policy file that is not sent with a Content-Type value.
    3. Intention of whitelist is to give some assurance that the file is intended to be a text file.
  5. Stronger socket communication rules
    1. From this player version onwards, it’s required to define socket communication port number in the socket policy file.
  6. New: Meta-policies
    1. Meta-policies are defining which policy files are permitted to exist on a server.
    2. Meta-policies normally defines, which kind of flash player related services are hosted on this server and it’s sub folders.
    3. Scope for Meta-policies is for HTTP, HTTPS, FTP and Sockets.
    4. Currently, its not too important unless and until you are super administrator of lot many flash player services like Yahoo! and Google.
  7. Policy file logging
    1. It requires debug version of flash player.
    2. To enable logging, you need to edit mm.cfg which is normally located inside your home folder depending on your operating system.
    3. Default locations for mm.cfg are as following:
      1. Windows: C:\Documents and Settings\username
      2. Windows Vista: C:\Users\username
      3. Macintosh and Linux: /home/username
    4. Create mm.cfg if it does not exist.
    5. It should have following settings:
      1. PolicyFileLog=1
      2. PolicyFileLogAppend=1
    6. Line (i) will enable logging of policy files and line (ii) will continue appending logs instead of clearing log file if root-level SWF is used.
    7. After doing this, if you load any SWF file in your debug version of flash player, it should create policyfiles.txt in following folders according the operating system:
      1. Windows: C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\Logs
      2. Windows Vista: C:\Users\username\AppData\Roaming\Macromedia\Flash Player\Logs
      3. Macintosh: /Users/username/Library/Preferences/Macromedia/Flash Player/Logs
      4. Linux: /home/username/.macromedia/Flash_Player/Logs
    8. Main message which is added in this log file is “Root-level SWF loaded“. This indicates that policy file logging is working fine.
  8. Complete article on Adobe Devnet can be found here.

Restriction on unsupported function asfunction:

This was the main protocol to address potential cross-site scripting issues with some SWF files. As it was updated after Flash Player 8, it has nothing to do with Flash Player 7.

Downloading the update:

To download latest update please point your browser to here.

Interesting Links: