Macromedia Flash


 

Macromedia Flash, or simply Flash, refers to both a multimedia authoring program and the Macromedia Flash Player, written and distributed by Macromedia (recently targeted for acquisition by Adobe Systems), that utilizes vector and raster graphics, a native scripting language called ActionScript and bidirectional streaming of video and audio. Strictly speaking, Macromedia Flash is the authoring environment and Flash Player is the virtual machine application used to run the Flash files, but in colloquial language these have become mixed: "Flash" can mean either the authoring environment, the player or the application files.

Security

Flash Player uses a sandbox security model, which means that Flash applications running in a browser have access to only a strictly limited set of resources. The applications cannot, for example, read files from the hard disk (except the cookie-like data they themselves have written). They can only communicate with the domain they originated from, unless explicitly allowed by another domain.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Flash Player is, like any application that handles files received from the Internet, susceptible to attacks. Specially crafted files could potentially cause the application to malfunction in a way that allows execution of malicious code. The Player plug-in has had security flaws which may expose a computer to remote attacks. See http://www.macromedia.com/v1/handlers/index.cfm?ID=23569 and http://www.theregister.co.uk/content/55/28645.html for a December 2002 problem, addressed by a public warning and patch from Macromedia. Fortunately, all the security incidents have been only proof-of-concept breaches and never escalated into real-world problems.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Flash can retain information locally (in a manner similar to, but more extensive than, browser cookies), giving the client the ability to, for example, remember the level or score a user has achieved on a Flash-based game, or the settings used on a previously visited website. This can compromise the security of users' data and privacy, and there are already reports of exploitation by advertisers (for example, Persistent Information Element). Most users, including those familiar with Flash who protect themselves from cookies, are unaware of this kind of tracking, which is not curtailed by customary in-browser cookie settings or by most cookie-cleaning utilities. The persistent data can be avoided by applying the settings described at Macromedia's web site http://www.macromedia.com/support/documentation/en/flashplayer/help/help02.html. The default storage location of these files (for Windows XP) is the Macromedia\Flash Player\#SharedObjects directory under each user's Application Data directory. This data can only be accessed by Flash movies from the same domain.
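An added example, not part of the original article: a Python script that inventories local shared objects by storing domain, so they can be reviewed or removed where cookie-cleaning tools miss them. It assumes the on-disk layout <random id>/<domain>/.../<name>.sol under #SharedObjects and the .sol header layout noted in the comments (neither is given in the article); the sample tree and domain names are constructed.

```python
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

def sol_name(data):
    """Return the object name stored in a .sol header, or None if malformed."""
    # Assumed header: 00 BF | uint32 BE length | "TCSO" | 6 bytes | uint16 BE n | name
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (n,) = struct.unpack(">H", data[16:18])
    name = data[18:18 + n]
    return name.decode("utf-8", "replace") if len(name) == n else None

def inventory(root):
    """Map each storing domain to (file name, size, embedded name) tuples."""
    found = defaultdict(list)
    for path in sorted(Path(root).rglob("*.sol")):
        # Assumed layout: <random id>/<domain>/.../<name>.sol
        parts = path.relative_to(root).parts
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        found[domain].append((path.name, path.stat().st_size, sol_name(path.read_bytes())))
    return dict(found)

def build_sample(root):
    """Create a constructed #SharedObjects tree for demonstration."""
    def sol(name):
        body = b"TCSO" + b"\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name))
        body += name + bytes(4)
        return b"\x00\xbf" + struct.pack(">I", len(body)) + body
    samples = {
        ("AB12CD34", "game.example", "score.sol"): sol(b"score"),
        ("AB12CD34", "ads.example", "track", "uid.sol"): sol(b"uid"),
        ("AB12CD34", "ads.example", "bad.sol"): b"not a shared object",
    }
    for rel, blob in samples.items():
        full = Path(root, *rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(blob)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for domain, objs in sorted(inventory(tmp).items()):
            for fn, size, name in objs:
                print(f"{domain:15} {fn:10} {size:4} bytes  name={name}")
```

On a real system, pass the user's #SharedObjects directory to inventory(); a file whose embedded name is None does not match the assumed header and deserves a closer look.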

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Not all browsers have a direct way of saving .swf files, and many times the context menu of most browsers won't work on Flash objects. However, some browsers like Mozilla Firefox can save .swf files to disk just by saving the page as "Complete Web page" and then searching the associated "..._files" directory for .swf files. Another way, using Adblock, is to click on the Adblock tab, copy and paste the URL of the .swf file into another window, and then "Save Page As", allowing the user to download only the .swf anywhere he chooses. This doesn't work with Internet Explorer and perhaps other browsers. With Internet Explorer, however, one can try searching for .swf files in the "Temporary Internet Files" directories.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~

The files can also be downloaded by using web grabber software such as Wget. Once the .swf file is saved locally, the Flash application files can quite easily be decompiled into their source code and assets. Several available programs extract graphics, sounds and program code from .swf files. For example, an open source program called Flasm allows users to extract ActionScript from a .swf file as virtual machine intermediate language ("byte-code"), edit it, and then reinsert it into the file. Obfuscation of the .swf files makes the extraction infeasible in most cases.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~