&ot Information Gift: June 2002 Archives

June 25, 2002

Macromedia Flash Player Cross Server Scripting Security Issue

Here's a security alert for Flash-based content from a couple weeks ago (remember, I *did* say this would be a sporadic mailing). The upshot is that next month Macromedia will release a maintenance version of Flash that may limit a particular usage involving getUrl specified script statements. If your developers are employing or planning on employing this functionality, be aware that it may fail in this impending release of the plug-in/control.

Now that that's out of the way -- on to the alert!

 MPSB02-08 - Macromedia Flash Player Cross Server Scripting Security Issue

Originally posted: June 13, 2002
Last updated: June 13, 2002

Summary
Macromedia has recently become aware of a security loophole that exists when Macromedia Flash (SWF) content coming from one domain is included in an HTML page located on a different domain, creating the ability to read and transfer data, such as cookies, from the HTML server domain to the Macromedia Flash domain. Web sites that host Macromedia Flash content directly from their own Web site domain are not affected by this issue.

Issues
An important security restriction in client-side scripting is that script code is not allowed to inspect, modify, or otherwise interact with any documents that come from a Web domain other than the one from which the script itself came. When Flash movies are hosted within HTML pages they can define and call their own script code using the ActionScript getURL() function. When this occurs, cross-domain security is not enforced between Flash movies and the HTML pages in which they are hosted. This means that it is possible to author Flash movies that interact with their surrounding HTML pages even though the movie and its host page may reside in separate domains. This issue occurs with the ActiveX version of Macromedia Flash Player for Internet Explorer and the Netscape plugin for Netscape Navigator. This issue can only affect websites containing HTML pages that directly source Flash movies that are served from other domains and could be written by individuals not directly trusted by the operator of the Website. Examples of this kind of arrangement could include sites that aggregate third party Macromedia Flash content and Flash-based "signatures" in message board posts.

Solution
A simple solution is to create a cross-domain HTML-to-HTML boundary between the main pages of a Website and any untrusted Macromedia Flash movies that that site wishes to display. Website operators can do this by creating a "wrapper" HTML page around the Flash movies in question. The wrapper page must be separate from the main hosting page; it might be in a separate browser window, a separate browser frame, or an IFRAME. The wrapper page must be in a different domain than the main hosting page. For example, if the main page is served from macromedia.com, the wrapper page could be served from external.macromedia.com, and this would prevent any Macromedia Flash movies inside the wrapper page from accessing data associated with macromedia.com. This technique depends on Web browsers to enforce cross-domain scripting security, and it is important to be aware that different browsers vary in their implementations of cross-domain security.

What Macromedia Is Doing

Macromedia will release an updated Macromedia Flash Player in the July timeframe that will introduce an easy way to control content with the following option: Web pages that source Flash movies can pass a new parameter to the Macromedia Flash Player from the HTML code (PARAM tag for Internet Explorer, EMBED tag for Netscape Navigator).
This parameter is called "AllowScriptAccess". It can have two possible values: "always" and "never".

* When AllowScriptAccess is "never", outbound scripting (ActionScript getURL() actions that specify a scripting statement) will always fail.
* When AllowScriptAccess is "always", outbound scripting will always succeed.
* If AllowScriptAccess is not specified by an HTML page, it defaults to "always".

Macromedia is committed to the security of the Macromedia Flash Player, and invests considerable ongoing effort to ensure that the security and privacy of all Macromedia Flash Player users and all websites serving Macromedia Flash content are protected.


What Customers Should Do

Customers should follow the recommendations found in this bulletin and download the newer Flash Player when it is available.


Revisions

June 13, 2002 - Bulletin first released.


Reporting Security Issues

Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please send an email to secure@macromedia.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Macromedia customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Macromedia, please visit: http://www.macromedia.com/security.

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Macromedia reserves the right, from time to time, to update the information in this document with current information.

Posted by Lewis Francis at 12:07 AM | Permalink