Information Gift

Flash 6.0r47 security fix released

On August 8th, Macromedia released a new version of the Flash 6 player to address a recently uncovered security vulnerability, and Macromedia is following the "better safe than sorry" convention of advising all users to upgrade. Full details can be found in the Macromedia Flash URL Modification Issue document on the Macromedia web site.

A couple notes for developers:

If you rely on remote debugging, then you should hold off on upgrading your Flash plugin until debug players for this version are released. As there are no new features or bug fixes other than this security issue, not upgrading should have no effect on your work.

In fact, upgrading may introduce problems in your workflow as Flash 6.0r47 breaks the plugins ability to read values appended to the .swf url if the containing html page is viewed locally instead of from a web server. Many of today's OS come with their own "personal" web servers, which can be used as a workaround for this problem if you need to work off-line.

Interestingly, while Shockwave for Director itself apparently does not suffer this particular vulnerability, Shockwave can play back Flash content, so under certain conditions, a Shockwave movie containing Flash assets may be vulnerable. Macromedia promises to fix this in the next release of the Shockwave for Director player (no release date offered).