Category Archives: Flash General

XP SP3 downgrade the Flash Player

Posted on by
5

Update: Apparently SP3 doesn’t downgrade the player. It’ll only install an older version 9.0.115 if you don’t have the latest 9.0.124 already installed, according to this blog post from Ryan Stewart. More info here.

The latest Windows XP service pack 3 comes bundled with the old 8.0.24.0 version of the Flash player. This version, beside not being able to play back some of the latest web content, has some major security flaw, along with a weaker security model and some other bugs.

If you apply this update to your windows system, make sure you install the latest Flash player from here.

Security flaws in FLA files

Posted on by
Reply

FLA is one of these file format that we’re used to freely open without any fear. Our complete confidence is going to change since a new exploit has been found. This exploit enable an attacker to manipulate an FLA file in a way that, when loaded into the Flash CS3 or 8 IDE, it will execute arbitrary code on our machine.

No need to panic, it’s unlikely that too many of the malicious FLA files are floating around. Just don’t run any untrusted FLA files until Adobe will issue the fix.

More info

Technical info

OSE instead of SEO

Posted on by
1

The promise of google to have a human like understanding of the Internet it crawls has yet to reach reality. My point is that, we should start to expect Optimized Search Engines (OSE) instead of painfully optimizing our content for them (SEO). Currently search engines can’t understand RIA (Rich Internet Application), websites written in Ajax Flash and SilverLight, and the authors of these websites need to invest a lot of resources to make it SEO. As RIA become bigger and more significant part or the Internet daily, what use is a search engine that can’t understand it? It’s the age of obscurity all over again, the age before google.

This clip (02:22) has reminded me of the old promise that google will see and understand the web the same as we humans do, a promise which wasn’t really fulfilled. I know there is a big technological challenge in that, hey google can’t do it yet, but the one that will do it the best might be the next google.

The search engine game might be open again since the late 90th.

Technologies never cry

Posted on by
1

I’ve been thinking lately, will I leave my beloved Flash and jump to the newer SilverLight?! After all that Flash did for me, made me the man I am today, got me this cool job I’m happily manage to wake up (almost) every morning to go to. Will I just leave that all behind? I know SilverLight is still underage but it might become very sexy eventually. What if it’ll become the better technology, can I just dismiss all of our past together, me and Flash, that is? I might also have an easier time pushing SilverLight then Flash, in my area. I’m defiantly gonna play with the real SilverLight (ver 2.0) when it’ll come out, that might be fun.

I believe a lot of us Flashers share the same feeling. Lately this has been recognized even by our native Adobe branch (Israel) which was ignoring us, flashers, completely till now. They have set a Flex3 / Air conference for tomorrow (25.2.2008), which is the exact same day that Microsoft is doing her local Silverlight conference. As for myself, I’m gonna jump between conferences, have the best of both worlds, eat the cakes and have it too, they’ll probably be a lot of cakes :)

Again, I would like to give Microsoft credit for it’s SilverLight showoffs, even though it’s funded with lots of MS money. The latest is the Microsoft Virtual Events. For me, it didn’t worked in FireFox, gave me some error. Tried in IE7, although it was a lengthy load again (more then 8 mega), the experience was not that good, with lots of too long delays and un-intuitive behaviors and eventually some Javascript errors. maybe it’s mainly a matter of design and not the technology to blame, but this is a Microsoft website, if they don’t know how to use their own technology, then who will.

Compare it with one of the latest Flex showoff, funded with developers passion.

What I would really don’t like to see is that MS will win this fight even though it’ll provide the inferior technology. We’ve all seen it happen in the past, but, I still believe, this time the game is different. If they can really excel Flash then they should be the winners, but, as objective as I can possibly be, I believe they’re still far from it.

I would like to see both of these technologies nurturing each other with the competition. I’m not sure that Flash/Flex would have received such frantic amount of updates in such a short time if it wasn’t for MS upcoming competition. So, so far it’s been great and it’s gonna be even more interesting.

P.S. Maybe this guy can already convince you to make the move to SilverLight :D

Thoughts about the pug dog screen cleaner

Posted on by
8

If you haven’t seen this cool pug cleaning your screen then click here. This cool Flash video embed inside a simple swf was floating all over the web for the past month or so.

The first think that came to mind was, lets turn this into a screensaver. Which introduced me to this great 100% freeware, swf to screensaver, Instantstorm. Only then I’ve realized that, it fits too perfectly as a screensaver to not already be a screensaver. indeed, after googleing I’ve found it here and a similar concept here (I wouldn’t install these, might contain ad-wares).

The most interesting thing bout this is, how something that had almost no existent became as viral as hell when it was re-distributed as a simple link to a swf file. No play button, no scrubber, and no nothing, follow the link and you get it filling the whole browser space and the experience starts immediately. Sometimes a link to a swf may be the best way of distribution.

If you’ll put in the pressure they will Flex

Posted on by
5

I have written before about my previous working place and how I’ve desperately tried to convince my superiors over there to make the move to Flash/Flex instead of our homebrew Active-x. Back then my CTO rudely dismissed the idea every time it came up.

More then two years after I’ve written this article, he (the CTO) was let go, and the company decided to make the move to Flash. I was no longer working there, but, it became a live or die situation for the company. It might seems that the CTO was the main blockage for this move but he wasn’t the only one. Almost anyone that had an opinion was against Flash. I remember my team leader determining repeatedly “It will never be Flash”. How about some hat eating, if you got any hats left ;)

It might sounds like I’m breaking even with them in this post, and it’s a somewhat true, but I still care for their success and do still keep in touch with most of them and help when I can. It’s just annoys me that people can be so short sighted sometimes.

Anyway, they are currently in an advanced phase of the development, rewriting the homebrew active-x functionalities in Actionscript 3.0. They use the Flex 2 editor although they use little to none of the Flex 2 framework.

Though it saddens me a little, that it was such a painful process for them to turn to the right path and also that I didn’t get to develop this cool Flash product by myself. I believe that I have set the foundation for this move, brightening on the capabilities of AS3 and the Flash VM2 and how it can switch the active-x. So I do feel comforted by the fact that they managed to do it, even if it’s in the 11th hour.

These days I work for jajah, which though it is a larger company, it is still much more younger and dynamic. But still, I encounter some of the same ignorance regarding Flash and non Microsoft technologies. While the use of Flash/Flex isn’t something that is life changing for jajah, yet. We can use it in a lot of places to improve our products. We recently released the Jajah Flash widget and currently working on some Flex stuff.

I still, from time to time hear the same old cliche, “How is your Macromedia/Adobe stocks are doing?”. The fact is that I’ve never had any Adobe stocks, the fact is that I’ve never argued for the use of Flash when it wasn’t simply the best or the only solution. When their will be any alternatives then we’ll see. Since then – Open your eyes, be flexible!

I will present my previous company cool new, Flash driven, product and all of the details, in here, ASAP.

Social Engineering Exploits using Flash

Posted on by
Reply

Apparently Adobe has fixed the bug I’ve found that enables a swf file to crash the browser, with the last version of the Flash Player (9,0,115,0). I don’t know if it’s related to my post, but, anyway it’s good that it’s been fixed.

Since it’s already fixed, I just want to give an example of how this could have been exploited with a little Social Engineering. This example might look stupid to you and you would have never fall for it but remember, first, it’s only an idea, the real attacker might be more creative, second, some Internet users are far from savvy and might fall for crazier stuff then this.

In this example, the naive user will reach a web site with this text: “I’ve installed a virus on your windows machine and now have full control of it and your FireFox browser. You have exactly 1:00 minute to donate 10$ to my account, click here to donate. If you fail to donate in the appropriate time I will disable your browser for a few minutes. This will be your first and last warning. Afterwards you have exactly 10 minutes to return to this page and complete your donation or your system and personal data will be compromised and damaged permanently. The only way you can remove the virus from your machine is to donate from this page”.

The details like OS and browser will be interchangeable with the real user spec. The user will see the 1:00 minute timer counting, when it’ll reach 0:00, boom! the browser crashes using the Flash bug, if the user try to close the browser or the tab, Javascript’s onbeforeunload can be used to crash the browser and also add some scary alert.

[js]window.onbeforeunload = function()
{
//flash.kill();
return “If you leave this page without donating your system will be lost!!!”;
}[/js]

Some of the users will have enough fear in them to return and donate to the attackers PayPal account. Sound crazy?! Some have been known to fall for crazier phishing tricks. I personally know a few. Take care of the dummies near you.

Resolving some issues with swfobject

Posted on by
2

There are some known issues with swfobject and ASP.NET, infact it’s not just with swfobject but also with the Flash object in general, one issue of using ExternaInterafce from an ASP.NET Form can be solved with these technics

I had a strange issue with swfobject lately and obviously I’ve blamed ASP.NET for inserting unwanted code into my pages and causing problems. Generally it’s reasonable to blame it as it does make a mess sometimes, but, this time it was my fault for not noticing other Javascript code is conflicting with swfobject.

The issue I had, was with the swfobject’s addVariable and addParam functions. The Flash SWF HTML seemed to be written to the page’s flashContent div but all of the variables and parameters I’ve added were ignored. After examining the swfobject getSWFHTML function, this function gives you the HTML code that is gonna embed the Flash inside the page, when I saw how strange the HTML is, I realized what happened:
Without naming names ;) some Javascript developers, extensions and frameworks like to write to the prototype of generic Javascript objects (This is also how Object Oriented Actionscript 1 was done in the past). And with doing so, extending these built-in objects (object, array, string, etc’) with various functionalities. A good example is the javascript JSON implementation which extends the Javascript object with object.toJSONString(). Swfobject stores the variables and parameters inside a regular Javascript object and when it prepares the Flash HTML it uses a for..in loop to go through all the elements and add them to the markup
<param value=”flashMovie.swf” name=”movie” />
<param value=”transparent” name=”wmode” /> etc’

in case you’re using the json.js, your HTML will have also
<param name=”toJSONString” value=”function (w) {….and whole lotta mess” />.

This might cause the embedding of the Flash movie to fail or function improperly.

The solution for this is to add a check to all of the for..in loops inside swfobject with the hasOwnProperty, for example:

[JS]for(key in variables){
if( variables.hasOwnProperty( key ) )
{
variablePairs[variablePairs.length] = key +”=”+ variables[key];
}
}[/JS]

The hasOwnProperty function returns true only if the property is not built-in and not in the prototype chain. Therefor the toJSONString in our example will return false and wont be considered as a flash variable or parameter.

When encountering issues with the swfobject a good place to check is the swfobject.getSWFHTML() function.
[JS]var o=new SWFObject(“flashFile.swf”,”falshMovie”,200,300,”9″,”#FFFFFF”);
o.addVariable(“firstName”,”Jon”);
o.addVariable(“lastName”,”Smith”);
o.addParam(“wmode”,”transparent”);

//exmine the html before it’s being writen to the div
alert(o.getSWFHTML());

o.write(“flashContent”); [/JS]

More related info about hasOwnProperty.