This information was sent to IT staff groups via email on May 13, 2015, with an update on May 27, 2015.

This message is intended for U-M IT staff who are responsible for maintaining and running university machines that have Adobe Flash Player and/or Adobe AIR products installed.

May 27 Update: Adobe Flash Player vulnerability CVE-2015-3090 is now being actively exploited. Unpatched machines can be compromised in order to deliver malware. Update affected machines as soon as possible. MiWorkspace-managed machines have been patched and are no longer at risk.

Summary

On May 12, Adobe released another set of security updates for Adobe Flash Player and AIR products for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions.

Affected Versions

  • Adobe Flash Player 17.0.0.169 and earlier versions
  • Adobe Flash Player 13.0.0.281 and earlier 13.x versions
  • Adobe Flash Player 11.2.202.457 and earlier 11.x versions
  • AIR Desktop Runtime 17.0.0.144 and earlier versions
  • AIR SDK and SDK & Compiler 17.0.0.144 and earlier versions

Action Items

Update Adobe Flash Player to the latest version by visiting Adobe Flash Player Download Center. Update Adobe AIR products by visiting Adobe AIR Download Center.

  • Windows and Mac: Update to Adobe Flash Player 17.0.0.188.
  • Linux: Update to Adobe Flash Player 11.2.202.460.
  • Google Chrome: Will automatically update to version 17.0.0.188.
  • Internet Explorer on Windows 8.x: Will automatically update to version 17.0.0.188.
  • Extended Support Release: Update to version 13.0.0.289 by visiting Archived Flash Player Versions.
  • Adobe AIR desktop runtime: Update to version 17.0.0.172.
  • Adobe AIR SDK and AIR SDK & Compiler: Update to version 17.0.0.172.

Information for Users

MiWorkspace machines will be updated today, May 13. If you have Adobe Flash Player installed on your own devices that are not managed by the university, please update by visiting the Adobe Flash Player Download Center.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email; Instructions for Securing Your Devices and Data; and Use a Secure Internet Connection.

Questions, Concerns, Reports

Please contact iia.inform@umich.edu.

Sincerely,
ITS Information and Infrastructure Assurance

References

  • Adobe Security Bulletin (Adobe, 5/12/15)
  • Adobe, Microsoft Push Critical Security Fixes (Krebs on Security, 5/12/15)
  • Angler EK Exploiting Adobe Flash CVE-2015-3090 (FireEye, 5/26/15)

Flash Player 9 and later, Adobe AIR 1.0 and later

Client computers can obtain individual files containing code, content, and data from a number of sources, such as external websites, a local file system, or an installed AIR application. When these files are loaded, the Flash Player and AIR runtimes individually assign code files and other resources, such as shared objects, bitmaps, sounds, videos, and data files, to security sandboxes based on their origin. The following sections describe the rules, enforced by the runtimes, that govern what code or content executing within a given sandbox can access.

For more information on Flash Player security, see the Flash Player Developer Center topic “Security” at www.adobe.com/go/devnet_security_en.

Remote sandboxes

The Flash Player and AIR runtimes classify assets (including SWF files) from the Internet in separate sandboxes that correspond to their domain of origin. For example, assets loaded from example.com will be placed into a different security sandbox than assets loaded from foo.org. By default, these files are authorized to access any resources from their own server. Remote SWF files can be allowed to access additional data from other domains by explicit website and author permissions, such as URL policy files and the Security.allowDomain() method. For details, see Website controls (policy files) and Author (developer) controls.

Remote SWF files cannot load any local files or resources.

Local sandboxes

A local file is any file that is referenced by using the file: protocol or a Universal Naming Convention (UNC) path. Local SWF files are placed into one of four local sandboxes:

  • The local-with-filesystem sandbox—For security purposes, the Flash Player and AIR runtimes place all local files in the local-with-filesystem sandbox by default. From this sandbox, executable code can read local files (by using the URLLoader class, for example), but cannot communicate with the network in any way. This assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared.

  • The local-with-networking sandbox—When compiling a SWF file, you can specify that it has network access when run as a local file (see Setting the sandbox type of local SWF files). These files are placed in the local-with-networking sandbox. SWF files that are assigned to the local-with-networking sandbox forfeit their local file access. In return, the SWF files are allowed to access data from the network. However, a local-with-networking SWF file is still not allowed to read any network-derived data unless permissions are present for that action, through a URL policy file or a call to the Security.allowDomain() method. In order to grant such permission, a URL policy file must grant permission to all domains by using <allow-access-from domain='*'/> or by using Security.allowDomain('*'). For more information, see Website controls (policy files) and Author (developer) controls.

  • The local-trusted sandbox—Local SWF files that are registered as trusted (by users or by installer programs) are placed in the local-trusted sandbox. System administrators and users also have the ability to reassign (move) a local SWF file to or from the local-trusted sandbox based on security considerations (see Administrator controls and User controls). SWF files that are assigned to the local-trusted sandbox can interact with any other SWF files and can load data from anywhere (remote or local).

  • The AIR application sandbox—This sandbox contains content that was installed with the running AIR application. By default, code executing in the AIR application sandbox can cross-script code from any domain. However, files outside the AIR application sandbox are not permitted to cross-script code in the application sandbox. By default, code and content in the AIR application sandbox can load content and data from any domain.

Communication between the local-with-networking and local-with-filesystem sandboxes, as well as communication between the local-with-filesystem and remote sandboxes, is strictly forbidden. Permission to allow such communication cannot be granted by an application running in Flash Player or by a user or administrator.

Scripting in either direction between local HTML files and local SWF files—for example, using the ExternalInterface class—requires that both the HTML file and SWF file involved be in the local-trusted sandbox. This is because the local security models for browsers differ from the Flash Player local security model.

SWF files in the local-with-networking sandbox cannot load SWF files in the local-with-filesystem sandbox. SWF files in the local-with-filesystem sandbox cannot load SWF files in the local-with-networking sandbox.
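The local and remote sandbox rules above, as an added Python model that is not part of Adobe's documentation: a decision function that reads a URL policy file (crossdomain.xml) and applies the per-sandbox data-access rules, plus the two cross-sandbox communication pairs the runtime forbids outright. The sandbox strings, hosts and policy files are constructed for the example; Security.allowDomain() is not modeled.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Sandbox names follow the Security.sandboxType constants; the string values are ours.
REMOTE, LOCAL_WITH_FILE, LOCAL_WITH_NETWORK = "remote", "localWithFile", "localWithNetwork"
LOCAL_TRUSTED, APPLICATION = "localTrusted", "application"

# Constructed URL policy files (crossdomain.xml) for hypothetical data hosts.
NARROW_POLICY = '<cross-domain-policy><allow-access-from domain="www.example.com"/></cross-domain-policy>'
WILDCARD_POLICY = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
EMPTY_POLICY = "<cross-domain-policy/>"  # a host that serves no policy file grants nothing

def origin(url):
    """Classify a URL as ('local', None) for file:/UNC paths, else ('net', host)."""
    if url.startswith("\\\\") or urlparse(url).scheme == "file":
        return ("local", None)
    return ("net", urlparse(url).hostname)

def policy_allows(policy_xml, requesting_domain):
    """True if the policy grants requesting_domain; None means 'all domains', which only '*' grants."""
    for el in ET.fromstring(policy_xml).findall("allow-access-from"):
        d = el.get("domain", "")
        if d == "*" or (requesting_domain is not None and d == requesting_domain):
            return True
    return False

def can_load_data(sandbox, swf_url, data_url, policies=None):
    """May a SWF in `sandbox`, itself loaded from swf_url, read data_url? policies: host -> policy XML."""
    policies = policies or {}
    kind, host = origin(data_url)
    if sandbox in (LOCAL_TRUSTED, APPLICATION):      # trusted or AIR application: anywhere
        return True
    if sandbox == LOCAL_WITH_FILE:                   # local files only, never the network
        return kind == "local"
    if sandbox == LOCAL_WITH_NETWORK:                # no local access; network data needs a '*' policy
        return kind == "net" and policy_allows(policies.get(host, EMPTY_POLICY), None)
    if kind != "net":                                # REMOTE (remaining case): never loads local files
        return False
    own = origin(swf_url)[1]                         # own server by default, other hosts via policy
    return host == own or policy_allows(policies.get(host, EMPTY_POLICY), own)

# Sandbox pairs whose mutual communication the runtime forbids outright (no permission overrides it).
FORBIDDEN_PAIRS = {frozenset({LOCAL_WITH_NETWORK, LOCAL_WITH_FILE}), frozenset({LOCAL_WITH_FILE, REMOTE})}

def strictly_forbidden(sandbox_a, sandbox_b):
    return frozenset({sandbox_a, sandbox_b}) in FORBIDDEN_PAIRS
```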

The AIR application sandbox

The Adobe AIR runtime adds an additional sandbox, called the application sandbox, to the Flash Player security sandbox model. Files installed as part of an AIR application load into the application sandbox. Any other files loaded by the application have security restrictions corresponding to those specified by the regular Flash Player security model.

When an application is installed, all files included within an AIR package are installed onto the user's computer into an application directory. Developers can reference this directory in code through the app:/ URL scheme (see URI schemes). All files within the application directory tree are assigned to the application sandbox when the application is run. Content in the application sandbox is blessed with the full privileges available to an AIR application, including interaction with the local file system.

Many AIR applications use only these locally installed files to run the application. However, AIR applications are not restricted to just the files within the application directory — they can load any type of file from any source. This includes files local to the user's computer as well as files from available external sources, such as those on a local network or on the Internet. File type has no impact on security restrictions; loaded HTML files have the same security privileges as loaded SWF files from the same source.

Content in the application security sandbox has access to AIR APIs that content in other sandboxes is prevented from using. For example, the air.NativeApplication.nativeApplication.applicationDescriptor property, which returns the contents of the application descriptor file for the application, is restricted to content in the application security sandbox. Another example of a restricted API is the FileStream class, which contains methods for reading and writing to the local file system.

ActionScript APIs that are only available to content in the application security sandbox are indicated with the AIR logo in the ActionScript 3.0 Reference for Adobe Flash Platform. Using these APIs in other sandboxes causes the runtime to throw a SecurityError exception.

For HTML content (in an HTMLLoader object), all AIR JavaScript APIs (those that are available via the window.runtime property, or via the air object when using the AIRAliases.js file) are available to content in the application security sandbox. HTML content in another sandbox does not have access to the window.runtime property, so this content cannot access the AIR or Flash Player APIs.

Content executing within the AIR application sandbox has the following additional restrictions:

  • For HTML content in the application security sandbox, there are limitations on using APIs that can dynamically transform strings into executable code after the code is loaded. This is to prevent the application from inadvertently injecting (and executing) code from non-application sources (such as potentially insecure network domains). An example is the use of the eval() function. For details, see Code restrictions for content in different sandboxes.

  • To prevent possible phishing attacks, img tags in HTML content in ActionScript TextField objects are ignored in SWF content in the application security sandbox.

  • Content in the application sandbox cannot use the asfunction protocol in HTML content in ActionScript 2.0 text fields.

  • SWF content in the application sandbox cannot use the cross-domain cache, a feature that was added to Flash Player 9 Update 3. This feature lets Flash Player persistently cache Adobe platform component content and reuse it in loaded SWF content on demand (eliminating the need to reload the content multiple times).

Restrictions for JavaScript inside AIR

Unlike content in the application security sandbox, JavaScript content in a non-application security sandbox can call the eval() function to execute dynamically generated code at any time. However, there are restrictions on JavaScript running in a non-application security sandbox within AIR. These include:

  • JavaScript code in a non-application sandbox does not have access to the window.runtime object, and as such this code cannot execute AIR APIs.

  • By default, content in a non-application security sandbox cannot use XMLHttpRequest calls to load data from domains other than the domain making the request. However, application code can grant non-application content permission to do so by setting an allowCrossdomainXHR attribute on the containing frame or iframe. For more information, see Code restrictions for content in different sandboxes.

  • There are restrictions on calling the JavaScript window.open() method. For details, see Restrictions on calling the JavaScript window.open() method.

  • HTML content in remote (network) security sandboxes can only load CSS, frame, iframe, and img content from remote domains (from network URLs).

  • HTML content in local-with-filesystem, local-with-networking, or local-trusted sandboxes can only load CSS, frame, iframe, and img content from local sandboxes (not from application or network URLs).

For details, see Code restrictions for content in different sandboxes .

Setting the sandbox type of local SWF files

An end user or the administrator of a computer can specify that a local SWF file is trusted, allowing it to load data from all domains, both local and network. This is specified in the Global Flash Player Trust and User Flash Player Trust directories. For more information, see Administrator controls and User controls .

For more information on local sandboxes, see Local sandboxes .

Adobe Flash Professional

You can configure a SWF file for the local-with-filesystem sandbox or the local-with-networking sandbox by setting the document’s publish settings in the authoring tool.

Adobe Flex

You can configure a SWF file for the local-with-filesystem sandbox or the local-with-networking sandbox by setting the use-network flag in the Adobe Flex compiler. For more information, see “About the application compiler options” in Building and Deploying Adobe Flex 3 Applications .

The Security.sandboxType property

An author of a SWF file can use the read-only static Security.sandboxType property to determine the type of sandbox to which the Flash Player or AIR runtime has assigned the SWF file. The Security class includes constants that represent possible values of the Security.sandboxType property, as follows:

  • Security.REMOTE—The SWF file is from an Internet URL, and operates under domain-based sandbox rules.

  • Security.LOCAL_WITH_FILE—The SWF file is a local file, but it has not been trusted by the user and was not published with a networking designation. The SWF file can read from local data sources but cannot communicate with the Internet.

  • Security.LOCAL_WITH_NETWORK—The SWF file is a local file and has not been trusted by the user, but it was published with a networking designation. The SWF file can communicate with the Internet but cannot read from local data sources.

  • Security.LOCAL_TRUSTED—The SWF file is a local file and has been trusted by the user, using either the Settings Manager or a Flash Player trust configuration file. The SWF file can both read from local data sources and communicate with the Internet.

  • Security.APPLICATION—The SWF file is running in an AIR application, and it was installed with the package (AIR file) for that application. By default, files in the AIR application sandbox can cross-script any file from any domain. However, files outside the AIR application sandbox are not permitted to cross-script the AIR file. By default, files in the AIR application sandbox can load content and data from any domain.