Sunday, December 23, 2007

extra, extra, Flash Player critical update!

Man, with these Holidays I completely forgot to post this one...
On Dec 18 Adobe released a Security bulletin entitled "Flash Player update available to address security vulnerabilities" which affects pretty much all the major player versions running in the wild. There's an update and a Flash Player 7 "patch" for those who can't update. In big, slow-moving enterprise intranets patches are received far better than updates :P
So what's up with that little pluginish thing you already have installed and you use to watch YouTube and fancy online experiences?
Well it seems that he's not feeling too peachy in this otherwise joyful and merry time of the year. Multiple input validation errors, DNS rebinding attack aid, privilege escalation attacks against web servers hosting, potential cross-site scripting issues, potential Universal Cross-Site Scripting attacks, HTTP Request Splitting attacks, potential port-scanning issue, Linux memory permissions issue that could lead to privilege escalation. And some Opera on Mac related bug note that made me navigate in a circle in my quest for more details.
Nice list...
The only fair thing to say here is that all these problems are tightly related to the fact that the player runs in the browser, talks and listens to the browser, and also because it has to be so darn great at playing rich content from more than one web location.

Also "Adobe is retiring support of Adobe Flash Player 7". Guess I should add a "Your Flash Player version is no longer officially supported" line to my flash detection routine. Or better a quiz like
"Did you know that your Flash Player version is no longer officially supported?"
to make it more fun. With the choices:
  1. "Yes"
  2. "No"
  3. "No, but I didn't know that I have Flash Player installed either. So what is Flash anyway?"
And check out the Acknowledgments!
They forgot Santa though. The big thanks should go to him for lending a shoulder in the general PR effort to soften the impact of these otherwise not so good news...
So what can you do?
Update obviously!
And as a developer you should also read this article. I haven't got to page 13 so you're on your own. But I would skip it. They should jump straight from 12 to 14 when it comes to articles on such sensitive subjects as security :D

Merry Christmas to you all!
Peace to the World!

Monday, December 17, 2007

h4X3 vid30 1.0 r313453d!

If you're doing ActionScript2 for more than a couple of years, chances are that you are also using the mtasc compiler. A great piece of software coming from a guy who will rearrange the bytes in a swf file any way he likes. Well, any way that makes sense and will squeeze some more performance out of the Flash Player, to be more precise.
A guru when it comes to hacking the swf format and the player, Nicolas Cannasse went on to write haXe, his own "web oriented universal language". The adoption may be lower than it truly deserves but they are doing pretty well considering the competition. What amazes me about this language is the stuff they are building on it.
The latest one is haXe Video. I haven't played with it yet but man, it looks like a masterpiece of hacking genius!
Just have a look at the source code. And if you have the trained eye then go compare it with the Red5 one :D
Well ok, ok!
Red5 is Java and is feature-packed. But man, it is a kind of magic :), isn't it?