Skip to main content
J
jb_burke
Participant
September 22, 2016
Question

Disabling local-with-filesystem access in Flash Player 23

  • September 22, 2016
  • 2 replies
  • 1389 views

With the recent changes in Flash 23 to disable, but still allow for an opt out at the user level, or enable legacy at the system level via mms.cfg EnableInsecureLocalWithFileSystem=1 setting, I am curious how enforcing the default behavior and preventing users from trusting files could be done.

I tested EnableInsecureLocalWithFileSystem=0, hoping that it would prevent users from making changes and trusting content, but that did not appear to work.

I thought about creating a master settings.sol file and using it to overwrite the users settings.sol file, but that just feels like a bad idea to override that file since I don't want to step on all of the user's settings/freedoms, just the one security related setting.

So, how can the new default behavior be enforced at the system level? Additionally, is there a timeframe for when legacy mode will be removed permanently without work around?

    This topic has been closed for replies.

    2 replies

    jeromiec83223024
    jeromiec83223024
    Inspiring
    December 1, 2016

    Hey Jeff,

    On further review, it looks like we already have a flag for this.

    From the System Administrator's Guide (pp26):

    http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_23_0_admin_guide.pdf

    AllowUserLocalTrust

    This setting lets you prevent users from designating any files on local file systems as trusted (that is, placing them into the local-trusted sandbox). This setting applies to SWF files published for any version of Flash.

    AllowUserLocalTrust = [ 0, 1 ] (0=false, 1=true)

    If this value is set to 1 (the default), Flash Player allows the user to specify whether local files can be placed into the local-trusted sandbox, through the use of the Settings Manager Global Security Settings panel and user trust files. If this value is set to 0, the user cannot place files into the local-trusted sandbox. That is, the Settings Manager Global Security Settings panel and user trust files are ignored.

    If that's not adequate for your needs, please let me know so that we can further consider this.

    Thanks!

    jeromiec83223024
    jeromiec83223024
    Inspiring
    September 22, 2016

    That's an interesting suggestion.  I'd be happy to nominate it as a feature for a future release.  It does make a lot of sense, and aligns with other administrative capabilities like disabling camera/mic access across an organization.

    We know for a fact that there are a lot of educational materials still in the world that rely on local filesytem or CD-ROM playback (I know... educational and industrial training videos are long-lived), and we've heard from a lot of folks this week that have been impacted.  The goal with simply flipping the default, was to significantly reduce the attack surface.  Herd immunity, etc.

    For what it's worth, at this point, the user would have to actively download a malicious, crafted SWF, then add it to the local trusted sandbox, and then run it from the local filesystem in order to encounter an attack, at which point, we pop a permission dialog for each request that is made by the SWF to a remote server.  While nonzero, the remaining attack surface is very constrained, and strikes a reasonable balance between functionality and security.

    Microsoft Edge has completely done away with loading files from the local filesystem.  If you attempt to do it, they'll just launch IE for compatibility purposes.  I'm curious to see whether that particular feature is a novelty, or if it's ultimately a change that will be mirrored across the modern browser space.

    Firefly Community Gallery
    Adobe Firefly

    Remix with Firefly Community Gallery

    Thousands of free creations to fall in love with and remix in Firefly.

    Explore now
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices