Skip to main content
neillm74133967
neillm74133967
Participant
June 19, 2015
Question

Flash player 17.0.0.188 folder redirection issues with appdata in a unc path on the server

  • June 19, 2015
  • 1 reply
  • 1397 views

Windows 7 and IE8

Since we updated from 17.0.0.169 to 188 we have been encountering issues with flash renderings on desktops with folder redirection and roaming profiles enabled.

No issues on laptops which have local profiles.

Also encounter the same issue with version 18.0.0.160

Could there be new limits to the length of the path to folders in appdata?

Thanks

    This topic has been closed for replies.

    1 reply

    jeromiec83223024
    jeromiec83223024
    Inspiring
    June 22, 2015

    Flash Player can't write or read from the local shared objects in the user's redirected home directory because we disallow traversing junctions (soft links for the non-Microsoft folks) in the broker process.  This behavior was disabled to address a vulnerability identified in some of John Forshaw's research into the IE broker earlier in the year.

    If you don't want to change your infrastructure, you can enable this behavior by adding the following setting to mms.cfg:

    EnableInsecureJunctionBehavior=1

    That said, you can probably gather from the name of the flag that we don't really recommend this approach, and disable this attack surface by default.  There's some risk that a network attacker could craft content that abuses fundamental issues with how Windows handles Junction Points to write to arbitrary locations.

     

    More on Junction Points can be found here:

    https://support.microsoft.com/en-us/kb/205524

    https://msdn.microsoft.com/en-us/library/windows/desktop/bb968829(v=vs.85).aspx

    If you're going to live with this attack surface, it's probably worth your time to watch James Forshaw's talk on IE sandbox escapes, which prompted these changes:

    https://www.youtube.com/watch?v=q9dnYno_Moc

    A
    Anonymous
    June 23, 2015

    Jeromie, wondering what other alternatives there might be.  We don't want (can't really) change the AppData redirection as this is a huge change in our architecture and we also don't want to take any less secure approach (EnableInsecureJunctionBehavior=1).  What other options are there?  Are there any ways to make Flash take this 'cache' to Local AppData (C:\Users\<username>\AppData\Local)? If so, we could use our profile utility to harvest this data for delivering to the user at login.

    Thanks!

    --Darin

    jeromiec83223024
    jeromiec83223024
    Inspiring
    June 23, 2015

    There's currently not a mechanism for specifying an alternate location for Flash's AppData.  In the short term, you're probably stuck with reverting to the old behavior and monitoring your central storage for anomalous activity.

    I'm not sure off the top of my head whether or not it's technically feasible to provide an alternate location because of how write restrictions in the various browser brokers work (if we need broker changes it's still possible, but would take a lot longer because of the dependencies), but it's a totally reasonable request.

    I know that this has come up in conversation internally, but I'm not sure what the current disposition is.  I don't believe that we have any feature work scheduled to support it at this time, but I'll look into it and get it in the queue for consideration.  That said, we're well into development for the Q3 release already, so the absolute best-case scenario is probably Q4 at this point.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices