Participant
August 2, 2013
Answered

Is Flash crossdomain.xml attack still possible?


In my company we have some security issues related to code injection on our websites (XSS).

I would like to know whether an attack similar to http://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurityPolicyAttack is still possible.

I've got a few questions related to this issue:

1. Are cross-domain policy files (crossdomain.xml) still parsed forgivingly by Flash, or has a stricter approach been implemented since the publication of the article?

2. How can I tell whether a policy file is valid or not, especially if it is an injected XML or HTML file or a malformed image file?

3. Are HTTP headers important when Flash Player checks whether downloaded cross-domain policy files are valid?

Thank you in advance,

Mariusz Lewandowski

Participant
August 8, 2013

Where can I find any information related to these issues? I was searching the adobe.com site and I am still being redirected to this forum. Is there an option to contact support directly?

jeromiec83223024
Correct answer
Inspiring
August 8, 2013

Hi Mariusz,

The information in the article you referenced is really, really old. While the article was posted in 2011, the issues described around policy file strictness were fixed back around 2007/2008. We progressively rolled out a number of changes to address all of the concerns between Flash Player 9 and Flash Player 10.

There's a good overview of the changes here:

http://www.adobe.com/devnet/flashplayer/articles/fplayer9-10_security.html

A comprehensive guide on using crossdomain policy files securely can be found in the Flash Player 10 Security Whitepaper, here:

http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html

Finally, the Adobe Secure Software Engineering Team (ASSET) published a guide on securely deploying policy files that you might find helpful:

http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html

Please let me know if you have additional questions or concerns.

Thanks,
Jeromie Clark

Quality Engineering Manager - Flash Runtime Security

jeromiec83223024
Inspiring
August 12, 2013

Here's another good article on cross-domain policies and the issues they're intended to resolve:

http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html
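
For site owners who want to check their own endpoints against the three questions in this thread (strict parsing, validity, HTTP headers), the following Python audit is an added example, not code from the thread participants or from Adobe. It assumes the strict rules are: a Content-Type of `text/*`, `application/xml` or `application/xhtml+xml`, and a body that is one well-formed XML document rooted at `cross-domain-policy`. It approximates the player's parser with Python's, and the finding names and sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

XML_TYPES = ("application/xml", "application/xhtml+xml")  # plus any text/*
MAX_BYTES = 20_000  # constructed cap: policy files are small

def audit_policy(body, headers):
    """Return findings for one fetched policy file; [] means none found."""
    findings = []
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.split(";")[0].strip().lower()
    if not (ctype.startswith("text/") or ctype in XML_TYPES):
        findings.append("content-type-not-accepted")
    # Refuse oversized input and entity declarations before parsing.
    if len(body) > MAX_BYTES or b"<!ENTITY" in body:
        return findings + ["refused-to-parse"]
    try:
        root = ET.fromstring(body)  # strict: the whole body must be one XML document
    except ET.ParseError:
        return findings + ["not-well-formed-xml"]
    if root.tag != "cross-domain-policy":
        return findings + ["wrong-root-element"]
    for el in root.iter("allow-access-from"):
        # Valid but risky grants: any origin, or HTTP content reading HTTPS data.
        if el.get("domain", "").strip() == "*":
            findings.append("wildcard-domain")
        if el.get("secure", "true").strip().lower() == "false":
            findings.append("secure-false")
    return findings

# Constructed sample inputs (not taken from the thread).
POLICY = (b'<?xml version="1.0"?><cross-domain-policy>'
          b'<allow-access-from domain="static.example.com"/>'
          b'</cross-domain-policy>')
HTML_WRAPPED = b"<html><body>" + POLICY.split(b"?>")[1] + b"</body></html>"
IMAGE_PREFIXED = b"GIF89a;" + POLICY
OPEN_POLICY = POLICY.replace(b'"static.example.com"', b'"*" secure="false"')

if __name__ == "__main__":
    for label, body, ctype in [("clean", POLICY, "text/x-cross-domain-policy"),
                               ("html", HTML_WRAPPED, "text/html"),
                               ("image", IMAGE_PREFIXED, "image/gif"),
                               ("open", OPEN_POLICY, "application/xml")]:
        print(label, audit_policy(body, {"Content-Type": ctype}))
```

The two wrapped samples model policy text embedded in an HTML page or appended to image data; under strict handling neither is a usable policy, while the last sample is valid but grants access to every origin.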