IE 11 ignores AllowListUrlPattern in mms.cfg

New Here, Sep 11, 2020

I'm setting 

EOLUninstallDisable=1
SilentAutoUpdateEnable=0
EnableAllowList=1
AutoUpdateDisable=0
AllowListUrlPattern=http://localhost/flash/
ErrorReportingEnable=1
EnableInsecureLocalWithFileSystem=1

 

In:

  • %localappdata%\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\System\mms.cfg
  • %localappdata%\Microsoft\Edge\User Data\Default\Pepper Data\Shockwave Flash\System\mms.cfg
  • %windir%System32\Macromed\Flash\mms.cfg
  • %windir%\SysWOW64\Macromed\Flash\mms.cfg

 

After I change the date to 2021, I'm able to run Flash from localhost in Chrome, Edge Chromium and Firefox. But I'm not able to run it in IE11 or any app that makes use of Flash.ocx.

 

Other info:

  • Firefox and Chromium browsers use 32.0.0.433
  • IE11 uses 32.0.0.387, which is the Windows embedded version of Flash.
  • Running Windows 10 Pro Version 10.0.18362 N/A Build 18362, experiencing the same behavior on Windows 10 Pro 10.0.19041 N/A Build 1904
  • Encoding is set to UTF-8
  • I've tried restarting the machine.

 

SO URL: https://stackoverflow.com/questions/63799628/internet-explorer-ignores-flash-mms-cfg-settings

 

Anyone got any idea what I should be doing to have it running in IE11 on Win 10 Pro with the date set after 2021?

Correct answer: Adobe Employee, Oct 02, 2020

Community Beginner, Sep 29, 2020

I'm trying to set up the mms.cfg file, but Internet Explorer 11 and Flash Player 32.0.0.387 seem to be ignoring the config as well. Has anyone found a resolution?

Adobe Employee, Sep 29, 2020

Please see the Enterprise Enablement section on page 28:

https://www.adobe.com/content/dam/acom/en/devnet/flashplayer/articles/flash_player_admin_guide/pdf/l...

 

In particular, check out the stuff about troubleshooting with TraceOutputEcho.  ErrorReportingEnable is a setting exclusive to the Flash Player debugger, which does not exist on the generally available player.  The file mm.cfg is the debugger config file, whereas mms.cfg is the config file for the generally available player. Microsoft declined to make a debugger version available via their channel, and since we can't actually install a Flash Player in the required location on Windows 8 and higher, there isn't one available.  We added the ability to output errors to the JavaScript console to facilitate testing on ActiveX on Win8 and higher.

 

Just to confirm, you're running a local webserver, which serves up content over HTTP on the host "localhost"?  I'm wondering if it's actually something to do with that.  I'll have to go test it on my Windows machine tomorrow, but a lot of the URL resolution stuff is platform/browser specific.  I could see that behaving differently on just ActiveX.  You might try accessing content via a local IP instead. (e.g. http://127.0.0.1/flash/)

Community Beginner, Sep 30, 2020

Jeromiec83223024, 

My mms.cfg is below. I can see from procmon that the Flash exe reads the file. But then it just allows any website with Flash to work rather than restricting to only the allowed list.

Also, in Internet Explorer developer tools I can't see any trace output?

 

EOLUninstallDisable=1
SilentAutoUpdateEnable=0
EnableAllowList=1
AllowListPreview=1
TraceOutputEcho=1
AutoUpdateDisable=1
AllowListUrlPattern=https://vmwareserver

 

 

New Here, Oct 02, 2020

We are having this exact same issue.
I have up-voted (liked) and followed this thread.
We are very interested in the solution to this issue.

Adobe Employee, Dec 23, 2020

If you look at the Enterprise Enablement guide (p. 28), it gives you a step-by-step guide on how to troubleshoot your configuration using the AllowListPreview feature.

 

https://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html

 

In this instance, you're relying on some magic.  You're specifying a hostname, and your browser is resolving it by looking at the DNS Search Path in your network configuration.  I'm not sure off the top of my head what gets passed to Flash.  I bet that the browser resolves the Fully Qualified Domain Name and passes it to Flash, so that there's a mismatch between the URL as we see it, and what you're typing in the browser's address bar.  Following the troubleshooting instructions should make this plain, and tell you what AllowListUrlPattern you need to specify. 

 

Alternatively, you could simply use the FQDN to access the URL and apply a corresponding AllowListUrlPattern.

Adobe Employee, Oct 02, 2020

Sorry, I realized what was happening yesterday.  The version of IE that you're on is older than the documentation. 

 

When we initially released this feature, we used the directive names EnableWhitelist, WhitelistPreview, WhitelistUrlPattern.  Shortly after, in relation to a company-wide engineering decision, we updated those directive names to use the more inclusive language that you see in our admin guide (EnableAllowList, AllowListPreview, AllowListUrlPattern).  I thought about documenting those directives as deprecated, but given the intent and our proximity to Flash EOL, I felt like enshrining the old directives in the documentation for perpetuity (because this final version of the guide will live on for a loooong time in enterprise admin communities), it undermined the goal of moving towards better engineering practices around inclusivity.  My hope was that because of the narrow audience for this particular feature, and the short timeline that it would have been in-market, it wouldn't be a big deal (and the new implementation supports both the new and old directive names). 

 

On Windows 8 and higher, Microsoft distributes Flash Player via Windows Update, and their policy is to only ship security-bearing releases at this point.  Flash Player is a less useful attack vector because it's click-to-play in most browsers now, so there's a lot less action happening on that front.  The stars all lined up in a way that kept that disparity in the market for way longer than I had planned (and pushing out updates to our internal documentation is super hard and time-consuming for really boring reasons).  Microsoft will be pushing out an update next month, which will bring that platform into parity with the others.

 

In the meantime, you can either use the older less-inclusive language, or just wait a couple weeks and your mms.cfg should work as-is. 

 

Sorry for the confusion!

New Here, Nov 19, 2020

Hi,

I'm able to whitelist a pair of Flash Player and Firefox.
However, I'm unable to whitelist another webpage which has port numbers.
Can anyone advise how I can make Flash Player read a wildcard for the port number in the whitelist URL pattern?
My landing page has port number 7000 while content resides on other ports.
Is it possible to use a wildcard for port numbers or to allow all ports in this domain/subdomain automatically?

AllowlistUrlPattern=https://www.example.com/ -- didn't work
AllowlistUrlPattern=https://www.example.com:*/ -- didn't work

Instead of coding as below, can anyone suggest a wildcard for ports?
AllowlistUrlPattern=https://www.example.com:7000/
AllowlistUrlPattern=https://www.example.com:7600/

Thanks,
Aditya

New Here, Dec 22, 2020

Did you find a solution?

Community Beginner, Dec 22, 2020

We are using Chrome for all our Flash sites.

New Here, Jan 02, 2021

Yes, by using the AllowListRootMovieOnly parameter, we were able to whitelist the different ports on the same web domain.

This parameter applies the allowlist restrictions to the parent URL only. Since we're confident that the subsequent requests made from the parent URL are secure and go to the desired application only, this workaround allowed us to whitelist a sub-domain and range of ports being accessed from this SWF.

Adobe Employee, Dec 23, 2020

You can't wildcard non-standard HTTP(S) ports.  This is by design.  You'll need to add an entry allowing each host and port combination.

Adobe Employee, Jan 12, 2021

You cannot use a wildcard for ports. 

 

Since Flash Player has the ability to make requests to arbitrary sockets, it's possible to build a port scanner in ActionScript, which would run from client machines, behind your firewall.  Requiring you to define individual entries for ports is annoying depending on the number of ports you're using, but for organizations running an unmaintained Flash Player after EOL, we believe it's important to help minimize the potential attack surface by default.  It's too tempting to slap in a wildcard without thinking about (or simply knowing about) all of the potential consequences (like unnecessarily exposing ports to admin UIs, etc). 

 

Your workaround using AllowListRootMovieOnly will work fine, as long as you're confident that your application will only load trusted, controlled content.  It's off by default, because there is the potential that a parent SWF could load an untrusted child SWF supplied by an attacker in some scenarios.  Imagine a Flash-based tech support portal that allows customer uploads.  As long as you're confident that your application will not encounter or load untrusted content, this is a convenient way to simplify the required configuration. 

 

For scenarios where you're not confident that this is guaranteed, we'd strongly recommend leaving this flag off, and using AllowListPreview to discover the full list of URIs that need to be allowed, and allowing them surgically.

 

We also strongly recommend that enterprises that need to continue to use Flash Player license a current, maintained copy of Flash Player from HARMAN.  Those versions continue to get the maintenance fixes and security updates that will minimize your risk moving forward.
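
An added example (not from any poster in this thread and not Adobe's code) that gathers the pitfalls discussed in this thread into a small mms.cfg linter an administrator can run before deploying the file. The finding codes, the `player_predates_rename` flag, case-insensitive directive matching, skipping of `#` lines and treating `AllowListRootMovieOnly=1` as "enabled" are assumptions; the sample config is constructed from settings quoted in the thread.

```python
from urllib.parse import urlsplit

# (old name, current name) pairs quoted in the thread's accepted answer.
PAIRS = [("EnableWhitelist", "EnableAllowList"),
         ("WhitelistPreview", "AllowListPreview"),
         ("WhitelistUrlPattern", "AllowListUrlPattern")]
OLD_FOR = {new.lower(): old for old, new in PAIRS}
NEW_FOR = {old.lower(): new for old, new in PAIRS}

# Constructed sample assembled from settings quoted in the thread.
SAMPLE = """\
EnableAllowList=1
AllowListPreview=1
ErrorReportingEnable=1
AllowListRootMovieOnly=1
AllowListUrlPattern=https://vmwareserver
AllowListUrlPattern=https://www.example.com:*/
AllowListUrlPattern=https://www.example.com:7000/
AllowListUrlPattern=https://abc.com/*
"""


def parse(text):
    """Yield (line_no, key, value). Skipping '#' lines is an assumption."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            yield no, key.strip(), value.strip()


def check_pattern(no, pattern):
    """Findings for one allow-list URL pattern."""
    parts = urlsplit(pattern)
    host, _, port = parts.netloc.partition(":")
    out = []
    if "*" in port:
        out.append((no, "PORT_WILDCARD", "list each host:port explicitly"))
    if "*" in parts.path:
        out.append((no, "PATH_WILDCARD", "reported in the thread not to match"))
    if host and "." not in host and host != "localhost":
        out.append((no, "SHORT_HOSTNAME", "player may see the FQDN instead"))
    return out


def audit(text, player_predates_rename=False):
    """Return [(line_no, code, message)] for mms.cfg text."""
    findings = []
    for no, key, value in parse(text):
        k = key.lower()  # assumption: names are matched case-insensitively
        canon = NEW_FOR.get(k, key).lower()
        if k in OLD_FOR and player_predates_rename:
            findings.append((no, "NAME_NOT_READ", f"use {OLD_FOR[k]} on this build"))
        if k == "errorreportingenable":
            findings.append((no, "DEBUGGER_ONLY", "mm.cfg setting, no effect here"))
        if canon == "allowlistpreview" and value == "1":
            findings.append((no, "PREVIEW_ON", "troubleshooting aid left enabled"))
        if k == "allowlistrootmovieonly" and value == "1":
            findings.append((no, "ROOT_MOVIE_ONLY", "child SWFs are not checked"))
        if canon == "allowlisturlpattern":
            findings.extend(check_pattern(no, value))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

Pass `player_predates_rename=True` when auditing a file destined for a player build that was released before the directive rename, such as the IE11 build discussed at the top of the thread.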

New Here, Jan 19, 2021

I've been trying for two days to solve my "Flash EOL" issue.

I have an HP Photosmart B109 printer that relies on a software called HP Solution Center which in turn requires Flash.

The software makes use - to my knowledge - of the ActiveX Flash Player embedded in Internet Explorer 11 (running on Windows 10 x64) to serve its Flash contents.

After January 12 the application stopped working as expected, now it only displays a Flash logo in place of its contents.

If I roll back the system date to January 11 the application still works, which means that the ActiveX Flash Player is still operational and the kill switch purely relies on the system date.

So I've tried to use the mms.cfg file to work around the issue since HP has no intentions to update the software and has made that clear on their website.

I've tried everything I could think of, but I still can't make the application work.

I've made sure, using Process Monitor, that the application executable does access the mms.cfg file (in %windir%\SysWOW64\Macromed\Flash\mms.cfg) when launched, and I'm also sure that it is actually trying to honor it (proof of this is that if I leave the file in place and roll back the date to January 11 the application does not work, which implies that all the directives in the file are working *except* the whitelist). My take after all these attempts is that the AllowListUrlPattern value is not correct for this application, so there is no match and the application is disallowed. I cannot debug since we are not running in a normal IE session so I have no console.

I've tried to enter the full path to the application, enclose it in "" or '' (since it contains spaces), use wildcards, forward slashes and backslashes, pretty much any syntax I could think of, and even tried to just enter "AllowListUrlPattern=file:*" which should allow every local path... nothing worked.

Please, is there anyone, maybe an Adobe Employee, who can help me? Don't really want to throw away a perfectly good printer... and by googling the issue I found out that there are many, many people in this same situation.

Thank you in advance... please let me believe in miracles once again!

New Here, Jan 19, 2021

Hi FGSysadmin,

 

Wildcard (*) works for domain name ex- http or https

However, it doesn't work for a situation like the one below, where you would like to use a wildcard for different web URLs with the same parent host:

https://abc.com/a1
https://abc.com/b2
https://abc.com/c3

i.e. https://abc.com/* - doesn't work

correct usage should be - https://abc.com/

Below is the snapshot of the mms.cfg I'm using for Firefox:

SilentAutoUpdateEnable=0
AutoUpdateDisable=1
EOLUninstallDisable=1
EnableAllowlist=1
AllowlistUrlPattern=https://abc.com/

 

Please also ensure you have not enabled allowlistpreview (which is used only for testing with trace).

 

Cheers!

Aditya

 

New Here, Jan 20, 2021

Try to install just the ActiveX version to solve the problem with HP Solution Center.
 

How to install Adobe Flash Player (old version):

 

Download the last version of Adobe Flash Player without the kill switch, which is version 32.0.0.371

https://archive.org/download/flashplayerarchive/pub/flashplayer/installers/archive/fp_32.0.0.371_arc...

 

Install the files:

"flashplayer32_0r0_371_win.exe" (NPAPI) Mozilla Firefox

"flashplayer32_0r0_371_winax.exe" (ActiveX) IE

"flashplayer32_0r0_371_winpep.exe" (PPAPI) Google Chrome and Edge

 

To install the ActiveX version ("flashplayer32_0r0_371_winax.exe") needed in IE or in other Flash-based programs like HP Solution Center, you must run this installation in "Compatibility mode" with "Windows 7" selected.

After this it's possible to run Flash Player in IE, Google Chrome [versions under 88.0.4324.96 (2021-01-19), because support for Adobe Flash Player was removed] and Mozilla Firefox.

 

If it’s not working on Google Chrome:

 

If you are using 64-bit Windows:

Copy the file "pepflashplayer64_32_0_0_371.dll" located at the dir "C:\Windows\System32\Macromed\Flash"

Or if you are using 32-bit Windows:

Copy the file "pepflashplayer32_32_0_0_371.dll" located at the dir "C:\Windows\SysWOW64\Macromed\Flash"

 

Paste to this dir:

"C:\Users\YOUR_USER\AppData\Local\Google\Chrome\User Data\PepperFlash\32.0.0.465"

* (Change YOUR_USER to your current user)

 

Close any window of Google Chrome.

 

Delete the current pepflashplayer.dll located at the dir "C:\Users\YOUR_USER\AppData\Local\Google\Chrome\User Data\PepperFlash\32.0.0.465"

 

Rename the pepflashplayer64_32_0_0_371.dll or pepflashplayer32_32_0_0_371.dll located at the dir "C:\Users\YOUR_USER\AppData\Local\Google\Chrome\User Data\PepperFlash\32.0.0.465" to pepflashplayer.dll

 

To make it work on Microsoft Edge:

 

If you are using 64-bit Windows:

Copy the file "pepflashplayer64_32_0_0_371.dll" located at the dir "C:\Windows\System32\Macromed\Flash"

Or if you are using 32-bit Windows:

Copy the file "pepflashplayer32_32_0_0_371.dll" located at the dir "C:\Windows\SysWOW64\Macromed\Flash"

 

Paste to this dir: "C:\Users\YOUR_USER\AppData\Local\Microsoft\Edge\User Data\PepperFlash\32.0.0.465"

* (Change YOUR_USER to your current user)

 

Close any window of Microsoft Edge.

 

Delete the current pepflashplayer.dll located at the dir "C:\Users\YOUR_USER\AppData\Local\Microsoft\Edge\User Data\PepperFlash\32.0.0.465"

 

Rename the pepflashplayer64_32_0_0_371.dll or pepflashplayer32_32_0_0_371.dll located at the dir "C:\Users\YOUR_USER\AppData\Local\Microsoft\Edge\User Data\PepperFlash\32.0.0.465" to pepflashplayer.dll

 

And this will make Flash Player work again on Microsoft Edge.

New Here, Jan 20, 2021

Adytia5E76: it's not a web site accessed directly via browser, but a local application which uses the IE embedded Flash ActiveX control to display its contents, so I am not in a position to whitelist a URL.

For the same reason I don't think I can follow FLASH32.0.0.371's advice: I already tried to reinstall a standalone ActiveX Flash Player but Windows is preventing me from doing it because the version embedded in IE11 is more recent.
