• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
Locked
0

Videos fail on Windows 7 since Flash Player 30.0.0.113 installed

Community Beginner ,
Jun 19, 2018 Jun 19, 2018

Copy link to clipboard

Copied

Zero Day patch deployed has affected some websites,

for example 

https://web.microsoftstream.com/browse?view=channel.

Videos will not launch in IE11 with FP 30.0.0.113 installed.
Works fine in Chrome on same machine and works in Edge on Win10.

If we use earlier version of Flash Player (v29) then videos work. But then we are vulnerable to attacks in the wild.

This needs to be fixed.

Please advise

Views

2.6K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Adobe Employee , Aug 16, 2018 Aug 16, 2018

Tuesday's release (in tandem with an update to Microsoft's video player) removes the dependency on the functionality that was impacted, and gets video playback working again.  You should no longer need the mms.cfg flags previously recommended as a workaround.  Simply update to the latest Flash Player.  If you deployed those flags earlier, we'd recommend that you remove them to re-enable those security mitigations.

Votes

Translate

Translate
Adobe Employee ,
Jun 19, 2018 Jun 19, 2018

Copy link to clipboard

Copied

None of the videos that I can see on Microsoft Stream are Flash.  They're HTML5 video on both Chrome and IE11.

If you right-click on an affected video, do you see "About Flash Player" in the context menu?  If so, can you send me a link to one?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 20, 2018 Jun 20, 2018

Copy link to clipboard

Copied

No. There is no "About Adobe Flash Player 30.0.0.113" in the context menu but after the installation of the Adobe Flash Player zero day patch to upgrade to version 30.0.0.113 these videos have become blocked in IE11 on Win7

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 20, 2018 Jun 20, 2018

Copy link to clipboard

Copied

Okay, I was able to reproduce this and track this down to a security-related change in Flash Player.  It was working fine for me in IE on Win10 as well, but I looked at Win7 today and it was failing.

This is related to a proactive mitigation for Spectre-style attacks against the CPU.

You can add one of the following directives to mms.cfg to disable this mitigation. 

EnableInsecureByteArrayShareable=1

EnableInsecureByteArrayShareableDomain=*.azureedge.net

See page 54 of the Flash Player System Administrator's Guide for additional details:

https://wwwimages2.adobe.com/content/dam/acom/en/devnet/flashplayer/articles/flash_player_admin_guid...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 27, 2018 Jun 27, 2018

Copy link to clipboard

Copied

Thanks for the possible resolution.

My questions here are as follows:

  • Why has Adobe done this?
  • Why were we not informed of the side effects of the deployment?
  • Is this something that needs to be done with every future deployment?
  • Will adobe fix this so we do not have to manually do this ourselves each month?

Really appreciate your assistance but more interested in the lack of assistance or provision of information by Adobe.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 27, 2018 Jun 27, 2018

Copy link to clipboard

Copied

This particular change was a proactive mitigation for Spectre-style attacks against Intel CPUs.  We rarely make the decision to wholesale break functionality, but we also frequently have to make the tough calls between multiple terrible choices.  When there's an elegant or transparent change that can be made, we're always going to go for that.  

We don't pre-announce security changes, because we can see from the data that attackers see and respond to any pre-announcements that we make.  While we'd love to be able to pre-communicate changes to the development community, the reality of the modern security landscape is such that we don't have that luxury.

If you have mission critical use cases that rely on Flash Player, we'd recommend that you participate in our beta program.  We publish weekly builds, and we'd strongly recommend testing your critical use-cases with them.  We watch feedback carefully, and do our best to make sure that we're not introducing new problems in the field.  You can find details at https://www.adobe.com/go/flashplayerbeta

As you can imagine, earlier feedback is better.  We release on 4-week cycles, and we have much more flexibility at the beginning of a release than we do at the end.  It's probably worth mentioning that while we have several million clients participating in the beta, nobody reported this particular issue until after it shipped.

In terms of this specific issue, it's important to point out that Flash Player is *not* a video player.  You can build a video player on top of it.  In this instance, the video player being used in this context uses Shared ByteArrays.  It's a clever technique, but there are several other ways to accomplish what they're doing that aren't impacted.

My understanding is that we've provided guidance to the group that maintains that video player on how to remove this dependency; however, they're far downstream from us, and I have no insight into when they would update the video player, or when those changes would get published on Microsoft's servers.

We're also not planning to re-enable Shared ByteArrays.  They're off by default, and that's the right disposition under the circumstances.  If the research or ecosystem changes in a way that contraindicates our mitigation, we might consider changing the default in the future, but I'm not seeing any evidence of an impending change at this time.

Also, to be clear, this isn't because the feature itself is inherently insecure.  This is about Flash Player being a responsible actor in the context of the broader ecosystem.  We don't get to just think about Flash Player and ActionScript.  We have to consider the interplay between Flash Player, ActionScript, JavaScript and the underlying browser, OS and hardware (across Mac, Windows, Linux and all of the major browsers).

Because we load untrusted content (ads, etc.) in your browser, we're always worried about the scenario where a malicious ad gets embedded on an otherwise trustworthy site.  In scenarios like this, the underlying vulnerability isn't ours, but an attacker can abuse legitimate functionality to theoretically attack a vulnerability elsewhere in the ecosystem.  The responsible choice in that instance is to modify or disable that functionality to protect the larger ecosystem.  In that vein, our changes parallel (and technically, are a little more conservative) similar changes made to equivalent JavaScript functionality shipped by all of the major browser vendors.

Whether or not you need to "fix this" each month is really driven by how you deploy Flash Player.  It's common for enterprise organizations to deploy a custom mms.cfg (and there might be some other configuration options that you might find interesting, depending on your organization's needs and paranoia level).

You can find details on the various deployment mechanisms and configuration flags here:

Adobe Flash Player Administration Guide for Flash Player | Adobe Developer Connection

You *will* need to continue to deploy an mms.cfg file with these flag(s) for as long as you want Shared ByteArrays in Flash Player to remain enabled.  It will be up to you to determine when that functionality is no longer needed and remove the flag or delete the custom mms.cfg that you've deployed.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 27, 2018 Jun 27, 2018

Copy link to clipboard

Copied

Thank you for a detailed and comprehensive response to my questions above. I do understand the many security aspects that have to be addressed and managed these days. My apologies if I came across a bit strong earlier. I guess we may have to manage this going forward. Please note we raised this with Microsoft as well and are hoping that they will address the issues on their site(s). I think we can close this conversation as you provided all the answers.

Many thanks,

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 27, 2018 Jun 27, 2018

Copy link to clipboard

Copied

No problem.  We don't like we stuff breaks either, and we totally get the frustration.

Flash Player lives in an incredibly complex problem space that isn't necessarily obvious from the outside.  I'm happy to at least try and explain why we make decisions when they're causing people grief.  If you would have asked me a few months about about whether or not Shared ByteArrays had anything to do with encrypted video playback, I would have told you that it was super unlikely.

Trying to extrapolate what people are doing with a fundamental set of APIs is a little like trying to see into the future.  You're always going to be surprised.

The best we can really do under the circumstances is to empower people with controls that let them manage any unexpected fallout for mission-critical uses, while minimizing the attack surface across the broader population.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Aug 16, 2018 Aug 16, 2018

Copy link to clipboard

Copied

Tuesday's release (in tandem with an update to Microsoft's video player) removes the dependency on the functionality that was impacted, and gets video playback working again.  You should no longer need the mms.cfg flags previously recommended as a workaround.  Simply update to the latest Flash Player.  If you deployed those flags earlier, we'd recommend that you remove them to re-enable those security mitigations.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Sep 10, 2018 Sep 10, 2018

Copy link to clipboard

Copied

Hello,

What update to Microsoft's video player are you talking about ?

I've flash player 30.0.0.154 installed and the Windows 7 August 2018 update roll-up installed (KB4343900) but the issue still occures.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Sep 10, 2018 Sep 10, 2018

Copy link to clipboard

Copied

According to Microsoft, the original issue is resolved.  We've confirmed the same.

It sounds like maybe you're experiencing something distinct. 

What happens if you clear your browser cache?

If that doesn't help, point me to a representative link.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Sep 10, 2018 Sep 10, 2018

Copy link to clipboard

Copied

Hello,

We tested on several computers and the issue is the same.

The issue occurs on the folowing site but you need an account to connect :https://customers.oase-office.eu

I've aded the following lines in the mms.cfg and the video are playing without issue now.

EnableInsecureByteArrayShareable=1

EnableInsecureByteArrayShareableDomain=*.oase-office.eu

Seems to be very similar with what is described above.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Sep 14, 2018 Sep 14, 2018

Copy link to clipboard

Copied

Hello,

A test account was sent to jeromiec83223024

Waiting for results ...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Sep 14, 2018 Sep 14, 2018

Copy link to clipboard

Copied

The site you provided embeds a specific, old version of Azure Media Player (1.8.0). 

The change that solves this issue is in Azure Media Player 2.1.9.  You'll probably want to research best practice for embedding their player in a way that ensures that you're using the latest updates, and then your content accordingly.

Here's their changelist:

http://amp.azure.net/libs/amp/latest/docs/changelog.html

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Sep 16, 2018 Sep 16, 2018

Copy link to clipboard

Copied

LATEST

Hello,

Many thanks for this answer. We will get in touch with the owner of the site.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines