Spectre / Meltdown Mitigations

In response to a class of recently disclosed vulnerabilities in popular CPU hardware related to data cache timing (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), known popularly as Spectre and Meltdown, we are disabling the ‘shareable’ property of the ActionScript ByteArray class by default. Administrators can turn this feature back on using the following MMS properties:

EnableInsecureByteArrayShareable

Short Description: Allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class.

Detailed Description: EnableInsecureByteArrayShareable = [0,1] (0=false, 1=true)

This setting will allow Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class. Shared ByteArrays are used to share data between threads with ActionScript “Workers.” Shared ByteArrays are an advanced feature of the ActionScript API set and not commonly used in the vast majority of published Flash content. For increased security, we recommend administrators leave this feature disabled.

EnableInsecureByteArrayShareableDomain

Short Description: Allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class on a per-domain basis.

Detailed Description: EnableInsecureByteArrayShareableDomain = domain name or IP address

By default, Flash Player 30 and above will no longer allow the “shareable” property of the ActionScript ByteArray API class. The EnableInsecureByteArrayShareableDomain settings provide exceptions to that rule. Administrators can create a “white list” of approved domain names or IP addresses to which the EnableInsecureByteArrayShareable setting will apply.

If the active security context is in the list of domains and IP addresses, then access to the shareable ByteArray property will be allowed. Otherwise, shareable ByteArray access will be denied.

For domain names, prefixing a * wildcard is allowed. For example, *.adobe.com would allow all Flash content with the “shareable” property to run on www.adobe.com, get.adobe.com, helpx.adobe.com, and so on. Wildcards are not allowed when specifying IP addresses.

For example, the following settings allow SWFs using the shareable ByteArray property to only run on servers at www.mydomain.com and 10.1.1.10:

EnableInsecureByteArrayShareableDomain=www.mydomain.com
EnableInsecureByteArrayShareableDomain=10.1.1.10

Wildcard example:

EnableInsecureByteArrayShareableDomain=*.mydomain.com

This would allow all Flash content with the “shareable” property to run on www.mydomain.com, foo.mydomain.com, and so on.

EventJitterMicroseconds

Setting this value to 0 disables an important mitigation for Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application performance in some limited circumstances.

TimerJitterMicroseconds

Setting this value to 0 disables an important mitigation for Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application performance in some limited circumstances.

For information on managing the mms.cfg file, please see the Flash Player System Administrator's guide, here: http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html
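
One way to audit an mms.cfg for the settings described above, as an added example that is not Adobe's code. The sample file contents, the function names, the exact-case key matching and the treatment of lines starting with # as comments are assumptions made for the illustration.

```python
# Constructed sample mms.cfg content (not taken from a real deployment).
SAMPLE_MMS_CFG = """\
# constructed example
EnableInsecureByteArrayShareable=1
EnableInsecureByteArrayShareableDomain=www.mydomain.com
EnableInsecureByteArrayShareableDomain=*.mydomain.com
EnableInsecureByteArrayShareableDomain=10.1.1.*
EnableInsecureByteArrayShareableDomain=10.1.1.10
TimerJitterMicroseconds=0
EventJitterMicroseconds = 50
"""

JITTER_KEYS = ("EventJitterMicroseconds", "TimerJitterMicroseconds")
DOMAIN_KEY = "EnableInsecureByteArrayShareableDomain"

def parse_mms_cfg(text):
    """Return (key, value) pairs in file order; repeated keys are kept."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: blank lines and lines starting with '#' carry no setting.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs

def looks_like_ip_pattern(value):
    """True for a dotted numeric address containing '*', e.g. 10.1.1.*"""
    parts = value.split(".")
    return ("*" in value and any(p.isdigit() for p in parts)
            and all(p == "*" or p.isdigit() for p in parts))

def audit(text):
    """List every setting that relaxes the Spectre/Meltdown defaults."""
    findings = []
    for key, value in parse_mms_cfg(text):
        if key == "EnableInsecureByteArrayShareable" and value == "1":
            findings.append("shareable ByteArray restriction overridden")
        elif key in JITTER_KEYS and value == "0":
            findings.append(f"{key}=0 disables a timing mitigation")
        elif key == DOMAIN_KEY and looks_like_ip_pattern(value):
            findings.append(f"invalid exception {value}: wildcards not allowed for IP addresses")
        elif key == DOMAIN_KEY and value.startswith("*"):
            findings.append(f"wildcard exception {value} covers every subdomain")
        elif key == DOMAIN_KEY:
            findings.append(f"exception for {value}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MMS_CFG)))
```

An empty result from audit() means none of the overrides described on this page are present in the file.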