Wednesday, December 21, 2005

Macromedia Contacted

I contacted Macromedia today about the minor Cross Site Denial of Service in Flash Player today.

I hope that they at least respond to my musings about the vulnerability.

We were tracking down a problem at work when we first spotted this vulnerability. We have a template where a authorized distributor for the company can call in to leave a message on a personalized site. They had a long message (59 seconds). The template they chose also had another Flash animation with audio in it. Because the other animation was composed of several movies the developer decided to call stopAllSound() to end the sound loop. When the audio of the shorter animation stopped the long audio in the other movie stopped also.

I then decided to see if the problem persisted between websites and in different browser windows.

If this ActionScript function call can affect other movies in other browser windows from other websites, what other ActionScript function calls can affect other movies in other browser windows from other websites? Unfortunately I can't test this because I do not have a licensed copy of flash to do so.

I just hope that no financial institution has decided to go with an all Flash website for banking transactions.