Flasher Archive



Subject: Re: FLASH: [RESPONSE] Recent Flash Player Release
From: unique
Date: Tue, 25 Jan 2000 03:16:57 GMT

Eric,

Thank you for your post!

However, you leave unaddressed some serious concerns regarding this
defective player. Furthermore, I do not follow the logic behind the security
issue.

At the exact moment of 2000.01.24.17.21, her/his local time, Eric J. Wittman
<emanatflash [dot] com> put forth:

> Dear FlashR-Ls,
>
> It is with the Flash Team's deepest regret that the latest Flash Player
> releases (versions 4.0r20 Macintosh and 4.0r25 Windows)

(being distributed to the public from December 6, 1999, through this very
moment)

> contain behavior
> that has broken several sites utilizing load variables from external data
> sources.
>
> The nature of this issue is documented in TechNote #14234 on the
> Macromedia Flash Support Center.

http://www.macromedia.com/support/flash/ts/documents/ampersand.htm

> The problem discovered is that Flash
> Player is inserting an extra ampersand character when passing variables
> from a Flash movie. This affects users who are sending data to a
> server-side mechanism, such as ASP, ColdFusion or CGI.
>
> Another change made to the latest release of Flash Player is also related
> to loading external variables from a data source. Previous releases of
> Flash Player allowed variables to be loaded from a domain source outside
> of the current one the Flash movie was playing from. What this means in
> theory is that someone could load or send data from one site and send to
> another site. This behavior has been considered a "feature" by many a
> Flash developer for the ease of access to information however is
> considered a breach of security by industry security experts. It was the
> request of several developers and industry experts that prompted this
> change in behavior.

I'm surprised that the developers and industry security experts are placated
by this meaningless gesture! Closing the barn door after the horse has been
stolen. Surely anyone with malicious intent can avail themselves of an older
plugin.

> This issue and the appropriate solution are documented in
> TechNote #14213 in the Macromedia Flash Support Center.

http://www.macromedia.com/support/flash/ts/documents/loadvars_security.htm

> We are currently working overtime to resolve the extra ampersand issue. We
> anticipate a new Flash Player release with this fix within the next 1-2
> days after thorough QA has been done. To ensure all angles of this issue
> are tested, we would like Flash developers who are currently
> experiencing the extra ampersand problem to forward me (emanatflash [dot] com)
> their site URLs so we can incorporate them into our testing matrix.
>
> Again, we apologize for this inconvenience and are working hard to resolve
> this issue ASAP.

"Inconvenience"?

Eric, this is far more than an inconvenience! For many, it is an
income-threatening and even income-destroying situation.

That's a BIG "inconvenience"!

That which still baffles me the most is Macromedia's *insistence* upon
continuing to distribute these broken players *long* after their defects
have been known. This is something that Macromedia wants to proliferate?

Am I missing some important point here?

To summarize, two questions:

(1) Why was the 25/20 player not withdrawn from public distribution
immediately upon Macromedia's awareness that it is defective? Think it
through, and you will discover that the release of a new player will *not*
erase the existence of how-many thousands of bad ones! Are we supposed to
design around these players? You keep pumping them out, even today.

(2) How many thousands of these players have been released to the public
since December 6, 1999? How many were released since MM's awareness of the
problem?

(2a) And, more to the point, what percentage of Flash 4 Players that are out
there are of the 25/20 variety?

If you don't have answers for these questions, please advise as to
appropriate direction.

Thank you for your time.

Still not getting it,

Ken Sherwood
Professional Windmill Jouster

*zenkat: the Flash trailer*
http://www.kensherwood.com/zenkat.htm

kensherwood.com
http://www.kensherwood.com



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To unsubscribe or change your list settings go to
http://www.chinwag.com/flasher or email helpatchinwag [dot] com
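
The two player behaviours quoted in this message, the extra ampersand in submitted variables and the new same-domain rule for loadVariables, as an added worked example in JavaScript. This is not code from the original post or from Macromedia. It assumes a Node.js server-side script receiving the variable string a movie submits, and it models the domain check as an exact host match between the movie's URL and the data URL (an assumption; the TechNote's precise rule is not reproduced on this page). The sample strings and URLs are constructed for illustration.

```javascript
// Added example, not from the original post or from Macromedia.
// Two pieces of server- and policy-side logic for the behaviours the thread
// quotes: (1) parsing a Flash variable string that may carry a stray "&",
// (2) the same-domain rule for loadVariables, modelled here as an exact
// host match (an assumption; the TechNote's exact rule is not on this page).

// Decode one urlencoded token the way a CGI/ASP query-string parser would:
// "+" becomes a space, %XX escapes are expanded. A malformed escape returns
// the raw text instead of throwing, so one bad value cannot abort the request.
function decodeComponent(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Parse "a=1&b=2" into an object. Player 4.0r25 is reported to insert an
// extra "&"; a naive split would then yield an empty pair (or a blank key),
// which some server-side code rejects. Both are skipped here instead, so a
// site keeps working for the older players still in circulation.
function parseFlashVars(body) {
  const vars = {};
  for (const pair of body.split("&")) {
    if (pair === "") continue;                 // the extra ampersand
    const eq = pair.indexOf("=");
    const key = decodeComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeComponent(eq === -1 ? "" : pair.slice(eq + 1));
    if (key === "") continue;                  // "=value" with no name
    vars[key] = val;
  }
  return vars;
}

// Same-domain rule: a movie served from movieUrl may load variables from
// dataUrl only if both resolve to the same host. Relative data URLs resolve
// against the movie URL and therefore pass; a different host (including a
// protocol-relative "//other.host/...") fails, which is the cross-site
// load/send the quoted message describes.
function loadAllowed(movieUrl, dataUrl) {
  let movie, target;
  try {
    movie = new URL(movieUrl);
    target = new URL(dataUrl, movieUrl);
  } catch (e) {
    return false;                              // unparsable URL: deny
  }
  return movie.hostname.toLowerCase() === target.hostname.toLowerCase();
}

// Constructed sample input: what a 4.0r25 player might submit, and two loads.
const sample = "name=Ken&city=Boston&";
console.log(parseFlashVars(sample));           // { name: 'Ken', city: 'Boston' }
console.log(loadAllowed("http://www.kensherwood.com/zenkat.swf", "/cgi-bin/vars.cgi"));            // true
console.log(loadAllowed("http://www.kensherwood.com/zenkat.swf", "http://other.example/vars.cgi")); // false
```

The parser tolerates the stray ampersand rather than rejecting the request because, as the message above argues, a new player release does not recall the copies already installed; server-side code has to cope with whatever the installed base sends. The host check, by contrast, lives in the player itself, which is why it gives a site no protection against a visitor who keeps an older plugin.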


Replies
  RE: FLASH: [RESPONSE] Recent Flash Playe, Connie Schachel

Replies
  FLASH: [RESPONSE] Recent Flash Player Re, Eric J. Wittman
