Adobe Flash Player 9 update to destroy and save Web apps!!


Adobe is issuing an update to Flash Player 9 that it hopes will prevent Flash-based Web applications from being used to launch attacks against consumers, but the update may also stop Flash apps from working if developers don’t heed Adobe’s recommendations.

The April update addresses two security flaws in Adobe Flash 9, relating to cross-site scripting (XSS) and DNS rebinding attacks — common techniques used to attack computer systems by exploiting flaws in Web applications.

The update focuses on Flash Player features used by Web developers to communicate with third-party servers. Those likely to be affected are developers using sockets or XMLSockets, or addRequestHeader or URLRequest.requestHeaders in a network API, to access content from sites outside their own domain.
If a site provides access to content on remote domains as a Web service provider, or if it has Flash content in pre-Flash 8 format that communicates with the hosting HTML, then the site could be affected. The update could also impact a site if it uses JavaScript to communicate outside of a Flash SWF. In all cases, Adobe advises following its recommendations to avoid problems.

Adobe says that the April 2008 Flash Player update will help defend against malicious HTTP headers sent from other domains by performing a cross-domain policy file check before allowing SWFs to send headers to another domain.
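A site operator can audit what its own policy file would permit under this check. The following is an added example, not Adobe's code or part of the original article: it evaluates the `allow-http-request-headers-from` rules of a cross-domain policy file for a given SWF host and header, and flags wildcard grants. The hostnames and sample policies are constructed, and the pattern matching is a simplified assumption about how the player compares domains and header names.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from the article).
PERMISSIVE = """<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

SCOPED = """<cross-domain-policy>
  <allow-http-request-headers-from domain="app.example.com" headers="SOAPAction"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Simplified match: '*', '*.example.com' (subdomains only), or exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def header_allowed(policy_xml, swf_host, header):
    """True if the policy lets a SWF served from swf_host send `header`."""
    wanted = header.lower()
    root = ET.fromstring(policy_xml)
    for rule in root.iter("allow-http-request-headers-from"):
        if not domain_matches(rule.get("domain", ""), swf_host):
            continue
        for name in rule.get("headers", "").split(","):
            name = name.strip().lower()
            # Exact name, or a trailing-'*' pattern such as '*' or 'x-*'.
            if name == wanted or (name.endswith("*") and wanted.startswith(name[:-1])):
                return True
    return False  # no matching rule: the header is not permitted


def wildcard_findings(policy_xml):
    """Return rules that grant header permission to any domain or any header."""
    root = ET.fromstring(policy_xml)
    return [dict(r.attrib) for r in root.iter("allow-http-request-headers-from")
            if r.get("domain") == "*" or r.get("headers") == "*"]


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        print(label, "wildcard rules:", wildcard_findings(policy))
        print(label, "other.example.net may send Authorization:",
              header_allowed(policy, "other.example.net", "Authorization"))
```
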


vivek