July 28, 2004
Beware of the MXP?

Let me make this clear first: the following issue does not affect swfs or the Flash plugin in general - normal users are not affected at all. This is a Flash developer-only thing.

The recent update to Flash MX 2004 has not only brought us many bug fixes, it also comes with some new features under the hood. One of them is new file API for JSFL.

For those who don't know what JSFL is: with JSFL you can control the Flash IDE with Javascript. You can automate tedious tasks, draw geometric shapes via mathematics that you would never be able to paint manually, create animation effects - short: almost everything that you can do with the mouse and the keyboard. A wonderful tool. Well, now with the new File API you can also access files: read them, write them, copy them, delete them. You are not limited to the Flash folder, no you have full access to the whole system.

Enters the Advocatus Diabolis (AD): "Full file access? That's great. So what happens if I use the command FLfile.remove("file:///C:/windows")? Let's have a look what the JSAPI reference says:"

The remove method can be used to remove a file or a folder that is not read-only from the local machine. If you attempt to delete a folder that contains files or folders, they will also be deleted. If any of those files or folders are read-only, then they will not be deleted—nor the containing folder. This function accepts one argument: a file URI that specifies the location of a file or a folder that you want to delete

Me: "Okay, but of course I would never be so stupid to delete my own system folder wouldn't I?"
AD: "Not you, but maybe someone else? By the way - there is also support for wildcard file masks..."
Me: "Well. But what do I care about what other people do in their spare time? It's their harddrive after all."
AD: "So you have never downloaded any 3rd party components for Flash?"
Me: "Of course I have - hello, it's components - they cannot be harmful. It's just a few textfiles and maybe a swf. And we all know that swfs are harmless by law!"
AD: "JSFL commands are also 'just' text files..."
Me: "Whatever you say - but anyway I just download components, not JSFL commands."
AD: "That's what you think. How do you know there is not a little extra in the package?"
Me: "Extra? I don't want any extra. And after all - even if there would be a malicious command among the installed files - I would immediately recognise strange new menu items and simply not select select them."
AD: "Who says that you have to select it to run it? There are several ways to make it run as soon as you start Flash. You can even launch Flash with files that have a .jsfl suffix."
Me: "Oh really? So what can we do about it? Anything? Nothing? OH NO!!! WE ARE ALL DOOMED!!!!"
AD: "Muhaahahahaaa!";

Okay, calm down. This is all just theoretical. Why should anybody want to do this? Fortunately there are only a few lunatics in the Flash community. I just wanted to wake your awareness that the next time you blindly install an mxp from a questionable source it could hurt. Theoretically. Very theoretically.

But - let's put this back into the proper context: actually this can happen to you with any executable that you download from the web. Just choose wisely which source you can trust.

And as a little comforter: Dreamweaver has file access via JSAPI for quite a while and it looks like people have used it responsibly until now. Relax.

Posted at July 28, 2004 01:18 AM | Further reading
Comments

So, how to protect yourself? 1. As with any software, only download and install from a known or reputable source. Some kid you don't know comes on a forum offering a neat new component, be careful. 2. As the title says, beware of mxp. This will install autmatically. If installing something from soneone you don't know, get the source jsfl and/or fla, compile and install it yourself after checking it out. Another bright side of the story is that components have actually had harmful capability since last september and I haven't heard of any abuse. By harmful capability I mean that there are a number of ways JSFL can write to the disk, potentially overwriting system files, prior to the file api stuff.

Posted by: Keith Peters on July 28, 2004 03:29 AM

What Keith said..

And.. I have an extension that uses the new file I/O features of JSAPI.. It's for automating the process of importing XML into the IDE. Find it here: http://www.oddhammer.com/extensions/importXML/

and I'll provide the FLA to anybody who cares to look at it and promises not to laugh at the kludge I put out at 2AM.. heheh..

Posted by: mike lyda on July 28, 2004 05:33 AM

Agreed on the above. The Director authoring and standalone environments have had file-manipulation for a long time, and Dreamweaver extensions added file-manipulation awhile back too. I don't recall people victimizing other developers with bad extensions, but it's definitely recommended to know and trust the source of any FLA and other samples you run.

Reputation and feedback count for a lot...!

(These extensibility is in the Macromedia Flash authoring tool, not in the Macromedia Flash Player.)

jd/mm

Posted by: John Dowdell on July 28, 2004 11:05 PM

hey, im actually having trouble getting it to work.
Can anyone help, or mike can u send me the fla for that component u made.

Posted by: Ben Lupton on August 27, 2004 10:58 PM

Whant be 100% sure that mxp package which you about to install, doesn't contain any harmful stuff ?

Use MXP Lister plugin for Total Commander, it's
amazing tool that let you view .mxp package
content before you install it :)
http://tcplugs.shuriksoft.com

Posted by: max on July 7, 2005 01:20 PM
Post a comment
Name:


Email Address:


URL:


Comments:


Remember info?



Site Search

Google
quasimondo.com
incubator.quasimondo.com
lectures.quasimondo.com
My Twitter Updates
Best Of Quasimondo
The Stake
Picturedisko
Islands Of Consciousness
Flickeur
Clockr
Tagnautica
Kaleidoscope
Realtime Video Color Keying
Flash 8 ColorMatrix Class
Flash 8 BitmapExporter
Marching Ants Path
Marching Ants Rectangle
Full Justified Text Component
swfImageProxy
xml2swf
Amazon Explorer [FF Trailer]
AS Shape Decoder
Voronoi Diagram
Worldmap Locator
Page Turn Interface
Google Search Widget
WACK
LOCOMA
The Candle
The Candle II
The Flash Connection
The Flash Connection II
The J.H. Lynch Mystery
The Crying Boy
Categories
Home

Concentration
Hydration
Incubation
Information
Inspiration
Manipulation
Observation
Occupation
Publication
Relevation
Transformation
Vibration
Visualization
Upcoming Events
Highly Recommended
Ralph Hauwert
Grant Skinner
André Michelle
Joa Ebert
Jer Thorp
Eugene Zatepyakin
Nicolas Barradeau
Links of Interest
Thank you!
Most Visited Entries
Optimizing Flash Based Face Detection
Page Flip: The Final Word
Flash BitmapExporter: Compress and Save Images
Automated Threshold & Edge Detection
Flash 8: ColorMatrix
Saving JPEGs or PNGs with Flash 8 Revisited
Shared Library Secrets
How to Enable MP3 Ringtones on a Sony Ericsson v800
Flash 8: Realtime Video Color Keying
Page Turn Lecture Files
Sketches, Works & Source Code
The Incubator
Quasimondo Libs
Flickr Gallery
Popular on Aviary

Lectures
Upcoming Conferences:

FITC Amsterdam 2009
Flexcamp Amsterdam 2009
FITC Toronto 2009
FFK 2009, Cologne
flashconference/fmx 2009, Stuttgart
FlashBrighton UG Meeting, Brighton
Flash on Tap 2009, Boston
Flashbelt 2009, Minneapolis
Flash At The Lake 2009, Zürich
Flash On The Beach 2009, Brighton
FITC Edmonton 2009
FITC Tokyo 2009
FITC Amsterdam 2010
Flashcamp Tokyo 2010
Flashcamp Seoul 2010
FFK 10, Cologne
FITC Toronto 2010
Flashbelt Minneapolis 2010
FITC San Francisco 2010
Flash on the Beach 2010
Decoded 2010, Munich

My Past Lectures
Contact
Contact me
Backlog
May 2010
January 2010
December 2009
October 2009
September 2009
July 2009
May 2009
March 2009
February 2009
December 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
February 2008
November 2007
October 2007
September 2007
August 2007
June 2007
May 2007
April 2007
March 2007
February 2007
December 2006
November 2006
September 2006
August 2006
July 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
December 2002
November 2002
October 2002
September 2002
August 2002
July 2002
June 2002
In Love with
Jasmine T.
Powered by
Movable Type 2.661

© Copyright Mario Klingemann

Syndicate this site:
RSS 1.0 - RSS 2.0

Quasimondo @ flickr
Quasimondo @ LinkedIn
Quasimondo @ Twitter
Quasimondo @ Facebook
Quasimondo @ MySpace
Quasimondo is a Bright
Citizen of the TRansnational Republic
My other blog in german
Impressum


My family name is written Klingemann,
not Klingelmann, Klingeman, Klingaman, Kingemann,
Kindermann, Killingaman, Klingman, Klingmann, Klingonman
Klingemman, Cleangerman, Klingerman or Kleangerman