July 28, 2004
Beware of the MXP?

Let me make this clear first: the following issue does not affect swfs or the Flash plugin in general - normal users are not affected at all. This is a Flash developer-only thing.

The recent update to Flash MX 2004 has not only brought us many bug fixes, it also comes with some new features under the hood. One of them is new file API for JSFL.

For those who don't know what JSFL is: with JSFL you can control the Flash IDE with Javascript. You can automate tedious tasks, draw geometric shapes via mathematics that you would never be able to paint manually, create animation effects - short: almost everything that you can do with the mouse and the keyboard. A wonderful tool. Well, now with the new File API you can also access files: read them, write them, copy them, delete them. You are not limited to the Flash folder, no you have full access to the whole system.

Enters the Advocatus Diabolis (AD): "Full file access? That's great. So what happens if I use the command FLfile.remove("file:///C:/windows")? Let's have a look what the JSAPI reference says:"

The remove method can be used to remove a file or a folder that is not read-only from the local machine. If you attempt to delete a folder that contains files or folders, they will also be deleted. If any of those files or folders are read-only, then they will not be deleted—nor the containing folder. This function accepts one argument: a file URI that specifies the location of a file or a folder that you want to delete

Me: "Okay, but of course I would never be so stupid to delete my own system folder wouldn't I?"
AD: "Not you, but maybe someone else? By the way - there is also support for wildcard file masks..."
Me: "Well. But what do I care about what other people do in their spare time? It's their harddrive after all."
AD: "So you have never downloaded any 3rd party components for Flash?"
Me: "Of course I have - hello, it's components - they cannot be harmful. It's just a few textfiles and maybe a swf. And we all know that swfs are harmless by law!"
AD: "JSFL commands are also 'just' text files..."
Me: "Whatever you say - but anyway I just download components, not JSFL commands."
AD: "That's what you think. How do you know there is not a little extra in the package?"
Me: "Extra? I don't want any extra. And after all - even if there would be a malicious command among the installed files - I would immediately recognise strange new menu items and simply not select select them."
AD: "Who says that you have to select it to run it? There are several ways to make it run as soon as you start Flash. You can even launch Flash with files that have a .jsfl suffix."
Me: "Oh really? So what can we do about it? Anything? Nothing? OH NO!!! WE ARE ALL DOOMED!!!!"
AD: "Muhaahahahaaa!";

Okay, calm down. This is all just theoretical. Why should anybody want to do this? Fortunately there are only a few lunatics in the Flash community. I just wanted to wake your awareness that the next time you blindly install an mxp from a questionable source it could hurt. Theoretically. Very theoretically.

But - let's put this back into the proper context: actually this can happen to you with any executable that you download from the web. Just choose wisely which source you can trust.

And as a little comforter: Dreamweaver has file access via JSAPI for quite a while and it looks like people have used it responsibly until now. Relax.

Posted at July 28, 2004 01:18 AM | Further reading
Comments

So, how to protect yourself? 1. As with any software, only download and install from a known or reputable source. Some kid you don't know comes on a forum offering a neat new component, be careful. 2. As the title says, beware of mxp. This will install autmatically. If installing something from soneone you don't know, get the source jsfl and/or fla, compile and install it yourself after checking it out. Another bright side of the story is that components have actually had harmful capability since last september and I haven't heard of any abuse. By harmful capability I mean that there are a number of ways JSFL can write to the disk, potentially overwriting system files, prior to the file api stuff.

Posted by: Keith Peters on July 28, 2004 03:29 AM

What Keith said..

And.. I have an extension that uses the new file I/O features of JSAPI.. It's for automating the process of importing XML into the IDE. Find it here: http://www.oddhammer.com/extensions/importXML/

and I'll provide the FLA to anybody who cares to look at it and promises not to laugh at the kludge I put out at 2AM.. heheh..

Posted by: mike lyda on July 28, 2004 05:33 AM

Agreed on the above. The Director authoring and standalone environments have had file-manipulation for a long time, and Dreamweaver extensions added file-manipulation awhile back too. I don't recall people victimizing other developers with bad extensions, but it's definitely recommended to know and trust the source of any FLA and other samples you run.

Reputation and feedback count for a lot...!

(These extensibility is in the Macromedia Flash authoring tool, not in the Macromedia Flash Player.)

jd/mm

Posted by: John Dowdell on July 28, 2004 11:05 PM

hey, im actually having trouble getting it to work.
Can anyone help, or mike can u send me the fla for that component u made.

Posted by: Ben Lupton on August 27, 2004 10:58 PM

Whant be 100% sure that mxp package which you about to install, doesn't contain any harmful stuff ?

Use MXP Lister plugin for Total Commander, it's
amazing tool that let you view .mxp package
content before you install it :)
http://tcplugs.shuriksoft.com

Posted by: max on July 7, 2005 01:20 PM
Post a comment
Name:


Email Address:


URL:


Comments:


Remember info?



Thank you!

Most Visited Entries
Sketches, Works & Source Code
Lectures
Contact
Backlog
In Love with
Powered by
Movable Type 2.661

© Copyright Mario Klingemann

Syndicate this site:
RSS 1.0 - RSS 2.0

Quasimondo @ flickr
Quasimondo @ LinkedIn
Quasimondo @ Twitter
Quasimondo @ Facebook
Quasimondo @ MySpace
Quasimondo is a Bright
Citizen of the TRansnational Republic
My other blog in german
Impressum


My family name is written Klingemann,
not Klingelmann, Klingeman, Klingaman, Kingemann,
Kindermann, Killingaman, Klingman, Klingmann, Klingonman
Klingemman, Cleangerman, Klingerman or Kleangerman

profile for Quasimondo at Stack Overflow, Q&A for professional and enthusiast programmers