Let me make this clear first: the following issue does not affect swfs or the Flash plugin in general - normal users are not affected at all. This is a Flash developer-only thing.
The recent update to Flash MX 2004 has not only brought us many bug fixes, it also comes with some new features under the hood. One of them is new file API for JSFL.
Enters the Advocatus Diabolis (AD): "Full file access? That's great. So what happens if I use the command FLfile.remove("file:///C:/windows")? Let's have a look what the JSAPI reference says:"
The remove method can be used to remove a file or a folder that is not read-only from the local machine. If you attempt to delete a folder that contains files or folders, they will also be deleted. If any of those files or folders are read-only, then they will not be deleted—nor the containing folder. This function accepts one argument: a file URI that specifies the location of a file or a folder that you want to delete
Me: "Okay, but of course I would never be so stupid to delete my own system folder wouldn't I?"
AD: "Not you, but maybe someone else? By the way - there is also support for wildcard file masks..."
Me: "Well. But what do I care about what other people do in their spare time? It's their harddrive after all."
AD: "So you have never downloaded any 3rd party components for Flash?"
Me: "Of course I have - hello, it's components - they cannot be harmful. It's just a few textfiles and maybe a swf. And we all know that swfs are harmless by law!"
AD: "JSFL commands are also 'just' text files..."
Me: "Whatever you say - but anyway I just download components, not JSFL commands."
AD: "That's what you think. How do you know there is not a little extra in the package?"
Me: "Extra? I don't want any extra. And after all - even if there would be a malicious command among the installed files - I would immediately recognise strange new menu items and simply not select select them."
AD: "Who says that you have to select it to run it? There are several ways to make it run as soon as you start Flash. You can even launch Flash with files that have a .jsfl suffix."
Me: "Oh really? So what can we do about it? Anything? Nothing? OH NO!!! WE ARE ALL DOOMED!!!!"
Okay, calm down. This is all just theoretical. Why should anybody want to do this? Fortunately there are only a few lunatics in the Flash community. I just wanted to wake your awareness that the next time you blindly install an mxp from a questionable source it could hurt. Theoretically. Very theoretically.
But - let's put this back into the proper context: actually this can happen to you with any executable that you download from the web. Just choose wisely which source you can trust.
And as a little comforter: Dreamweaver has file access via JSAPI for quite a while and it looks like people have used it responsibly until now. Relax.Posted at July 28, 2004 01:18 AM | Further reading