
Comment Re:Why was the book released before the patch? (Score 1) 214

This is Erick Lee from the Adobe Secure Software Engineering Team. We can be reached at secure@adobe.com.

From the day Adobe was notified about the issue we have been working with the researcher to develop appropriate solutions.

These potential vulnerabilities are in improperly coded SWFs, and Adobe is developing a solution in an update to Flash Player that will prevent these attacks on existing vulnerable SWFs.

Flash Player bulletin released on 12/18 (http://www.adobe.com/support/security/bulletins/apsb07-20.html) includes a solution to a portion of these vulnerabilities and the next update in early 2008 will mitigate the remaining issues.

In the meantime, developers can mitigate cross site scripting attacks in their SWFs by coding them following guidelines for secure Flash development as described in the whitepaper at http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html, and by using data validation libraries available at http://code.google.com/p/flash-validators/.

Adobe is also applying these guidelines to SWF templates that are commonly deployed, which will be available as updates in early January, and we are working with other software vendors to update their templates.

Together, these strategies provide a complete solution to the potential vulnerabilities.

Erick Lee
Manager, Secure Software Engineering
Adobe Systems
