With Adobe Flash Player versions later than 126.96.36.199, any of the configurations below may not work as intended:
- A SWF file attempts a socket or XMLSocket connection back to its own host, without performing a loadPolicyFile call to retrieve a socket policy file.
- A SWF file attempts a socket or XMLSocket connection back to its own host, and loads a policy file that does not list its own domain within the allowed domains.
- A SWF file attempts a socket or XMLSocket connection back to any host, with an HTTP policy file granting permission.
See the Diagnosis section for instructions to determine if your site may be affected by this change.
Flash Player versions later than 188.8.131.52 change the permission requirements for socket connections, and HTTP policy files no longer authorize socket connections. Flash Player has two types of policy files:
- HTTP policy files, which are crossdomain.xml files on a server that define whether SWF files from other domains can load that server's content.
- Socket policy files, which define the ports to which Flash Player can connect using Socket or XMLSocket connections.
In earlier versions, a socket policy file, which is a policy file deployed by a socket, was not required to connect to ports greater than 1024, if:
- the domain that served the SWF file was the same as the domain of the socket connection, and
- the serving domain hosted a crossdomain.xml file.
This earlier configuration presented a risk to customers since an increasing number of critical services are served from ports greater than 1024. This change also help to mitigate the possibility of a DNS rebinding attack using Flash Player sockets to reach the victim's host. To mitigate this issue, Flash Player now requires a socket policy file for all socket connections, regardless of the destination port and the presence of a crossdomain.xml file. There is now a fixed master location for socket policy files on port 843. The policy file on this port will be able to define meta-policies that define whether or not other socket policy files are allowed on the host. By default, all socket policy files are acknowledged.
If your SWF files previously could connect to their origin host on ports greater than 1024 because there was a crossdomain.xml file, you must now have a socket policy file. The socket policy file can be served either from the master socket policy port (843) or from the same port as the socket connection.
To determine if your site is affected by this change:
Flash Player 184.108.40.206 introduced policy file logging, a new feature. The policy file log shows messages for every event relating to policy files: attempts to retrieve them, successes and failures in processing them, the fates of the requests that depend on them. A complete reference to the messages you will find in the policy file log can be found in Appendix B of the Security changes in Flash Player 9 article.
To use the policy file log:
- Install a Debug version of Flash Player 220.127.116.11 or later. You can use any type of Flash Player: ActiveX, Plug-In, or Standalone. You can get the Debug version of Flash Player from Flash Player Support Center Downloads.
- Determine the location of your mm.cfg configuration file. This is a general debugging configuration file that Debug versions of Flash Player read on startup. The mm.cfg file is located in your home directory. For example:
- Windows: C:\Documents and Settings\username
- Windows Vista: C:\Users\username
- Mac OS and Linux: /home/username
- Create mm.cfg if it does not exist, then add one or both of the following lines:
- PolicyFileLog=1 # Enables policy file logging
- PolicyFileLogAppend=1 # Optional; do not clear log at startup
- If PolicyFileLogAppend is not enabled, each new root-level SWF will clear the log file. If policyfilelogappendpolicyfilelogappend<> is enabled, the previous contents of the log file will always be kept, and the log file will grow at the end.
- Find the location where policyfiles.txt, the policy file log, will be written. It does not necessarily exist yet; Flash Player will create it the next time a SWF file is run. You can find policyfiles.txt in the following locations:
- Windows: C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\Logs
- Windows Vista: C:\Users\username[ AppData]\Roaming\Macromedia\Flash Player\Logs
- Mac OS: /Users/username/Library/Preferences/Macromedia/Flash Player/Logs (it is unconventional for a program to write log files to the Preferences directory, but that is in fact the case)
- Linux: /home/username/.macromedia/Flash_Player/Logs
Read policyfiles.txt for information about what occurred with policy files during your test run. If you see messages that aren't clear, see http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_wp.html.
To address this issue, you must create a socket policy file permitting the connection to the host. This policy file can be served either from the socket master policy location on port 843 or from the destination port of the socket connection. The socket policy file must include all domains which are allowed to connect to the socket, including itself. If the socket policy file is hosted from the master policy file location, then include meta-policies where socket policy files are allowed to be located.
The changes for socket policy files are described in detail here:
Log messages are described in detail here:
For Flash Player security information, visit the Flash Player security page at: www.adobe.com/products/flashplayer/security/.
Click the Resources for Developers tab for a collection of links to useful documents.
You can find a general description of socket policy files at: http://livedocs.adobe.com/flash/9.0/main/wwhelp/wwhimpl/common/html/wwhelp.htm? context=LiveDocs_Parts&file=00000349.html#wp145389
The changes in cross-domain and socket policy files are also described in detail within this article: