Issue

With Adobe Flash Player versions later than 9.0.115.0, any of the configurations below may not work as intended:

  • A SWF file attempts a socket or XMLSocket connection back to its own host, without performing a loadPolicyFile call to retrieve a socket policy file.
  • A SWF file attempts a socket or XMLSocket connection back to its own host, and loads a policy file that does not list its own domain within the allowed domains.
  • A SWF file attempts a socket or XMLSocket connection back to any host, with an HTTP policy file granting permission.

See the Diagnosis section for instructions to determine if your site may be affected by this change.

Reason

Flash Player versions later than 9.0.115.0 change the permission requirements for socket connections, and HTTP policy files no longer authorize socket connections. Flash Player has two types of policy files:

  • HTTP policy files, which are crossdomain.xml files on a server that define whether SWF files from other domains can load that server's content.
  • Socket policy files, which define the ports to which Flash Player can connect using Socket or XMLSocket connections.

In earlier versions, a socket policy file, which is a policy file deployed by a socket, was not required to connect to ports greater than 1024, if:

  • the domain that served the SWF file was the same as the domain of the socket connection, and
  • the serving domain hosted a crossdomain.xml file.

This earlier configuration presented a risk to customers since an increasing number of critical services are served from ports greater than 1024. This change also help to mitigate the possibility of a DNS rebinding attack using Flash Player sockets to reach the victim's host. To mitigate this issue, Flash Player now requires a socket policy file for all socket connections, regardless of the destination port and the presence of a crossdomain.xml file. There is now a fixed master location for socket policy files on port 843. The policy file on this port will be able to define meta-policies that define whether or not other socket policy files are allowed on the host. By default, all socket policy files are acknowledged.

If your SWF files previously could connect to their origin host on ports greater than 1024 because there was a crossdomain.xml file, you must now have a socket policy file. The socket policy file can be served either from the master socket policy port (843) or from the same port as the socket connection.

Diagnosis

To determine if your site is affected by this change:

Flash Player 9.0.115.0 introduced policy file logging, a new feature. The policy file log shows messages for every event relating to policy files: attempts to retrieve them, successes and failures in processing them, the fates of the requests that depend on them. A complete reference to the messages you will find in the policy file log can be found in Appendix B of the Security changes in Flash Player 9 article.

To use the policy file log:

  1. Install a Debug version of Flash Player 9.0.115.0 or later. You can use any type of Flash Player: ActiveX, Plug-In, or Standalone. You can get the Debug version of Flash Player from Flash Player Support Center Downloads.
  2. Determine the location of your mm.cfg configuration file. This is a general debugging configuration file that Debug versions of Flash Player read on startup. The mm.cfg file is located in your home directory. For example:

    • Windows: C:\Documents and Settings\username
    • Windows Vista: C:\Users\username
    • Mac OS and Linux: /home/username
  3. Create mm.cfg if it does not exist, then add one or both of the following lines:

    • PolicyFileLog=1 # Enables policy file logging
    • PolicyFileLogAppend=1 # Optional; do not clear log at startup
    • If PolicyFileLogAppend is not enabled, each new root-level SWF will clear the log file. If policyfilelogappendpolicyfilelogappend<> is enabled, the previous contents of the log file will always be kept, and the log file will grow at the end.
    If many different root-level SWF files are loaded during your testing, you will probably want to enable PolicyFileLogAppend. However, if you enable PolicyFileLogAppend, you will probably need to rename manually or delete the log file occasionally or it will become very large, and it will be difficult to determine where previous output ends and new output begins.
  4. Find the location where policyfiles.txt, the policy file log, will be written. It does not necessarily exist yet; Flash Player will create it the next time a SWF file is run. You can find policyfiles.txt in the following locations:
    • Windows: C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\Logs
    • Windows Vista: C:\Users\username[ AppData]\Roaming\Macromedia\Flash Player\Logs
    • Mac OS: /Users/username/Library/Preferences/Macromedia/Flash Player/Logs (it is unconventional for a program to write log files to the Preferences directory, but that is in fact the case)
    • Linux: /home/username/.macromedia/Flash_Player/Logs
  5. To check your setup, run any SWF file in Flash Player, then close Flash Player (or the browser).
  6. You should now see policyfiles.txt in the Logs directory. Verify that it has a recent modification time. Open it and verify that at least one message appears ("Root-level SWF loaded"). If so, policy file logging is working.
  7. Visit the SWF content you need to test. Run the content through any scenarios that will cause it to encounter policy files. Close Flash Player when you are done.
  8. Read policyfiles.txt for information about what occurred with policy files during your test run. If you see messages that aren't clear, see http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_wp.html.

  9. If you find useful information in policyfiles.txt that you need to keep for future reference, rename the log file to something other than policyfiles.txt, or move it to another directory, so that Flash Player will not overwrite the log when it runs again.

Solution

To address this issue, you must create a socket policy file permitting the connection to the host. This policy file can be served either from the socket master policy location on port 843 or from the destination port of the socket connection. The socket policy file must include all domains which are allowed to connect to the socket, including itself. If the socket policy file is hosted from the master policy file location, then include meta-policies where socket policy files are allowed to be located.

The changes for socket policy files are described in detail here:
http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_wp.html

Log messages are described in detail here:
http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_wp.html

Further reference

For Flash Player security information, visit the Flash Player security page at: www.adobe.com/products/flashplayer/security/.

Click the Resources for Developers tab for a collection of links to useful documents.

You can find a general description of socket policy files at: http://livedocs.adobe.com/flash/9.0/main/wwhelp/wwhimpl/common/html/wwhelp.htm? context=LiveDocs_Parts&file=00000349.html#wp145389

The changes in cross-domain and socket policy files are also described in detail within this article:

http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy