flensed 1.0 release candidate!

getify | CheckPlayer, flXHR, flensed | Tuesday, December 2nd, 2008

The flensedCore, CheckPlayer, and flXHR projects have all undergone significant reworkings to address various bugs and improve performance and functionality. They have been consolidated together into a 1.0 release candidate, available here. This release is considered stable, but not production ready yet (though it’s very close!). Please test it at your convenience and give any feedback you may have before we declare a full production 1.0 release.

More bug fix updates to CheckPlayer and flXHR

getify | CheckPlayer, flXHR, flensed | Saturday, September 27th, 2008

New alpha releases of flensedCore, CheckPlayer, and flXHR, which address a number of bugs (some big, mostly small), have officially been released. The biggest of the bugs relate to flXHR and processing of either improperly escaped text responses, or large text/binary responses — both of which flXHR now properly handles.

All users of CheckPlayer or flXHR are encouraged to upgrade immediately.

[Oct 8, 2008 -- Update]: flXHR has had several other important bugs fixed since this blog post. The new current version is v0.6-alpha7.

Well-known Flash security hole bites again

getify | CheckPlayer, Flash | Wednesday, August 27th, 2008

In what should be a wake-up call to all web-dev authors who create (or use) Flash content on their sites, Jens Brynildsen of FlashMagazine writes about how a well-known Flash security hole was just exploited by ads placed on the MSN (Norwegian) site, quite possibly affecting/infecting tens of thousands of their users.

If you haven’t already, PLEASE update to the latest (9.0.124) plugin, right now! Also, help Jens’ article get some love by digg’ing it, please. We’ve got to get the word out!

NOTE: This security bug has been known and exposed for months now, and is *not* the same as the new security hole I found and wrote about last week. That one, unfortunately, remains unaddressed by Adobe so far.

As I mention in the first comment on that digg posting, for quite a while now, libraries like SWFObject and our very own CheckPlayer have exposed Adobe’s “ExpressInstall” functionality, which is a drop-dead simple way for users to be prompted to update their Flash Player plugin automatically, unobtrusively, inline in the browser whenever they visit a site with Flash content (even ads!).

If web authors would realize the importance of keeping users’ systems up to date and secure, and would simply use libraries and features like “ExpressInstall” to update users’ plugins as they visit their site, I think there’d be much less chance that hackers and malicious folks would be able to take widespread advantage of such vulnerabilities.

This call is *especially* true for the big, high-traffic sites, which have probably the best possible chance of getting updates out to the public. If Yahoo, MSN, YouTube, Flickr, etc. would use the “ExpressInstall” feature on their Flash content, and specify the latest secure version (such as “9.0.124”), then millions of users would be updated very quickly, and vulnerabilities like this would die very quickly too!

I also think Adobe could do a better job of getting this same call-to-action out, for the general web-dev authoring community. We all have to take responsibility in helping keep the web as safe and secure as it can be for the technologies we use to present content to users.

