White paper: Adobe Flash Player 9 security

Security is a key concern of Adobe. For this reason, Adobe Flash Player 9 includes a set of security rules and controls to safeguard users, website administrators, and content developers. This white paper provides an overview of the Flash Player security model. Specifically, the information in this paper applies to the security model implemented in the Flash Player 9 April 2008 Security Update (version 9,0,124,0).

Note: For information specific to the security model implemented in Flash Player 10,0,12, refer instead to the Adobe Flash Player 10 security white paper.

About this document

This white paper focuses on the security-relevant features of the Flash Player client runtime, including those introduced in earlier versions of the product. While not attempting to distinguish between versions, some references are included where changes in the security model or potential operation of applications designed and implemented in earlier versions of Flash Player may significantly differ from the target Flash Player environment described in the document.

Unless otherwise noted, this document assumes that the target platform for your development is Flash Player 9,0,124,0 running content that uses ActionScript 3.0. There are no distinctions in the runtime security model between applications created using different development tools, such as Adobe AIR, Adobe Flex Builder, the Adobe Flex SDK, or Adobe Flash.

Read the white paper:

• Flash Player 9 security (PDF, 554K)

Topics covered:

• Flash Player security environment
• Flash Player security architecture
• Permission controls
• Deployment of the Flash Player runtime
• Deployment of Flash applications

Correction in the July 21, 2008 revision

In the section on URL policy files, this sentence was corrected:

• If you run a server that serves especially sensitive documents, and you know there are no SWF files on your server other servers that need to access those documents, it is safest to create a deny-all policy file on your server.

Intended audience

This white paper is intended for the following audiences:

• Enterprise architects who are evaluating or need to better understand the security model of the Flash platform
• IT managers and system administrators who are interested in the security of Flash applications in their network environment
• Website administrators who deploy Flash applications from their sites
• Developers (including programmers and other authors) who design and publish Flash applications

This document assumes that you are familiar with Flash and ActionScript, as well as with their related terms, authoring tools, and environments.

Where to go from here

For more information about the Flash Player security, read Understanding Flash Player 9 April 2008 Security Update compatibility and Setting up a socket policy file server.