30 July 2009
Note: The following article is intended for developers only. Customers who are experiencing Adobe Flash Player installation issues should begin troubleshooting in the Flash Player Support Center.
The Adobe Flash Player 10.0.32 Security Update addresses the issues described in Security Bulletin APSB09-10. The latest Flash Player update is available from the Flash Player Download Center. Adobe recommends installing all security updates as soon as possible.
Note: The information in this article also applies to Adobe AIR 1.5.2. For Flash Player 10.0.32, there are no security model changes that should affect any of your existing content.
Minimizing the impact of security changes
Backwards compatibility has been a hallmark of the success of Flash Player, as has been our responsiveness to security issues that arise from time to time. We try to balance these two goals as carefully as possible. In every security release, we strive to avoid any impact on existing content.
When content changes are unavoidable to respond to a security issue, our first goal is to try to design the fix in a way that can be managed without having to recompile a SWF. We look for solutions that we can affect through changes to the HTML, cross-domain policy files, or server configuration. Only when this is not possible do we make the difficult decision to implement a solution that requires a change to the SWF.
We take compatibility bugs seriously, so if you do experience any change in the behavior of your SWFs after installing Flash Player 10.0.32, please contact Adobe by filing a bug in our public Flash Player bug and issue management system. This is the best and fastest way to have the issue looked at by the Flash Player team. For more information, read Introducing the Flash Player bug and issue management system.
Security-related enhancements in this release
Adobe Flash Player 10.0.32 offers some security related enhancements. These introduce new abilities that were previously unavailable or restricted by security rules. Please review the following security-related changes made in Flash Player 10.0.32.
A new LocalConnection property for both ActionScript 2 and ActionScript 3, named
isPerUser, has been added that can be used to control the behavior of a LocalConnection's communication channel when Flash Player is running on Mac OS X.
Prior to Flash Player version 10.0.32, LocalConnection under OS X used a global communication channel, meaning that there was a single shared LocalConnection namespace for all users on the computer. This would allow users to send or receive LocalConnection callbacks to or from another user on the computer.
Starting with version 10.0.32, Flash Player now provides the
isPerUserproperty to limit LocalConnection objects to the current user. Setting
truewill cause LocalConnection on Mac OS X to work the same way it currently does on Windows and Linux. However, to avoid backwards breakage of content, the default value of
isPerUseris set to
false. Please note that on all non-Mac platforms, LocalConnection objects are always scoped to the user, even if
isPerUseris set to
For more information on the
isPerUserproperty, please see the following Flash Player TechNote: New LocalConnection API for both ActionScript 2 and ActionScript 3.
In Flash Player versions prior to 10.0.32, when running in Protected Mode in Internet Explorer, files could be saved only to the user's desktop when using FileReference.save. In Flash Player 10.0.32 and later, this restriction has been lifted. When saving a file using FileReference.save, users are presented with a standard browse dialog which allows them to select any location on their system to which they have access.
Preparing for future security releases
The best way to make sure that your content is not affected by security releases is to stay informed. For the most current information on what you may need to do to respond to security change pre-communications, periodically check the Flash Player Developer Center and Adobe AIR Developer Center. The definitive information for changes that you need to make will be posted there.
You can also follow the blog of the Adobe Product Security Incident Response Team. The PSIRT blog will contain links to announcements of security changes in upcoming Flash Player releases that may affect your content and will also reference any security bulletins and advisories for our products.
You can find patch information for all Adobe products on the Security bulletins and advisories page. Here you can sign up for our notification service, which will notify you of our patch bulletins as they are released.