Flash Player 9 Update


Congratulations Adobe Flash team on shipping the Flash Player 9 update on Tuesday!

This Flash update serves as a model implementation for how browser extensions can work with Protected Mode to keep users safe.

As most of you already know, on Windows Vista, IE7 includes a special feature called Protected Mode where the IE process runs with low privileges. This helps IE significantly reduce the ability of an attack to write, alter or destroy data on the user’s machine or to install malicious code. These defenses also limit legitimate actions like saving browser settings, which is why Protected Mode includes broker processes to handle IE’s elevated actions. Similarly, yesterday’s Flash update includes a broker process to handle Flash’s specific elevated actions.

Broker processes are the best way to safely handle elevated actions because they’re built to help contain an attack in the low privilege process. When developing a broker process for your extension, you should always assume that your extension is running in a compromised process. This means you should design your broker as if calls coming from your extension may be hijacked. You can safely handle hijacked calls by validating all input and by asking the user to make a trust decision in UI appropriate scenarios. For example, the IEUser.exe broker launches the Internet Options dialog when it gets a known call from Protected Mode. This prevents the Protected Mode process from silently changing the user’s browser settings such as the homepage or security slider.

Although most extensions are fully functional when running in Protected Mode’s low privilege process, some of these extensions work because Protected Mode’s compatibility layer redirects file and registry writes to a virtual store. We created the compatibility layer to get previously released extensions working. If you haven’t already done so, now is a good time to update your extensions to work with Protected Mode

Many thanks to the Adobe team for their close partnership and hard work in getting a Windows Vista-ready Flash Player 9 out.

Marc Silbey
Program Manager

Comments (57)

  1. Scott Graff says:

    I would like to add that this update also fixes problems with playing multiple http://www.youtube.com videos in multiple tabs or watching a http://video.google.com video full screen in IE7 on all platforms including Windows XPSP2 and Vista.

    Thanks Paul and team for the quick response!

    Scott Graff

    Program Manager – Microsoft

  2. JD on EP says:

    MS & Adobe: The two companies do compete in some areas, but cooperate in a whole lot more — both are big parts of our computing environment. Here, Marc Silbey of the Internet Explorer team tells how Tuesday’s release of the Vista-savvy Adobe Flash Player

  3. Mike says:

    Bogus, as usual.

    Protected mode only applies to standalone IE, not the web browser control.

  4. Jason says:

    But does this update support 64-bit Internet Explorer?

  5. Arieta says:

    Hm, many *.swf files still drop a page error when loaded natively…

  6. KevTech says:

    Protected mode does not work if you turn off one off the most annoying things in Vista – UAC

  7. GaryK says:

    i hate flash and refuse to install it. i have no idea how somebody can go to a website and expect to read or find what they want while those annoying flash programs are running, moving things around and distracting you from reading because some video is playing.

    you can keep flash

  8. James S. says:

    Hm.

    If protected mode is secure, it stands to reason that broker processes must be running before they’re requested, because the ability to start a process with higher privileges would be a risk, right?

    Does this mean that I’ll be running a bucket-load of crappy broker programs from people like Adobe (infamous for their browser-bashing PDF reader as well as the advertising medium they acquired from Macromedia) on the off chance that I need them? Or is the protected mode mechanism akin to the setuid bit in a unix?

    As a normal person, I haven’t used Vista yet, so I can’t check, but the possibility that I’m being asked to pay ever increasing costs in the name of security users bothers me. Especially since I suspect the biggest problems are caused by the type of person who would install two or three copies of anything for the promise of a free ring-tone.

    Above all though, my problem is this: I don’t trust third parties to create broker services. Third parties suck; they distribute unsigned code, they don’t patch their bugware properly (like, everyone’s up to date with flash, right?), they invent "creative" solutions to problems because they don’t have access to IE development expertise, etc… I’m sure you’ve thought these issues through, but you really haven’t explained it very well, and the impression I get is that broker services add long-term complexity for short term gain (like ‘Zones’, for example).

    Regards,

    James.

  9. dan says:

    @KevTech

    UAC is the best Windows Vista feature. Only stupid people like you want disable it.

  10. Benjamin Hawkes-Lewis says:

    Garyk,

    "i hate flash and refuse to install it. i have no idea how somebody can go to a website and expect to read or find what they want while those annoying flash programs are running, moving things around and distracting you from reading because some video is playing."

    Well, there are irritating uses of Flash (for ads, or to make background music, or without a text alternative). But Flash can also for good, for example to distribute videos you /want/ to see, or indeed, to educate, e.g. http://www.tenthdimension.com/ .

    But Flash’s potential as a serious medium for information or entertainment is deeply compromised by Adobe’s failure to make Flash content "accessible" to assistive technologies like screen readers in any browser other than Internet Explorer:

    http://tinyurl.com/y68flt

  11. Timb0b says:

    GaryK, while I see where you’re coming from – annoying ads gets me mad as well – I’d expect anyone to properly separate the technology from the usage some people give to it. You know, when Java started (97?), for me it was the equivalent of Applets. Every page had those annoying applets for fancy menus and I hated it. I navigated with applets off. Only years later I understood what a great technology Java was.

    The same applies to Flash. Sure, you can say animated/rich interface websites suck. Sure, you can say videos on the web suck, it’d better to have direct links for them. Sure, you can say instant-on, online multiplayer games suck, you could have them standalone and ported to three different OS’s using other technology. But this is like dissing HTML because it’s not like TXT; like dissing the Web because it’s not like FTP.

    After all, we’re just reading stuff online, so it’d be better to have it all on an FTP server, where we can browse to the dir we want, download the TXT of the content we want, and .AVI of videos we want, and even .JPG of what we want. It would be so much greater, right?

    It’s the way it’s used that counts. GIFs are also used for annoying ads and that doesn’t make the technology bad. Heck, I hate popup windows and that doesn’t make me hate the browser. The same applies to Flash.

  12. MarxMarvelous says:

    Marc – Any word on when we’ll see a 64-bit enabled Flash player?  It would be nice to be able to use the 64-bit IE 🙂

  13. harry says:

    Not sure if this is technically "off-topic" but I was told that MS employees weren’t allowed to install flash player version 9.  I assume this can’t be true given the nature of this post.  Perhaps there are some parts/depts of microsoft that aren’t authorized to install it?

  14. Aedrin says:

    "But Flash can also for good, for example to distribute videos you /want/ to see"

    The only real ‘good’ use for Flash is indeed to display videos or education (tutorials). People have caught on to that at least. But other than that I have not seen a good use other than trying to be cool. Any site that uses it mostly for the interface loses points in design, in my opinion.

  15. Fiery Kitsune says:

    I guess Garyk hates Youtube as well…

  16. Harry,

    There may have been some teams who could not install the pre-release Flash 9 due to compatibility issues or such, but I’ve never heard of any blanket rule prohibiting MS employees from installing Flash 9.

  17. David says:

    I want to second James’ concerns. If custom broker processes is the way that ActiveX controls should "reach outside of the box" on Vista, this _will_ be the new frontier for exploits. It is sufficient that _one_ popular control (Flash, perhaps) has a broker function like ExecuteSystemCommand() or WriteToAnyFile() and we will be back to square one again. I am stunned that this is the proposed solution. How could this be good news?

    I had, very naïvely, assumed that IEUser.exe included enough safe, public functions for ActiveX-controls to call so that custom brokers weren’t needed in Protected Mode. I am thinking along the lines of secure Open/Save dialogs, controlled ways to persist settings etc.

    Now, is there a security setting that allows me to disable custom broker processes but not ActiveX entirely so that I can continue to watch cute animations of flying pigs without exposing myself to exploits? It should be on by default.

  18. zzz says:

    What the . is up with the imdb.com site.

    They have a Flash ad that has space reserved for in the page but in IE7 it shows on top of the page, breaking the layout and making you scroll on every page:

    http://uk.imdb.com/

    Makes me regret installing Flash.

  19. zzz says:

    KevTech:

    You can change security policy so that UAC is still on and you get virtualization etc but no nagging prompts.

    Change

    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    to Elevate without prompting

  20. Marc Silbey [MS] says:

    David and James S.

    I understand your concerns about broker processes and I also want all broker processes to be securely built so they help protect users.

    Brokers allow us to componentize our code and only allow code that needs higher privileges to get it. For example, Protected Mode does include a few APIs like IEShowSaveFileDialog() that call the IEUser.exe broker process. This API allows browser extensions to save files to the user profile without creating their own broker processes. Similar to why applications running in UAC will create broker processes to gain admin privileges, some browser extensions will need to write their own broker processes to gain user or admin privileges. Windows Update is a good example of a browser extension that needed to create a custom broker process to download and install software from the web. You can read more on broker processes in the UAC tech article here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

    End users can control whether a broker is launched through Protected Mode’s elevation dialog displayed here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp

  21. David says:

    Marc,

    Thanks for the information – I will definitely look into that. I am glad to hear that the IEUser.exe process does include some general purpose APIs that will hopefully be enough for most controls. But I am also worried why Flash needs something more "powerful"…

    Let me say this: I will be happily surprised if we will not see exploits where a code injection bug in component A is used to subvert the broker process of component B to install code on the machine. A and B might not be from Microsoft, and they will be written with nothing but good intentions, but the guys looking for ways to turn our computers into zombies have considerable financial incentives and will try everything.

    For those that want more features than the standard IE broker can offer, I have a suggestion: ClickOnce. It’s available on every Vista machine, you can run your app with full privileges if the user agrees to and even host IE very easily if you want to interact with a specific web site. Unlike the control-hosted-in-IE-model, a weakness in your ClickOnce application would be very hard, if not impossible, for a malicious web site to exploit.

    Keep up the good work!

  22. David says:

    Just a quick followup: Yesterday I (half-jokingly) suggested that a popular component with a broker process implementing functions like ExecuteSystemCommand() or WriteToAnyFile() would defeat the purpose of Protected Mode. Now, let me quote the Type Library of the FlashBroker COM server for the newly released Flash 9 control, by our good friends at Adobe:

     void BrokerCreateFile( fileName, readOnly, truncateOnOpen );

     void BrokerWriteFile( cookie, data );

     void BrokerDeleteFile( fileName );

     void BrokerLMLaunch( applicationName );

    Anybody scared yet?

  23. Arnold says:

    @David, yeah, count me in as one for "scared".

    This has (typically in the past) often been the issue… if you provide (process/application/site/?) higher privileges you then have to adjust your security defenses, to prepare for new attack vectors on the things with the higher privileges.

    oh well, time will tell.

  24. rc says:

    I wonder whether Internet Explorer Developer Toolbar will ever be updated. It is in "beta preview" state from March…

  25. Steven Johnson says:

    @David, BrokerCreateFile() and friends are constrained to operate only on the Flash Player’s normal subfolder in the user data folder (e.g., C:UsersusernameAppDataRoamingMacromediaFlash Player).

    Similarly, BrokerLMLaunch() will only launch certain digitally signed apps that are installed in the Flash Player’s subfolder.

    Preventing general filesystem access (and process launching) was a requirement our internal security team was careful to impose on the Broker API.

  26. Dave Massy says:

    rc,

    We are working on an update to the Developer toolbar and hope to make it available in the coming weeks. We have not forgotten it 🙂

    Thanks

    -Dave Massy [MSFT]

  27. MMesich says:

    Is it expected behaviour that I had to click "allow" about 20 times while installing it onto 64-bit Vista Ultimate?

  28. David says:

    Steven, it’s good to hear that something as widely spread as the Flash player has a responsibly written broker process. Let’s hope that all other controls that end up on millions of machines have brokers that can stand from some serious pounding by the bad guys.

  29. Koon Chong says:

    Hi, I made a review of both new versions of IE and Firefox today, could anybody give me feedback on that?

  30. steve_web says:

    If Dr. Nic (Rivera?*) posted this article:

    http://drnicwilliams.com/2006/11/22/debugging-javascript-in-ie7-how-to-clear-your-javascript-cache/

    about how the "delete files" options in IE7 doesn’t actually delete cached JavaScript?… is this true?… if so, what happened to "Delete Browsing History" solving all my "gift" giving dilemmas?

    PS Still waiting on the bug tracking site…

    PS Still waiting on the bug tracking site…

    PS Still waiting on the bug tracking site…

    * Any Simpson’s fan will recall our favorite ethically and intelligence challenged doctor. 😉

  31. IE7 disables Flash on the initial install, I can’t understand this. At least give the user the option to deactivate Flash during the initial install, just don’t automatically disable it.

  32. J Yeow says:

    There is still a small nag I have with the flash in IE7.

    http://www.adobe.com/

    flash movies freeze when the mouse is used.

    Not important, but an issue.

  33. Fduch says:

    Are saying there is a feature in IE7 called Protected Mode that can make me not vulnarable to frequent remote DOS attacks through IE7?

    I’ll belive you and try. But if you lied, prepare to die! Because God doesn’t like liars.

  34. Fduch says:

    IE7 is so damn fast

    Try visiting

    http://www.mind-control.com/orbital/projects.php

    Now I know why I don’t see Hihj-End Dual-Core PCs with "Designed For Intenet Explorer 7". That’s because current Dual-Core processors are too much slow for IE7. IE7 is "ready", CPUs aren’t.

  35. Benjamin Hawkes-Lewis says:

    Fduch,

    Seeing as that page consists of XHTML served as text/html, and there is no specification for how user agents should handle such markup save by copying the error handling of other user agents, and seeing further that it fails to even conform to the XHTML specification (31 validation errors, for example), I’d suggest you need to get those responsible to correct the markup /before/ blaming IE. Of course, it might still be slow after they fix the markup, but until that happens you don’t know whose fault it is.

  36. xyzzy says:

    Seriously, please fix this issue of IE stealing focus already. It’s unnecessary and annoying.

  37. Tony says:

    "PS Still waiting on the bug tracking site…" -steve_web

    If I read one of the previous chat transcripts correctly the bug tracker is down while they analyze the current listing to amalgamate similar bugs and prioritize critical updates.

    Once the planning stage is ready to begin for the next IE iteration the bug tracker will be re-enabled.

    My advice? Keep all found issues in a log with dates and when the bug tracker is active then submit all at once. Submiting them on the blog isn’t doing any good because they will be lost as time passes.

  38. Benjamin Hawkes-Lewis says:

    Tony

    "the bug tracker is down while they analyze the current listing to amalgamate similar bugs and prioritize critical updates."

    Rival projects seem to manage to mark duplicates and prioritize bugs without taking down their bug trackers. I grant you Connect may make even basic tasks more hassle than Bugzilla, but it wasn’t /that/ bad, surely?

    "Keep all found issues in a log with dates and when the bug tracker is active then submit all at once."

    Or perhaps add them to:

    http://easy-designs.stikipad.com/ie-next-wishlist

    which is backed by the Web Standards Project:

    http://www.webstandards.org/2006/11/04/you-can-improve-ie-next/

  39. IE7 seems to freeze on me alot, same problem like in the beta. Firefox works well.

    They both have their issues

  40. Fduch says:

    @Benjamin Hawkes-Lewis

    My only question: Why IE6 works normal/fast on that page and IE7 eats all CPU cycles?

    I like innovations of IE7, but I see too many degradations from IE6.

  41. steve_web says:

    Another bug…

    Generated form controls (via DOM methods), added to *any* form, are not accessible by name!

    e.g. lets create a control, (a checkbox, with the name ‘foo’)

    e.g. Any of the following will **FAIL**.

    var val = document.forms[yourIndex][‘foo’].value;

    var val = document.forms[yourIndex].elements[‘foo’].value;

    var val = document.forms[yourIndex].foo.value;

    var val = document.forms[yourIndex].elements.foo.value;

    And of course, it isn’t just the value, the object just isn’t added to the form’s named array… so if you want the length of an element, or details about the options of a select list, or the class/style attributes, you’re out of luck.

    As a horribly ugly workaround, you can iterate over the entire contents of the form, checking the name of each element against your desired name.

    PS This is broken in IE6 too.

  42. Fduch says:

    I love how this page zooms out.

    http://jehiah.com/archive/ie-vertical-align-top-vulnerability

    When I saw even underlines break, I LOLed

  43. Fduch says:

    @Aedrin

    How can you say IE has no bugs if you saw that wiki?

  44. Benjamin Hawkes-Lewis says:

    Fduch,

    "My only question: Why IE6 works normal/fast on that page and IE7 eats all CPU cycles?"

    I don’t know. Maybe Internet Explorer 6’s error handling happens to be better for that particular page than Internet Explorer 7’s error handling. I can’t see much point in debating the merits of how browsers handle individual bits of broken content. The content itself needs to be fixed, end of story.

    Aedrin,

    Ah, /that/ wiki. When you said wiki in a previous thread I’d assumed you meant the old feedback wiki which Microsoft abandoned when Internet Explorer went onto Connect. I’m not entirely persuaded about how "Microsoft backed" it really is, compared even to bug reports on this blog. Why isn’t it mentioned in the support section on the main Internet Explorer site?

    Still, while not by the slightest stretch of the imagination a replacement for the bug tracker, it’s better than nothing, I guess. Thanks for the link.

  45. steve_web says:

    Yet Another DOM Bug.

    Scenario:

    If you have window_a, and popup_window_b (which window_a created)

    Bug:

    If you create DOM elements/text nodes on window_a, you can’t add them to popup_window_b, you HAVE TO REFERENCE the popup window’s document, to both CREATE, and APPEND/INSERT the elements/nodes.

    PS, I’m not endorsing popups, in the advertising sense, I’m referring to web/browser based applications, where "widgets" of some kind are launched from the main application.

  46. anony.muos says:

    SO HAS THE IE TEAM FORGOTTEN ABOUT THE IE DEVELOPER TOOLBAR. WHO IS RESPONSIBLE FOR RELEASING THE FINAL STABLE VERSION?

  47. steve_web says:

    @someone

    Dave Massy indicated above:

    http://blogs.msdn.com/ie/archive/2006/11/17/flash-player-9-update.aspx#1120523

    That the developer toolbar is being worked on, and they are hoping for a new release in a few weeks.

    I know that feedback was full of bug reports on the toolbar too, but just a recap on some of the really annoying missing/broken features.

    1.) Doesn’t work on frames

    2.) Goes ‘disabled’ every now and then when moving/hiding other toolbars (yes, in the most recent version)

    3.) DOM Explorer is very awkward to use, is chromed in win95 controls, and you can’t scroll sideways to see all the details for attributes

    4.) DOM Explorer, remove the angle brackets from the nodes, they just take up space (left tree)

    5.) DOM Explorer, some nodes do not appear at all

    6.) DOM Explorer, provide better confirmation when applying attribute updates, that they are successful… better yet, ensure that editing **ALL** attributes is possible, e.g. under the covers, editing attributes better not be calling the DOM method .setAttribute() or many of the calls will fail.

    7.) Can’t pick n choose what CSS to disable…

    8.) No live CSS editing…

    9.) Outline color should change on nested elements (e.g. table cells)

    10.) Outline any element gets confused when you pick table, div or images (e.g. the other menu items)

    11.) View Image report chokes on & and ; characters in the parsing and won’t render properly.

    12.) No Show Image Titles option

    13.) DOM Explorer, iframe Doctype’s parsed as comments

    14.) SVG Support

  48. Fduch says:

    I don’t use developer toolbar, but I use ViewPage add-on (http://viewpage.maxthon.com/, http://viewpage.maxthon.com/VPSetup_1025.exe)

    steve_web, can you "compare" them? What can IE DevToolbar do?

  49. steve_web says:

    @Fduch

    Sure thing, I’ll give it a whirl tonite!  I can tell you now though, just looking at the screen shot shows a GUI that is much better looking!

  50. Fduch says:

    hehehe

    I’m waiting for the next blog post to do a little ad

  51. Aedrin says:

    "How can you say IE has no bugs if you saw that wiki?"

    I wasn’t aware I ever claimed that?

    All I’ve said is that IE is fine to work with.

    At least IE doesn’t force me to reboot my computer every day. And then they say IE uses up too much memory… Up, down, which way is it? Who knows.

  52. steve_web says:

    @Fduch, re:review of ViewPage…

    It is now a very welcome, permanent addition to my development tools!

    Live editing? yup!, readable & helpful DOM navigation? yup!, frames support? yup!, easy attribute/style editing? yup!

    If I have to make any complaints, I would just ask if an "outline" feature would be available, so that one can quickly see nested tables, etc.

    Otherwise, works as advertised and more!

    Steve

    ps I would also consider a revamp of the dialogs, to see if they can make use of the WindowsXP+ GUI controls (e.g. the softer scrollbars, rounded buttons, with 3-phase highlight etc.) Its not a big issue, but it would look very slick with the newer chrome.

  53. Fduch says:

    @Steve

    Can you explain the "outline" feature a bit. Is it selecting part of the page when you select corresponding DOM node?

  54. I realize that this is an off topic question, so apologies ahead of time for the "randomness" factor.

    Are there any plans to introduce the support for the

    multipart/x-mixed-replace Content-Type in IE7 or later versions of IE.

    This appears to be currently supported by Safari, Firefox and Opera browsers, it would be nice to have IE be part of the pack as well…

  55. steve_web says:

    @Fduch

    Sure, Outline is a feature, borrowed (i’m guessing) from the Web Developer toolbar for Firefox.  It allows you to draw visual outlines (usually 1px in width) around various elements on the page.  It lets you "see" some of the structure of the page, when viewing the rendered result.

    The Firefox outline tool, will let you outline any element on the page (as does the IE one), but the Firefox one, changes the color, when items are nested.

    e.g. if you are outlining table cells, <td>, then the first level will get a red outline, the next level in (e.g. child cells), will get a green outline, then blue, then repeat for each additional 3 levels.

    Ditto for block level elements like div’s <div>.

    Its a great tool, when you want to find out why one section of your page doesn’t line up, or why the padding in one area seems different than another, or why certain floats don’t appear to be working as designed.

    Here’s a screenshot, of Digg, with Block level outlines turned on…

    http://tinyurl.com/y6qhxm

    steve

Skip to main content