
Adobe Flash Player Version 23.0.0.162 Released

Adobe Flash Player version 23.0.0.162 has been released by Adobe Systems. Adobe Flash Player is a cross-platform browser-based application runtime that is required for viewing certain applications, content, and videos.

 

Fixed Issues

  • Application with Embedded ActiveX (f-in-box) Crashes (4176988)

 

New Features

 

Mozilla NPAPI AsyncDrawing Support

Async Drawing refers to the method that the browser and Flash Player use to exchange a bitmap surface where Flash Player draws the SWF content. It is used only when the stage is composited with the rest of the content in the browser window. This feature allows wmode “direct” (wmode opaque and transparent) to behave as “windowless” in hardware accelerated async drawing. It is not used in fullscreen mode, or in windowed mode where the plugin draws directly to its own window. If asynchronous drawing is unavailable for any reason, the plugin falls back to using the existing synchronous drawing model.

AsyncDrawing is supported in the NPAPI plugin on Windows desktop platforms only. It is currently available from FP version 23.0 in Firefox Nightly 51.0a1; the Firefox versions supporting the feature are yet to be announced. The choice of which Async Drawing path is used (hardware or software) depends on whether the browser supports hardware or software Async Drawing modes.

To disable AsynchronousDrawing support in Firefox, go to “about:config” in the search bar of the browser and set “dom.ipc.plugins.asyncdrawing.enabled” to false.

 

 

HSTS Support in Flash Player

Beginning with Flash Player 23, we have introduced support for HSTS (HTTP Strict Transport Security). HSTS is an IETF standard that requires user agents (browsers) to use HTTPS for communication instead of HTTP. An HTTPS response may carry a Strict-Transport-Security (STS) header field that requests the user agent to make further requests over HTTPS. Flash Player will now acknowledge the STS header in an HTTPS response.

This will be particularly helpful when a SWF calls another SWF (child SWF) that is hosted on an HSTS-enabled server. Flash Player will acknowledge the STS header in the response, and further requests to the same domain will always use HTTPS. This feature will be helpful in mitigating protocol hijacking attacks and cookie hijacking.

 

 

Disabling local-with-filesystem access in Flash Player by default

Beginning with Flash Player 23, local-with-network permissions will now be applied to all local SWF content, regardless of the preference chosen at compile time.

Background:
When playing Flash (SWF) content from the local filesystem, developers have historically been able to configure content to either read exclusively from the filesystem or communicate with the network. When this functionality was introduced over a decade ago, it enabled an interesting array of use-cases ranging from simple games to interactive kiosks. In the context of modern web security, we believe that it is time to retire local filesystem functionality in the browser plugin.


The vast majority of Flash Player users and content will be unaffected by this change. This change only impacts Flash content played from the local filesystem, using the browser. Flash content hosted on the internet and local webservers, as well as the Standalone Flash Player, remains unaffected. If you are a user who requires this functionality, these files can be added to the list of Trusted Locations in Flash Player.

Workarounds for Legacy Content:
We highly recommend that you only circumvent these controls to enable content from sources that you trust.

For Individuals:

For Internet Explorer, Edge, Firefox, Opera and Safari:

  • On the affected system, go to the Flash Player Settings Manager (Windows: Control Panel > Flash Player)
  • Select the Advanced tab
  • In the Developer Tools section, click the Trusted Location Settings button
  • Click the “Add…” button and add relevant files and folders to the list


For Google Chrome (and other PPAPI browsers):

  • Navigate to the Settings Manager page
  • Choose Edit Locations > Add Locations from the popup list
  • In the text field that appears, type or paste the file/folder path that you’d like to trust
  • Click the “Confirm” button

Note:
Please be aware that the “Browse for files” and “Browse for folder” buttons do not function properly. You must manually type or copy/paste your path into the text field above the buttons to add the file or folder to the trusted list.


For System Administrators:

The legacy behavior can be restored by applying the EnableInsecureLocalWithFileSystem=1 flag to mms.cfg.
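For administrators who need to know where the legacy behaviour has been switched back on, a small audit over collected mms.cfg contents, as an added example (not Adobe's code). The function names, host labels and sample files are constructed; treating `#` lines as comments, keys as case-insensitive, the last assignment as the effective one and `true` as equivalent to `1` are assumptions.

```python
FLAG = "EnableInsecureLocalWithFileSystem"  # flag name as given in the release notes

def find_legacy_flag(cfg_text):
    """Return (line_number, value) for every line of mms.cfg text that sets FLAG."""
    hits = []
    lines = cfg_text.lstrip("\ufeff").splitlines()   # tolerate a UTF-8 BOM
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):         # assumption: '#' marks a comment line
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == FLAG.lower():  # assumption: case-insensitive keys
            hits.append((number, value.strip()))
    return hits

def legacy_filesystem_enabled(cfg_text):
    """True if the effective assignment of FLAG restores local-with-filesystem access."""
    hits = find_legacy_flag(cfg_text)
    # assumption: the last assignment wins; "true" is accepted alongside the page's "1"
    return bool(hits) and hits[-1][1].lower() in ("1", "true")

def audit(configs):
    """configs maps a host label to its mms.cfg text; returns the hosts to review."""
    return sorted(host for host, text in configs.items()
                  if legacy_filesystem_enabled(text))

# Constructed sample inputs: three hosts with different mms.cfg contents.
SAMPLE = {
    "kiosk-01": "# constructed sample\nAutoUpdateDisable=1\n"
                "EnableInsecureLocalWithFileSystem = 1\n",
    "desk-17": "#EnableInsecureLocalWithFileSystem=1\nAutoUpdateDisable=0\n",
    "lab-03": "EnableInsecureLocalWithFileSystem=0\n",
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(host, find_legacy_flag(SAMPLE[host]))
```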

 

 

Video and Camera support for Stage3D by VideoTexture for Flash Player (Release)

In Flash Player 20 or earlier, use of video in Stage3D required use of the Video object, which is not hardware accelerated. It involved copying the video frame to a BitmapData object and then loading data onto the GPU, which made it CPU-intensive.


To address this limitation, the VideoTexture object was introduced. It allows you to use hardware decoded video in Stage3D content. Further, extending this capability in the Flash Player 23 release, texture objects have been introduced to support the use of NetStream and Cameras in a manner similar to the use of StageVideo. These textures can be used as source textures in the Stage3D rendering pipeline. You can use them as rectangular, RGB, or no mipmap textures in rendering of a scene. The shaders treat them as ARGB textures, which means that the AGAL shaders no longer have to handle YUV to RGB conversion. This allows you to use the standard shaders written for static images without any modification. When you render using these textures, the image used by the rendering pipeline is the latest frame at that time. Although there is no tearing in the video frame, if you use the same texture many times, some of these instances may be picked from different timestamps.


With the use of a VideoTexture object, all this work gets optimized internally – YUV to RGB conversion and texture loading can be completely moved to the GPU. See the VideoTexture devnet article for implementation details.
 


Microphone.getEnhancedMicrophone

To get access to the device microphone, we use Microphone.getMicrophone(). However, this API returns a simple microphone, which does not have the ability to eliminate acoustic echo. To remove the acoustic echo, developers must get an instance of Microphone using the API Microphone.getEnhancedMicrophone(). The device microphone returned by this API has the acoustic echo cancellation feature enabled.

Requirements

– Add the following tag under Android manifest additions:
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />

– There may be pre-existing SWFs that use the Microphone.getEnhancedMicrophone() API (as it is already present and working for AIR desktop applications). If such SWF files are packaged with the latest AIRSDK (version 23), the feature will not work. Developers need to recompile the SWF with swf-version 34 or higher.

Sample snippet
Here is the example code snippet for this scenario:

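// Constructor of the sample class; mic and mic_status are members defined elsewhere in it.
public function Microphoe()
{
    // Request the microphone with acoustic echo cancellation enabled
    mic = Microphone.getEnhancedMicrophone();
    mic.gain = 60;   // input gain, 0 to 100
    mic.rate = 22;   // capture rate in kHz
    mic.addEventListener(StatusEvent.STATUS, mic_status);
}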

Limitations
Acoustic Echo Cancellation may not work on some devices (such as the Moto G2) because of hardware side limitations.

The API MicrophoneEnhancedOptions (present on AIR for desktop) will be a no-op on AIR for Android.

Performance of the feature can vary depending upon the hardware side handling of echo cancellation for different Android devices. For the devices that do not support Echo Cancellation at the hardware level, AIR will handle the echo cancellation from the software side.

Acoustic effects of the microphone class will vary according to the device. Because the Android Family has devices with different hardware configurations, the same audio settings will have different impact on different devices. For example, a developer may have to use “mic.gain = 70;” for Samsung Note 4 for loud output of the voice.

 

For a full list of features in Flash Player and AIR, including features introduced in previous releases, please review the document here

 

Known Issues

  • Firefox only, TextInput.setFocus() does not focus/place cursor inside control (4079841)
  • Firefox only, Japanese input conversion area appears outside the browser window, not on input area. (4132817)
  • KeyboardEvent.KEY_UP – KeyboardEvent.KEY_DOWN wrong charCode when shift key is pressed (4177611)



Security Updates

Adobe has released security updates for Adobe Flash Player for Windows.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

  • Adobe recommends users of the  Adobe Flash Player Desktop Runtime for Windows update to 23.0.0.162.
  • Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 23.0.0.162 for Windows.
  • Adobe Flash Player installed with Microsoft Edge and Internet Explorer for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 23.0.0.162. 

 

 

 

Vulnerability Details

  • These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-4287). 
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932). 
  • These updates resolve security bypass vulnerabilities that could lead to information disclosure (CVE-2016-4271, CVE-2016-4277, CVE-2016-4278). 
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-6922, CVE-2016-6924).

 

Adobe Flash Player is one of the applications that is managed and updated by ODS.  If you are a current customer, ODS will automatically update your version of Adobe Flash Player over the next few days.  ODS will deploy both the ActiveX version and the Plugin version.  This ensures that Adobe Flash Player will function with web browsers including Internet Explorer, Firefox, and Chrome.  The update will install silently.  No user interaction is required.  There are no additional fees or charges for ODS to update your version of Adobe Flash Player. 

 

Creative Commons License
H Tech Solutions Blog by Harris Schneiderman is licensed under a Creative Commons Attribution 4.0 International License.
Permissions beyond the scope of this license may be available at https://htechsolutions.biz/contact-us