Spectre / Meltdown Mitigations

In response to a class of recently disclosed vulnerabilities in popular CPU hardware related to data cache timing (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), known popularly as Spectre and Meltdown, we are disabling the ‘shareable’ property of the ActionScript ByteArray class by default and have added jitter to our event and timer APIs.


EnableInsecureByteArrayShareable

Short Description: 

Allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class.

Detailed Description:

EnableInsecureByteArrayShareable = [0,1] (0=false, 1=true)

This setting allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class. Shared ByteArrays are used to share data between threads with ActionScript “Workers.” Shared ByteArrays are an advanced feature of the ActionScript API set and are not commonly used in the vast majority of published Flash content. For increased security, we recommend administrators leave this feature disabled.


EnableInsecureByteArrayShareableDomain

Short Description: 

Allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class on a per-domain basis.

Detailed Description:

EnableInsecureByteArrayShareableDomain = domain name or IP address

By default, Flash Player 30 and above will no longer allow the “shareable” property of the ActionScript ByteArray API class. The EnableInsecureByteArrayShareableDomain setting provides exceptions to that rule. Administrators can create a “white list” of approved domain names or IP addresses to which the EnableInsecureByteArrayShareable setting will apply. If the active security context is in the list of domains and IP addresses, then access to the shareable ByteArray property will be allowed. Otherwise, shareable ByteArray access will be denied.

For domain names, prefixing a * wildcard is allowed.  For example, *.adobe.com would allow all Flash content with the “shareable” property to run on www.adobe.com, get.adobe.com, helpx.adobe.com, and so on. Wildcards are not allowed when specifying IP addresses.

For example, the following settings allow SWFs using the shareable ByteArray property to only run on servers at www.mydomain.com and 10.1.1.10:

EnableInsecureByteArrayShareableDomain=www.mydomain.com
EnableInsecureByteArrayShareableDomain=10.1.1.10

Wildcard example:

EnableInsecureByteArrayShareableDomain=*.mydomain.com

This would allow all Flash content with the “shareable” property to run on www.mydomain.com, foo.mydomain.com, and so on. Wildcards are not allowed when specifying IP addresses.


EventJitterMicroseconds

Setting this value to 0 disables an important mitigation for Spectre-style attacks (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), but may improve application performance in some limited circumstances.


TimerJitterMicroseconds

Setting this value to 0 disables an important mitigation for Spectre-style attacks (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), but may improve application performance in some limited circumstances.
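The following Python script is an added example, not Adobe's code and not part of the original page. It shows how an administrator can audit an mms.cfg file against the rules described above: it parses the Key=Value lines, applies the domain allow-list matching the page describes (exact host match, a single leading "*." wildcard for domain names, no wildcards for IP addresses), and flags settings that weaken the Spectre mitigations (the shareable override enabled, a jitter value of 0). The sample mms.cfg content is constructed for the example. Two points are assumptions, not taken from the page: that "#" lines are comments, that an EnableInsecureByteArrayShareable=1 override with no domain entries applies everywhere, and that "*.mydomain.com" does not match the bare parent name mydomain.com. The jitter keys are assumed to use the same Key=Value syntax as the other settings.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample mms.cfg content for the example (not a real deployment).
SAMPLE_MMS_CFG = """\
# Spectre / Meltdown related settings (constructed sample)
EnableInsecureByteArrayShareable=1
EnableInsecureByteArrayShareableDomain=www.mydomain.com
EnableInsecureByteArrayShareableDomain=*.partner.example
EnableInsecureByteArrayShareableDomain=10.1.1.10
EnableInsecureByteArrayShareableDomain=10.1.*.*
EventJitterMicroseconds=0
"""

SHAREABLE_KEY = "EnableInsecureByteArrayShareable"
DOMAIN_KEY = "EnableInsecureByteArrayShareableDomain"
JITTER_KEYS = ("EventJitterMicroseconds", "TimerJitterMicroseconds")


def parse_mms_cfg(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order. One Key=Value per line;
    lines starting with '#' are treated as comments (assumption)."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def validate_entry(entry: str) -> Optional[str]:
    """Return a problem description for a domain-list entry, or None if it is valid."""
    if "*" not in entry:
        return None
    labels = entry.split(".")
    # Something made only of digits and '*' is an IP pattern: wildcards are not allowed there.
    if all(lbl == "*" or lbl.isdigit() for lbl in labels):
        return "wildcards are not allowed when specifying IP addresses"
    if entry.count("*") != 1 or not entry.startswith("*."):
        return "only a single leading '*.' wildcard is allowed for domain names"
    return None


def entry_matches(entry: str, host: str) -> bool:
    """Does a single (valid) allow-list entry cover the given host or IP literal?"""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        # '*.mydomain.com' covers www.mydomain.com, foo.mydomain.com, ...
        # Assumption: it does not cover the bare parent 'mydomain.com'.
        suffix = entry[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    try:
        # IP entries must match the literal exactly (normalised form, no wildcards).
        return ipaddress.ip_address(entry) == ipaddress.ip_address(host)
    except ValueError:
        return host == entry


def shareable_allowed(pairs: List[Tuple[str, str]], host: str) -> bool:
    """Decide whether shareable ByteArray access is allowed for a security context."""
    flag = "0"
    domains: List[str] = []
    for key, value in pairs:
        if key == SHAREABLE_KEY:
            flag = value
        elif key == DOMAIN_KEY:
            domains.append(value)
    if flag != "1":
        return False  # Flash Player 30+ default: shareable denied everywhere
    if not domains:
        return True  # assumption: override without a domain list applies everywhere
    # Invalid entries (e.g. wildcard IPs) never grant access.
    return any(validate_entry(d) is None and entry_matches(d, host) for d in domains)


def audit(text: str) -> List[str]:
    """List settings that weaken the Spectre/Meltdown mitigations or are malformed."""
    findings: List[str] = []
    cfg: Dict[str, str] = {}
    for key, value in parse_mms_cfg(text):
        if key == DOMAIN_KEY:
            problem = validate_entry(value)
            if problem:
                findings.append(f"invalid {DOMAIN_KEY} entry '{value}': {problem}")
        else:
            cfg[key] = value
    if cfg.get(SHAREABLE_KEY) == "1":
        findings.append(f"{SHAREABLE_KEY}=1: shareable ByteArray override is enabled")
    for key in JITTER_KEYS:
        if cfg.get(key) == "0":
            findings.append(f"{key}=0 disables a Spectre mitigation")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MMS_CFG):
        print("FINDING:", finding)
    for ctx in ("www.mydomain.com", "foo.partner.example", "10.1.2.3"):
        print(ctx, "->", "allowed" if shareable_allowed(parse_mms_cfg(SAMPLE_MMS_CFG), ctx) else "denied")
```

Run it against a copy of the deployed mms.cfg to see which security contexts the current allow-list actually grants shareable ByteArray access to, and which entries are silently ineffective (a wildcard IP is reported as invalid and never matches).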


For information on managing the mms.cfg file, please see the Flash Player System Administrator’s guide, here:

http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html
