Posts in Category "Uncategorized"

Spectre / Meltdown Mitigations

In response to a class of recently disclosed vulnerabilities in popular CPU hardware related to data cache timing (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), known popularly as Spectre and Meltdown, we are disabling the ‘shareable’ property of the ActionScript ByteArray class by default and have added jitter to our event and timer APIs.

EnableInsecureByteArrayShareable

Short Description: 

Allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class.

Detailed Description:

EnableInsecureByteArrayShareable = [0,1] (0=false, 1=true)

This setting will allow Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class.  Shared ByteArrays are used to share data between threads with ActionScript “Workers.”  Shared ByteArrays are an advanced feature of the ActionScript API set and not commonly used in the vast majority of published Flash content.  For increased security, we recommend administrators leave this feature disabled.

 

EnableInsecureByteArrayShareableDomain

Short Description: 

Allows Administrators to override the Flash Player 30 and above default behavior of restricting the “shareable” property of the ActionScript ByteArray API class on a per-domain basis.

Detailed Description:

EnableInsecureByteArrayShareableDomain = domain name or IP address

By default, Flash Player 30 and above will no longer allow the “shareable” property of the ActionScript ByteArray API class.  The EnableInsecureByteArrayShareableDomain settings provide exceptions to that rule.  Administrators can create a “white list” of approved domain names or IP addresses to which the EnableInsecureByteArrayShareable setting will apply.  If the active security context is in the list of domains and IP addresses, then access to the shareable ByteArray property will be allowed.  Otherwise, shareable ByteArray access will be denied.

For domain names, prefixing a * wildcard is allowed.  For example, *.adobe.com would allow all Flash content with the “shareable” property to run on www.adobe.com, get.adobe.com, helpx.adobe.com, and so on. Wildcards are not allowed when specifying IP addresses.

For example, the following settings allow SWFs using the shareable ByteArray property to only run on servers at www.mydomain.com and 10.1.1.10:

EnableInsecureByteArrayShareableDomain=www.mydomain.com
EnableInsecureByteArrayShareableDomain=10.1.1.10

For domain names, prefixing a * wildcard is allowed.

Example:

EnableInsecureByteArrayShareableDomain=*.mydomain.com

This would allow all Flash content with the “shareable” property to run on www.mydomain.com, foo.mydomain.com, and so on. Wildcards are not allowed when specifying IP addresses.

 

EventJitterMicroseconds

Setting this value to 0 disables an important mitigation for Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application performance in some limited circumstances.

 

TimerJitterMicroseconds

Setting this value to 0 disables an important mitigation for Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application performance in some limited circumstances.

 

For information on managing the mms.cfg file, please see the Flash Player System Administrator’s guide, here:

http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html
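
The settings above can be checked across a fleet with a small script. The following is an added example, not Adobe's code: it audits the text of an mms.cfg for the four settings described in this post. The finding codes, the sample file, case-insensitive key matching and the treatment of lines starting with # as comments are assumptions made for the example.

```python
# Added example: audit an mms.cfg for the settings described in this post.
# Key names come from the post; finding codes and SAMPLE are constructed here.
SAMPLE = """\
# constructed sample, not a real deployment
EnableInsecureByteArrayShareable = 1
EnableInsecureByteArrayShareableDomain=www.mydomain.com
EnableInsecureByteArrayShareableDomain=10.1.1.*
EnableInsecureByteArrayShareableDomain=*.mydomain.com
EventJitterMicroseconds=0
TimerJitterMicroseconds=2000
"""

def parse_mms_cfg(text):
    """Yield (lowercased key, value); skips blanks, '#' comments, malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip().lower(), value.strip()

def looks_like_ip(entry):
    """Four dot-separated fields of digits or '*', e.g. 10.1.1.10 or 10.1.1.*"""
    parts = entry.split(".")
    return len(parts) == 4 and all(p == "*" or p.isdigit() for p in parts)

def audit(text):
    """Return a list of (code, detail) findings for an administrator to review."""
    findings, override_on, domains = [], False, []
    for key, value in parse_mms_cfg(text):
        if key == "enableinsecurebytearrayshareable" and value == "1":
            override_on = True
        elif key == "enableinsecurebytearrayshareabledomain":
            domains.append(value)
        elif key in ("eventjittermicroseconds", "timerjittermicroseconds"):
            if value.isdigit() and int(value) == 0:  # 0 turns the mitigation off
                findings.append(("JITTER_DISABLED", key))
    if override_on:
        findings.append(("SHAREABLE_OVERRIDE_ON", "%d domain entries" % len(domains)))
    for entry in domains:
        if looks_like_ip(entry) and "*" in entry:
            findings.append(("WILDCARD_IN_IP", entry))       # not allowed for IPs
        elif "*" in entry and not (entry.startswith("*.") and "*" not in entry[1:]):
            findings.append(("WILDCARD_NOT_PREFIX", entry))  # only a leading * is allowed
        else:
            findings.append(("SHAREABLE_EXCEPTION", entry))  # valid entry, list for review
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, detail)
```

Every SHAREABLE_EXCEPTION line is a host where the default restriction has been lifted, so the list should stay short and each entry should have an owner.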

 

GPU Preference Selection in AIR

AIR 28 has a feature where the AIR desktop application can be set to have a preference for the use of a specific GPU type:

  • The “discrete” (dedicated) for better performance, or
  • The “integrated” for better battery life.

This preference is set when the AIR application is published, which ensures that existing AIR content is not affected by this feature.

The new attribute in the application descriptor

For this feature, the gpuPreference attribute is introduced in the AIR application descriptor. AIR developers can specify either discrete or integrated for the attribute value to set a GPU preference. When the gpuPreference attribute is absent, the GPU type used is OS dependent, as is the case with previous versions of AIR.

<gpuPreference>(discrete|integrated)</gpuPreference>

Note: The value of the gpuPreference does not affect AIR applications that are launched by AIR Debug Launcher (ADL).

The support configuration for the feature

This feature is supported only on devices that are equipped with both an integrated GPU and a discrete GPU, and with OSes that support GPU switching functionality. Such a setup is more common on laptops than on desktops. This feature has been tested on Windows 10 devices equipped with Nvidia or AMD graphics cards, and Mac OS X version 10.12. In some cases, the effectiveness of the GPU preference selection has been device driver dependent.

Effectiveness of GPU Preference Selection

Setting the gpuPreference attribute does not guarantee the use of a GPU by the AIR application at all times. OS policies and device driver vendor tool settings may override the AIR gpuPreference attribute setting.

Note: The AIR runtime forces Stage3D applications to use the discrete GPU on Mac regardless of the value of the gpuPreference attribute. This enforcement avoids the expensive cost of preparing Stage3D rendering again, such as reloading GPU resources, when the GPU type changes.

How to detect the assigned GPU type

The GPU type assigned to the AIR application can be detected in two ways: through a tool or through a programmatic method. The detection works only when the renderMode attribute is set to direct.

Scout [1] is a useful debugging tool for detecting which GPU is assigned to an AIR application. GPU information is provided under “Session Info” in Scout, as shown in the following images.

Figure 1: GPU information captured on Mac

Figure 2: GPU information captured on Windows

Known issues with the current version of Scout:

  • GPU information is not shown when an AIR application runs on top of DirectX11 on Windows 8 or above.
  • Scout lacks the ability to show proper GPU information if the GPU type being used is changed while the application is running. In such a scenario, the AIR application needs to be relaunched so that Scout can capture what the current GPU is in the given setting.

The programmatic method to detect the assigned GPU type is through the driver property of the StageVideoAvailabilityEvent event. When an AIR application registers an event handler for the StageVideoAvailability event, the StageVideoAvailabilityEvent event will fire upon assignment of the GPU type. In the event listener, the GPU information can be retrieved from the driver property. Note that the driver property is available for AIR applications authored for SWF 26 or above.

References

  1. Getting Started With Adobe Scout : http://www.adobe.com/devnet/scout/articles/adobe-scout-getting-started.html

Beta News – Flash Player NPAPI for Linux

Flash Player and Linux

Linux users have access to both NPAPI and PPAPI versions of Flash Player.  However, for the last four years, the NPAPI version has been held at 11.2 and regularly updated with only security fixes, while the PPAPI version (used in Chrome and Chromium-based browsers) is in line with the standard Windows and Mac releases.

Today we are updating the beta channel with Linux NPAPI Flash Player by moving it forward and in sync with the modern release branch (currently version 23).  We have made this significant change to improve security and provide additional mitigation to the Linux community.

In the past, we communicated that NPAPI Linux releases would stop in 2017.  This is no longer the case and once we have performed sufficient testing and received community feedback, we will release both NPAPI and PPAPI Linux builds with their major version numbers in sync and on a regular basis.

Because this change is primarily a security initiative, some features (like GPU 3D acceleration and premium video DRM) will not be fully implemented.

If you require this functionality, we recommend that you use the PPAPI version of Flash Player.  That said, we believe that the new NPAPI build represents a significant step forward in functionality, stability, and security and look forward to hearing your feedback.

Currently we are distributing 32-bit and 64-bit binaries only; we will package these in proper installers after additional testing and feedback. Users should manually back up their existing Flash Player plugin file from the appropriate system plug-in folder and copy the new binaries into place to use them.  Please note that our initial release does not support Fedora-based distributions.  For more information, see our release notes.

You can download the new NPAPI binaries today by visiting the Adobe Labs download page.

Feathers 3.0: A New Major Version

Congratulations to Josh Tynjala and the Feathers open source project for the release of Feathers 3.0. Feathers offers a large collection of ActionScript user interface components and layouts for mobile and desktop. It is powered by both Starling Framework and Adobe AIR.


What’s new in this release?

Many of the changes in Feathers 3.0 can be found under the hood, including bug fixes and architecture improvements. This version lays a foundation for new components and features in future versions.

Improved Performance When Idle

Feathers apps benefit greatly from the architecture changes in Starling Framework 2.0. CPU usage in static scenes has dropped to nearly zero with Starling’s new skipUnchangedFrames property. This means that apps built with Feathers should use less battery, which makes them better citizens on mobile devices.

Just take a look at this comparison made by Adobe Scout that shows an idle Feathers 2.3 app compared with the same app running on Feathers 3.0:


Skinning

In Feathers 3.0, the developer experience gets better too. Let’s look at some of the skinning improvements.

The Scale9Image, Scale3Image, and TiledImage classes are no longer necessary in Feathers 3.0 because Starling 2.0 now supports these capabilities natively in the Image class using the scale9Grid and tileGrid properties.

Here’s an example of using the scale9Grid property with an Image:

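// Requires: import flash.geom.Rectangle; import starling.display.Image;
var image:Image = new Image( texture );
// Center region that scales; the corners outside it keep their size
image.scale9Grid = new Rectangle( 3, 2, 6, 3 );
image.width = 100;
addChild( image );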

For components that have more than one state (such as a Button that can be up, down or disabled), Feathers includes a new ImageSkin class that accepts multiple textures.

ImageSkin works a lot like Starling’s Image class, but it adds a new setTextureForState() method that can be used to pass in additional textures. Take a look at this example of using ImageSkin to skin a Button component’s states:

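// Requires: import feathers.skins.ImageSkin; import feathers.controls.ButtonState; import flash.geom.Rectangle;
var skin:ImageSkin = new ImageSkin( upTexture ); // default texture
// Extra textures for the other button states
skin.setTextureForState( ButtonState.DOWN, downTexture );
skin.setTextureForState( ButtonState.DISABLED, disabledTexture );
skin.scale9Grid = new Rectangle( 3, 2, 6, 3 );
button.defaultSkin = skin;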

Migrating from Feathers 2.x to 3.0

Feathers 3.0 includes many more improvements, and some of them may require changes to your existing Feathers apps. Please read through the Feathers 3.0 Migration Guide for complete details about upgrading to this new major version.


You may also want to review the Starling 2 Migration Guide because it provides specific hints about upgrading Starling.

Get started with Feathers 3.0.0

You can find the Feathers UI 3.0.0 release notes on the project’s Github page. Developers are encouraged to download the latest stable version from the Feathers website.

TestFairy – A mobile beta testing platform

Have you been looking for ways to improve your mobile testing?  I’ve recently seen a demonstration from the folks at TestFairy and was blown away at the level of integration and functionality that they’ve made available to developers.  If you’re looking to improve the quality of the bug reports that you receive from your testers and you want easy integration into your AIR application, definitely check out TestFairy to see what they have to offer.  There are both free and paid plans available.

Check out the video below to see how easy it is to use and implement in your application!  The TestFairy ANE can be downloaded here.

Feathers UI 2.3.0 Update

Congratulations to Josh Tynjala and the Feathers open source project for the release of Feathers UI 2.3.0!  Feathers offers a large collection of ActionScript user interface components and layouts for mobile and desktop.  Feathers is powered by both the Starling Framework and Adobe AIR.


What’s new in this release?

In version 2.3.0, Feathers UI includes a new DateTimeSpinner component and a number of powerful new features that have long been requested by the community.

The DateTimeSpinner component is a mobile-style date and time picker built with a series of SpinnerList components.

List and GroupedList now support the ability to display more than one type of item renderer in the same list. It’s now easy to style the first or last item renderer differently or to choose the type of item renderer based on the values of an item’s properties.

TextureCache makes it possible to reuse textures loaded from URLs, instead of potentially recreating them multiple times. It’s perfect for lists that need to display many images. TextureCache can save bandwidth, but watch out because it can require more memory.

TapToTrigger, TapToSelect, and LongPress make it easy to add simple gestures to custom components, such as item renderers.

Text renderers now support the ability to automatically change font styles when their parent component changes to different states. For instance, a text renderer used by a Button component can now detect when the button is being pressed, and the color of the text will be updated. Unlike previous APIs like downLabelProperties and hoverLabelProperties, this new approach can be more strictly type-checked by the compiler, leading to fewer mistakes in your code. Additionally, this feature can be used by other components with states, such as a TextInput (which may be focused or disabled).

Finally, this version also includes a new TopcoatLightMobileTheme, which is based on a contribution by Marcel Piestansky.

Example

Let’s look at a quick example of using a TextureCache class with a List:

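import feathers.controls.ImageLoader;
import feathers.controls.List;
import feathers.controls.renderers.DefaultListItemRenderer;
import feathers.controls.renderers.IListItemRenderer;
import feathers.utils.textures.TextureCache;

// One cache shared by every ImageLoader in the list; the argument caps how many
// textures that are no longer in use stay cached
var cache:TextureCache = new TextureCache(30);
var list:List = new List();
list.itemRendererFactory = function():IListItemRenderer
{
    var itemRenderer:DefaultListItemRenderer = new DefaultListItemRenderer();
    itemRenderer.iconLoaderFactory = function():ImageLoader
    {
        var loader:ImageLoader = new ImageLoader();
        // Reuse textures already loaded from the same URL
        loader.textureCache = cache;
        return loader;
    };
    return itemRenderer;
};
addChild(list);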

In the code above, every ImageLoader that appears in the List will share the same TextureCache. As the List scrolls, the newly loaded textures will be saved, but existing textures will be borrowed from the cache.

Get started with Feathers UI 2.3.0

You can find the Feathers UI 2.3.0 release notes on the project’s Github page. Developers are encouraged to download the latest stable version from the Feathers website.

November Flash Runtime Update

If you hadn’t noticed, we updated both Flash Player and AIR last Tuesday (11/10) with new builds focusing on security and important bug fixes.  Flash Player was updated to 19.0.0.245 and AIR is now at 19.0.0.241.  AIR developers, please note that the AIR SDK and runtime were updated with a refresh of the embedded Flash Player plugin only.

Full details can be found, as always, in our release notes and Flash Player and AIR forum announcements.

But that’s not all!  November was our last scheduled v19 release and we’re now on track for a December launch of v20!  Head on over to Adobe Labs to pick up the latest Flash Player and AIR betas.   Make sure to check out the new AIR beta features like Android TV support, secure socket for iOS, and 64-bit support for OSX (Windows coming soon).  On the Flash Player side we’ve got improved PPAPI printing and now Windows 8/10 access to hardware acceleration options.  Full details in the release notes.

Flash Player guidance for Internet Explorer 11 and Microsoft Edge

A great deal of Flash content that works in Internet Explorer 10 or earlier may behave incorrectly with Microsoft’s latest browsers. This blog post will list technical differences to help developers debug why their site might be broken in Internet Explorer 11 or Microsoft Edge.  This is truly a deep dive into the workings of Flash Player and browser detection.

For those who merely want our recommended best practice for embedding Flash Player in HTML code, the answer is simply to use SwfObject 2.3.  Documentation can be found in the README on GitHub and on the Google Code pages.  If you use SwfObject 2.3, you can have high confidence that your content will load appropriately with all modern browsers.

If you are interested in learning more, make sure to check out the remainder of the article after the break.

Huge thanks to Peter Grandmaison and Jeromie Clark for their encyclopedic knowledge and guidance putting this post together.


Flash Player Security Update Available

We’ve updated Flash Player with important security updates today.  For everyone enrolled in our auto update system (highly recommended), you’ll be automatically and silently updated within 24 hours.  For more details on this release, please see our security bulletin and release notes linked below.

Security Bulletin (APSB15-27)

Flash Player release notes

October Flash Runtime Update

Today the team has released our scheduled October update for Flash Player and AIR.  Flash Player 19 has received important bug and security fixes and the AIR runtime and SDK were updated to refresh the embedded version of Flash Player with today’s release.

Full details can be found in our release notes and Flash Player and AIR forum announcements.

I hope those of you that attended MAX this year had a great time!  I enjoyed meeting everyone and was blown away by the work being done by our teams and customers.

One final item.  For those targeting iOS 9 and interested in universal links, please take a look at the release notes.  You’ll find detailed instructions on how to go about using these with the latest AIR SDK.