Oh goody. Another SWF display conduit to keep an eye on :o(
Adobe Reader 9 has been released, and guess what, it can display SWF and FLA files... I wonder what implication this has with regards to the security landscape surrounding malicious SWF. Are we going to have to watch out for PDFs which contain malicious SWF?
I simply do not have enough information to judge the safety implications (or otherwise) of this new Adobe Reader feature... I quote from the announcement on the Adobe Reader blog:
"Adobe Reader 9 can natively display rich media content, which you'll notice immediately with Portfolios. Interested in viewing SWF and FLV files? Adobe Reader 9 is the answer."
The first thing that occurs to me is that our number one complaint about malicious SWF is that there is no way for the end user to stop the initial hijack that exposes them to malicious domains. If Adobe Reader 9 prompts for user permission before opening a web browser, then in that way Adobe Reader is a safer way to view SWF. If, on the other hand, the Reader allows an SWF to open a web browser without user interaction, then we are facing yet another conduit to danger.
Oh, and while I think of it - the ActiveX changes in Internet Explorer 8 have the potential to make things safer for users when it comes to malicious SWF (and other ActiveX controls). This is because IE8 will allow the user to choose to install ActiveX for all users, or just one user on the computer, AND it will also introduce "per site" ActiveX. That is, when you are prompted to allow an ActiveX control to run, you will be able to choose to allow the control to run at that one web site, or all web sites. So, if you need Flash for one particular site, but don't want Flash to be available to other sites, then you will be able to approve Flash for just that one site - cool, yes?