TechNote (Archived)

Authorware Web Player security overview

Note: The information contained in this TechNote is correct for historical versions of the Authorware Web Player, but not necessarily correct for Authorware Web Player, version 2004, released in June 2004. All users are encouraged to upgrade their web player.

Macromedia Authorware Web Player has built-in security features that protect the integrity of a user's system. Authorware applications can run in either nontrusting or trusting mode. Nontrusting mode protects users from running Web-packaged pieces that might cause damage to their system. Before the player runs a Web-packaged piece that for example requires access to user's hard drive, the user must say OK to a dialog box that asks whether the user wants to trust the URL from which the Web-packaged piece is coming.

If the piece is run in nontrusting mode, the player will not download external content files, Xtras, UCDs, and DLLs. Certain variables and functions, such as DeleteFile, SaveRecords, WriteExtFile, and FileLocation, are also disabled. If a Web-packaged piece attempts to access features that are prohibited in nontrusting mode, access will be denied and an error message will be generated.

If a user chooses to trust an application, the Web-packaged piece can take full advantage of Authorware's features, including Xtras, UCDs, and DLLs. If you're developing courses for a corporate or educational intranet, you can set up a Prefs.ini file on the users system that specifies trusted sites so the user does not need respond to a security dialog for every new course on your intranet.

Security and the Authorware Web Player 4.0x

Under certain conditions, the Authorware Web Player 4 (formerly known as Shockwave Authorware) will allow applications to call Scripting Xtras capable of accessing a user's hard drive even when the application is running in non-trusting mode. This security exposure only exists with some Scripting Xtras and under a specific, relatively uncommon scenario. For this reason, the level of risk for most users is considered to be low. A fix is available and outlined later in this TechNote.

The Authorware 4 Web Player does not automatically install any Scripting Xtras. However, a trusted Authorware 4 application could manually install Scripting Xtras via the application's Map file and leave them on the user's system by using the Recycle option. In this case, the user's system would then have a security exposure. If a user ran a non-trusted application from a mischievous 3rd party, it could call the Scripting Xtra and gain access to the users hard drive.

The scenario described above only poses a potential risk with Macromedia or third party Scripting Xtras that are installed on users system and that call "child" and "parent" methods via CallObject() and CallParentObject(). Scripting Xtras that rely on global method calls pose no risk.

For Authorware 4 applications that rely on Scripting Xtras that provide "child" and "parent" methods such as the FileIO Xtra, the Secure Xtra and certain custom Scripting Xtras, there is a procedural fix that addresses the security exposure and is outlined below.

Authorware 4 solution

To remove any security exposure, Authorware 4 developers should implement one or more of the following:

Verify that your existing applications do not manually download and recycle the FileIO Xtra, the Secure Xtra, or any custom Scripting Xtras that provide "child" or "parent" methods.
If necessary, delete the above referenced Xtras from the users system.
Do not manually download and recycle these Xtras in any future applications created with Authorware 4.0.

Macromedia Xtra File names reference table

Xtra	Windows 95, Windows 98, Windows NT	Windows 3.1	Macintosh
FileIO Xtra	fileio.x32	fileio.x16	FileIOXtraFat
Secure Xtra	secure.x32	secure.x16	N/A

Note: Installing the updated Web Player 5.0 will not address the security exposure for applications developed with Authorware 4.0.

Authorware 5 Attain

A software fix exists for all applications created with Authorware 5 Attain. An updated version 5.0 F2 or later of the Authorware Web Player contains a fix that rejects any calls to Xtras or system functions that could interfere with a users hard drive when the Web Player is running in non-trusting mode.

You can install and/or download the latest Web Player from Macromedia's Web site today:

http://www.macromedia.com/software/authorware/productinfo/webplayer/index.html

Removing the Authorware Web Player

If you wish to remove the Authorware Web Player from your or end users' systems, you may do so by following the steps outlined below:

For Windows: Web Player Plug-in (all Netscape browsers and Internet Explorer on Windows 3.1 only)

Go to the Netscape or Internet Explorer Plug-Ins folder.
Remove np32asw.dll and the np32asw folder or np16asw.dll and the np16asw folder.
To verify that you've removed all instances of the plug-in, we recommend that you search your hard drive(s) for np32asw.dll (Windows 95, 98, NT) or np16asw.dll (Windows 3.1).the empty column.

For Windows: Web Player ActiveX Control (Internet Explorer 4.0 on Windows 95, 98, NT)

Go to your "Downloaded Program Files" or "OCCache" folder under the Windows folder.
Right mouse click on the "Macromedia Authorware Web Player Control" item.
Select Remove.

For Windows: Web Player ActiveX Control (Internet Explorer 3.0 on Windows 95, 98, NT)

Search the drive where Windows is installed to find the location of your awswax.ocx file.
Select Run from the Windows Start menu and enter "regsvr32 /u " followed by your fully defined path and the file name.

For example:
"regsv32/u c:\windows\system\macromed\authorwa\awswax.ocx".
Next, manually delete the files under \Windows\System\Macromed\Authorwa.

For Macintosh:

Go to the Netscape or the Internet Explorer Plug-Ins folder.
On PowerPC systems, remove NP-MacPPC-AW-Shockwave and"NP-MacPPC-AW-Shockwave folder" and its contents.
On 68K systems, remove NP-Mac68K-AW-Shockwave and"NP-Mac68K-AW-Shockwave folder" and its contents.
To verify that you've removed all instances of the plug-in, we recommend that you search your hard drive(s) for the above referenced files and folders.