TechNote (Archived)

Stand-alone Macromedia Flash Player Update for Windows

Issue

The stand-alone Macromedia Flash Player 5 version 5,0,30,0 for Windows (installed with the Macromedia Flash 5 authoring tool) has a feature that allows authors to execute external programs on the client machine. While this feature is useful, it also can present a security risk. Macromedia has released an updated version of the stand-alone player for Windows. This update is primarily for Flash authors, or any other users with the stand-alone Flash Player installed on their system, including authors creating Windows projectors. Users are encouraged to read this TechNote thoroughly before updating.

The updated stand-alone Macromedia Flash Player 5,0,30,2 does not have the ability to execute outside applications. The player ignores the fscommand ("exec") action; all other content can be expected to function normally. This player also ignores an undocumented feature of the FSCommand as well, refer toPotential security issue with FSCommand "Save" (TechNote 16200) for more details. If you are a Flash author and require the use offscommand ("exec") in your projectors, please refer to the Additional information below.

Note: This update is not related to the Flash Player plug-in or Active X controls that users download to view Flash content in a web browser. This issue only affects the stand-alone player that executes Flash content outside a web browser.

Solution

Download and install the Flash Player Updater: flashplayer_updater.zip (498k).

After downloading, unzip the file and run the Flash Player UpdaterEXE. For best results, exit all applications before installing. If the installer is not able to locate the stand-alone player, please double-check that you do have the stand-alone Flash Player installed on your system. If the stand-alone player is not installed, the update is not required.

Note: The update will affect both the stand-alone Flash Player in the Flash folder and all Windows projectors created on the machine after the update. This update will not prevent fscommand ("exec") calls built into projectors created by outside sources. Do not open an EXE attachment or file if you do not trust the source.

Additional Information

Though the risk can be considered limited, Macromedia takes security very seriously. For a description of the potential issue with the previous stand-alone player, please refer to Potential stand-alone Flash Player issue and security update (TechNote 16154).

For help downloading files, refer to Downloading files from the Internet (TechNote 13686). For more information on fscommand ("exec"), please refer to the ActionScript Reference Guide or Flash Help system.

Flash authors who do NOT wish to update their stand-alone player have the following alternatives:

Download and run the SWF Clear Utility (an alternative, for specific Flash authors only)

Choose this option only if you are a Flash author and require the use of fscommand ("exec") in your Windows Projector files. This utility removes file type associations for the SWF file format to the stand-alone Flash Player. The result is that when opening any SWF file, the operating system will prompt you to choose a program to open the file with. If you choose this option, do not open a SWF file in the stand-alone player unless you trust the source.

Note: Reinstalling the Flash application will re-associate the file type. If you reinstall Flash, run the SWF Clear Utility again.
No security action (not recommended)

Advanced Flash authors may wish to retain their original stand-alone player, and keep file type associations for SWF files to the original player. Macromedia advises against this, but includes this option to notify authors that do not take security action to be cautious with certain SWF content.

These users should exercise caution when opening SWF files from e-mail attachments or downloaded from the Internet. Though SWF files played back inside a browser are secure, do not open any SWF file in the stand-alone player unless you are certain the content is not malicious.