Handling Local Executables

Users who are not suspicious of executables received over the Web won't have fully functioning computers for long. To prevent the Flash Player from running malicious code, the ActionScript environment is under strict control. A SWF running in the Flash Player plugin or ActiveX control in a browser is not allowed to run an executable on the user's machine, for example by calling fscommand("exec").

However, a SWF file running in the Standalone Flash Player (a separate executable sometimes called a Projector) is allowed to execute external applications using fscommand("exec"), as described at http://www.macromedia.com/support/flash/ts/documents/fscommand_projectors.htm. Like any desktop application, the Standalone Flash Player constitutes a potential security risk. To reduce the risk, Macromedia allows fscommand("exec") to execute a file only if it is stored within a subfolder named FSCOMMAND (case-insensitive) within the folder containing the Flash Projector.
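The folder-confinement rule described above, sketched as an added example; it is not Macromedia's implementation and not code from the original text. The function name resolve_exec_target and the sample file names are assumptions, and the directory tree is constructed in a temporary folder.

```python
import os
import tempfile


def resolve_exec_target(projector_dir, requested):
    """Return the real path of `requested` only if it is a file inside the
    FSCOMMAND subfolder of projector_dir; otherwise return None."""
    base = None
    for entry in os.listdir(projector_dir):
        full = os.path.join(projector_dir, entry)
        # The subfolder name is matched case-insensitively, as the text states.
        if entry.lower() == "fscommand" and os.path.isdir(full):
            base = os.path.realpath(full)
            break
    if base is None:
        return None  # no FSCOMMAND folder: nothing may be launched
    # realpath collapses ".." segments and follows symlinks before comparing.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a constructed projector folder and test five requests."""
    with tempfile.TemporaryDirectory() as root:
        fsdir = os.path.join(root, "FsCommand")  # mixed case on purpose
        os.mkdir(fsdir)
        outside = os.path.join(root, "outside.bat")
        open(os.path.join(fsdir, "helper.bat"), "w").close()
        open(outside, "w").close()
        os.symlink(outside, os.path.join(fsdir, "link.bat"))
        requests = [
            "helper.bat",        # inside FSCOMMAND: allowed
            "../outside.bat",    # traversal out of the folder: refused
            outside,             # absolute path elsewhere: refused
            "link.bat",          # symlink that leaves the folder: refused
            "missing.bat",       # no such file: refused
        ]
        return [resolve_exec_target(root, r) is not None for r in requests]


if __name__ == "__main__":
    print(demo())
```
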

Now that you understand some of the security issues surrounding Flash, let's look at some of the hacks to help you protect your content [Hack #98] against likely angles of attack [Hack #97].