Handling Local Executables
Users who are not suspicious of
executables received over the Web won't have fully
functioning computers for long. To prevent the Flash Player from
running virulent code, the ActionScript environment is under strict
control. A SWF running in the Flash Player plugin or ActiveX control
in a browser is not allowed to run an executable on the
user's machine, such as by using
However, a SWF file running in the Standalone Flash Player (a
separate executable sometimes called a Projector) is allowed to
execute external applications using
as described at http://www.macromedia.com/support/flash/ts/documents/fscommand_projectors.htm.
Like any desktop application, the Standalone Flash Player constitutes
a potential security risk. To reduce the risk, Macromedia allows
to execute a file only if it is stored within a subfolder named
FSCOMMAND (case-insensitive) within the folder
containing the Flash Projector.
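
The folder rule above can be modeled as a path-confinement check. This Python sketch is an added example, not code from the original text or from Macromedia; the function names, the kiosk path, the sample requests and the choice to allow nested subfolders are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any host OS

ALLOWED_SUBFOLDER = "FSCOMMAND"  # folder name from the text, matched case-insensitively


def _canon(path):
    # normpath collapses "." and ".." and unifies separators; normcase lowercases.
    return ntpath.normcase(ntpath.normpath(path))


def exec_allowed(projector_path, target):
    """True only if target lies inside <projector folder>\\FSCOMMAND (lexical check)."""
    if not target or "\x00" in target:
        return False
    base = ntpath.dirname(ntpath.normpath(projector_path))
    allowed_root = _canon(ntpath.join(base, ALLOWED_SUBFOLDER))
    # join() discards base when target is absolute or names another drive,
    # so those requests fail the prefix test below.
    candidate = _canon(ntpath.join(base, target))
    # Trailing separator stops sibling names such as "FSCOMMAND_old" from matching.
    return candidate.startswith(allowed_root + "\\")


def audit(projector_path, requests):
    """Split requested launch targets into (allowed, rejected) lists."""
    allowed, rejected = [], []
    for req in requests:
        (allowed if exec_allowed(projector_path, req) else rejected).append(req)
    return allowed, rejected


# Constructed sample data: hypothetical kiosk projector and launch requests.
PROJECTOR = r"C:\Kiosk\demo.exe"
REQUESTS = [
    r"fscommand\helper.exe",
    "FSCommand/tools/print.exe",
    r"fscommand\..\..\Windows\System32\cmd.exe",
    r"C:\Windows\notepad.exe",
    r"fscommand_old\helper.exe",
]

if __name__ == "__main__":
    ok, bad = audit(PROJECTOR, REQUESTS)
    print("allowed:", ok)
    print("rejected:", bad)
```

The check is purely lexical: it normalizes the path before comparing, so traversal sequences and look-alike folder names are rejected, but it does not resolve links on disk.
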
Now that you understand some of the security issues surrounding
Flash, let's look at some of the hacks to help you
protect your content [Hack #98]
against likely angles of attack [Hack #97].