The Download Blog

July 21, 2009 9:05 AM PDT

Adobe rolls out new open-source projects

by Lance Whitney

Web developers should appreciate two of Adobe's latest open-source initiatives announced Tuesday, both designed to help media companies and other publishers build richer Flash applications.

The first project, Open Source Media Framework (OSMF), lets designers create more sophisticated media players to run Adobe Flash presentations. The second, Text Layout Framework (TLF), helps developers add more advanced typography and font layouts to their Flash apps.

Both OSMF and TLF are available for free as open-source applications.

OSMF is the open source piece of the Adobe project formerly known by the codename Strobe, a framework for Flash media players. Using OSMF, developers can create Flash players with not only advanced playback and navigation controls but also plug-ins for advertising and tracking, a key benefit for media companies. OSMF can work with any kind of Flash content, including video, audio, and images.

Developers can learn more about OSMF and download the source code and components at the OSMF Web site.

TLF lets developers add sleeker and higher-quality typographic layouts and effects to Flash presentations. In conjunction with the new text engine in Flash Player 10, TLF offers support for vertical and bidirectional text, flowing text around images and across columns, and multiple languages.

More information and a demo of TLF can be found at the Adobe Labs TLF site.

These latest two initiatives are part of Adobe's strategy to provide more robust programming tools for Flash. For the first time, Adobe is facing potential competition for Flash from other Web technologies, notably Microsoft's Silverlight.

Originally posted at Webware
Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
February 25, 2009 4:36 PM PST

Adobe patches Flash hole

by Elinor Mills

Adobe released a patch for a Flash player hole this week that could allow an attacker to remotely take control of a computer.

The vulnerability is a critical one for Adobe Flash Player 10.0.12.36 and earlier versions, the company said in an advisory.

To exploit the vulnerability, a targeted user must load a malicious Shockwave Flash file, which can be done by social engineering the user or injecting malicious content into a compromised, trusted Web site, according to an advisory from security firm iDefense.

Internet Explorer and Firefox plug-ins can be used to temporarily block and unblock Flash content, iDefense said.

While Adobe was releasing news about the Flash vulnerability, more information was surfacing about the hole in Adobe Reader 9 and Acrobat 9 that was announced last week. A patch is due by March 11.

Security company Sourcefire, which released a patch of its own, told IDG News Service that it has found evidence of attacks exploiting the vulnerability for more than six weeks.

There were two critical vulnerabilities in Adobe Reader last year that resulted in remote code execution exploits, according to an entry on the IBM Internet Security Systems blog.

"Currently, we have only witnessed this [new] exploit in highly targeted attacks and have not detected this exploit utilized heavily in the wild yet," the blog entry said. "But it is unknown how long it will be before we see this spread quickly through malicious websites. Milw0rm just released proof-of-concept exploit code. So, we don't expect it to take long before this exploit moves beyond targeted attacks to malicious exploit toolkit integration and widespread exploitation."

Originally posted at Security
November 5, 2008 12:24 PM PST

Obama-themed malware on the rise

by Robert Vamosi

One of the spam messages using Obama's election to entice people to download malware.

(Credit: Sophos)

Within hours of settling the U.S. presidential election on Tuesday, spam seen worldwide began incorporating the name and image of Barack Obama, according to various security vendors. The U.K.'s Sophos reported 60 percent of all spam seen by the lab on Wednesday was in some way Obama-related.

One piece of spam alleges to contain a link to video of Obama's acceptance speech. If you follow the video link within the e-mail message you will be taken to a Web page where you'll be asked to update your Adobe Flash Player with a file, adobe_flash9.exe, first. This is not an official Adobe update file and downloading this file may in turn infect your computer with a Trojan.

Sophos named the Trojan Mal/Behav-027. F-Secure named it W32/Papras.CL. Sunbelt Software also has a blog about this particular piece of spam.

Meanwhile, Websense is reporting a separate threat. An e-mail appears to be an interview with the new president-elect. The e-mail features embedded links to a video site that attempts to install a file, BarackObama.exe. Downloading this file may infect your computer with a Trojan.

Originally posted at Security
October 15, 2008 10:17 AM PDT

Adobe fends off rivals with Flash Player 10

by Stephen Shankland

Flash Player 10 was code-named Astro.

(Credit: Adobe Systems)

Astro is launched.

On Wednesday, Adobe Systems announced the release of a major update to its Flash technology to endow Web sites with better video, audio, and graphics. The new version 10 was code-named Astro, and it arrived just days after Microsoft released version 2.0 of its rival Silverlight software.

Flash Player 10, a free download also available for Windows and Mac users from Download.com, includes a number of new features:

• Easier-to-use 3D graphics effects.

• Better text handling for more sophisticated layouts combining words and graphics, more refined typography, and better multilingual applications.

• Better sound handling, so that different audio signals can be mixed together--for example, a music sound track with a game's audio effects.

• High-performance visual effects using technology called Pixel Bender that also works with After Effects CS4 and Photoshop CS4.

• Better abilities to tap into hardware acceleration.

• Adaptable video streaming that can adjust to changing network throughput.

Flash Player is a key part of Adobe's push to make Web-based applications more powerful. Adobe's Flex framework can be used to create applications that run on the Flash Player or as standalone computer applications running on AIR, the Adobe Integrated Runtime.

Flash and Silverlight aren't the only ways to make these so-called rich Internet applications, though. Silverlight, which drafts off Microsoft's strong developer base and its .Net programming technology, is a newer competitor. And JavaScript is growing up as a way to build more elaborate interfaces in Web applications. Flash, however, enjoys a very broad adoption, and users upgrade to the newer versions relatively swiftly.

Flash Player 10 also is used within Adobe's Creative Suite 4, a broad range of applications including Photoshop, Illustrator, Dreamweaver, and Premiere that just began shipping. Because control panels are written with Flash technology, CS4 menus can be extended by third parties more easily, and Adobe plans to release a Configurator by the end of the month that will make it easy to create custom control panels.

Update 11:25 a.m. PDT: One big Pixel Bender fan is online photo editing site Picnik. Flash Player 10 speeds the site and enables "mind-blowing effects." It also means third parties can create effects of their own using the Pixel Bender technology. See some examples below.

"Future plans with Flash Player 10 include the addition of super high‐resolution photo capabilities, more sophisticated editing features, and the ability to load and save photos without involving an upload to a server," Picnik said Wednesday.

One special effect enabled by Flash Player 10 on Picnik's online photo editing site.

(Credit: Picnik)

Another Flash Player 10 effect in Picnik.

(Credit: Picnik)

Originally posted at Webware
October 8, 2008 12:51 PM PDT

'Clickjacking' attack hides behind the mouse

by Robert Vamosi

On Tuesday, Adobe issued a workaround for a serious issue that could allow attackers to change the security settings within Flash.

Termed "clickjacking," the process gives "an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," wrote WhiteHat Security CTO Jeremiah Grossman in a blog posting last month. He went on to say that while "guarding against Clickjacking was largely the browser vendors' responsibility," both he and Robert Hansen agreed to withhold further information and even canceled their talk recently at OWASP NYC AppSec 2008 Conference at the request of Adobe. In return, Adobe thanked the researchers.

In brief, the attack involves embedded objects on a maliciously crafted Web page. Using framed content or content from Flash, Silverlight, or Java, the attacker places a transparent or invisible click button beneath the mouse so that whenever the user clicks on something visible on the page (to see more search results on Google, for example), the user is also clicking through to an unseen Web site that may contain malicious code. The attack can also take advantage of dynamic HTML and CSS (Cascading Style Sheets) code to further disguise itself.

In a blog, Guy Aharonovsky describes a process using clickjacking where Flash security settings can be changed to allow an attacker access to a PC's Webcam or microphone. This, he says, could create remote eavesdropping possibilities.

Although the demonstration page created by Aharonovsky has been disabled, his video demonstration shows a rigged click button as it randomly moves around the page. In reality, the click button under the mouse would be transparent or invisible to the user. In the background Aharonovsky shows the attack modifying the Flash privacy settings. Aharonovsky says "bear in mind that every Flash, Java, Silverlight, DHTML game or application can be used to achieve the same thing."

The flaws--there may be a half dozen or so specific vulnerabilities related to this--affect users of Internet Explorer, Firefox, Opera, Apple Safari, and Google Chrome. Turning JavaScript off within the browser won't work. The attack doesn't rely on JavaScript. Grossman commented: "Clickjacking is a well-known issue, but severely underappreciated and largely undefended."

Adobe advises users of Flash to set Adobe Flash Player Settings Manager to "always deny." This means that users will not be asked to allow or deny camera and/or microphone access after changing this setting. Adobe says a Flash Player update addressing the issue will be available before the end of the month.

Users of Firefox should in the meantime consider using the NoScript plug-in and setting it to forbid iframe content. More details on configuring NoScript to block this attack can be found here.

Additional US-CERT tips for securing other browsers can be found here.

Originally posted at Security
September 5, 2008 12:36 PM PDT

Hands-on with the new Joost: Software still required

by Josh Lowensohn

Joost on Friday finally took an important step forward by announcing that its desktop software would be getting phased out to make way for a Web watching experience. The only problem is that special software is in fact still required--and we're not talking Adobe Flash.

Whether you're on a Mac or a Windows machine, you'll still need to install an executable file on your computer to view videos. The new plug-in sits on your desktop taskbar even when you're not viewing the site, and apparently only begins to pipe data back and forth to other users when you're watching Joost videos.

The new version of the site will be available for beta testers in about two weeks' time, although I've had the chance to nose around and watch a few videos on it today. Despite the need for software, it's impressive. Videos start playing in just a few seconds and when toggled for full-screen, the quality scales up nicely.

Like before, there are pre-roll ads, although I found them less intrusive and disjointed than Hulu's experience. The only anti-user ad interference I stumbled across was when a pre-roll ad kept me from being able to scroll through content on a playlist. I had to wait about five seconds for the ad to run before I could get back to finding something to watch. Not cool.

The new Joost player runs right in your browser as long as you've got a small piece of software running on your machine.

(Credit: CBS Interactive)

The biggest thing missing from the new Joost is the feeling of immersion. The Joost application, for all its faults, took you away from your desktop and everything else you were doing. Like up-and-comer Boxee, which runs off the core of Xbox Media Center, it's something that had personality and a really marvelous UI. The new version feels a tad sterile, although when it comes to browsing through episodes and series, there's noticeably less lag, and hey, you can continue to get work done on your computer at the same time.

The Joost software sits in your taskbar, ready to serve up vintage Star Trek.

(Credit: CBS Interactive)

Noticeably gone from the new Joost (at least for now) is the user chat. You can still comment on a video and favorite it, but the feeling of a real-time experience has gone out the door. There's also a feature called "shout it out" that lets you flag the video with various pop culture acronyms like LOL, HOT, PUKE, and the generally useful WTF. Clicking on any of these will play a canned sound clip and alert you of your flag, although it has no noticeable effect.

Ultimately the Joost experience comes down to the content and the various ways to dig through it to find something good. While the existing playlists are very good for this, when you're searching by TV network or content provider it's still difficult to simply browse by shows. For instance, clicking on MTV took me to a player that randomly began playing Laguna Beach. Ideally, it would jump me to a list of shows where I could drill down a little deeper--like what was available before.

Software aside, I'm excited to see Joost hop onto the Web. There's a lot of good content on there that you can't find elsewhere, and experiencing it in your browser will seem like second nature for newcomers--that is as long as they're willing to jump through a software hoop.

Originally posted at Webware
April 30, 2007 5:09 PM PDT

Microsoft Silverlight takes aim at Adobe Flash

by Peter Butler
Microsoft Silverlight (Credit: Microsoft)

Today, Microsoft announced the first public versions of its Silverlight application for creating and experiencing rich, interactive applications online. There are two different versions of the cross-browser plug-in: Silverlight 1.0 beta (download for Windows or Mac) and Silverlight 1.1 alpha (download for Windows or Mac).

The big difference between 1.0 beta and 1.1 alpha versions is that the 1.1 alpha allows developers to create Silverlight applications using .NET technologies such as C#. If you don't care much about that new advancement, you probably won't be too excited about some of the sample Silverlight applications that have been created.

To be fair, the downloads of the client only went public today, but the Silverlight gallery of applications is quite slim--eight for the 1.0 beta and seven for the 1.1 alpha, several of which are identical. The two that jumped out at me were the Grand Piano (for 1.0 beta) and Chess (for 1.1 alpha) applications. Grand Piano lets you play a full octave of a virtual piano via keyboard or mouse, and Chess provides a gaming environment with pluggable AI and two gameplay algorithms in both C# and JavaScript.

Grand Piano Silverlight application

The Grand Piano application lets you tickle the ivories with your keyboard.

(Credit: CNET Networks)

Aside from the sample applications in the gallery, there's also a sleek 20th Century Fox movie player built with Silverlight that's currently showing trailers for Fantastic Four, Pathfinder, and Live Free or Die Hard.

One big question about Silverlight is whether or not it will support Linux. Adobe caught a lot of flak from Web developers for being too slow to release a version of Flash 9 for Linux, which essentially forced Web site managers to maintain different content for Linux users. If Silverlight doesn't hit all the major platforms (Windows, Mac, and Linux), it may be difficult for site managers to adopt the technology.

It's obvious that Silverlight is a play by Microsoft to make a dent in the market share for Adobe Flash, which is the undisputed leader in the field of rich Internet applications. Considering that Flash has more than a 10-year head start on Silverlight, the new kid has his work cut out for him.

What's not obvious about Silverlight is whether or not Microsoft will take the same route as Adobe Flex and make any of the code open source. There have been rumors to that effect for months now, but the software giant has definitely not confirmed anything yet.

For further demonstration of the possibilities of Silverlight, check out a video of a prototype Netflix online-movie service in a Webware.com report from Microsoft's Mix 07 conference.
