02.29.08

Mac OS X 10.5.2 Special Report: Adobe application slowness, fixes

Posted in Flash at 3:03 am by Saran

Various Adobe applications may be extremely slow to launch after the Mac OS X 10.5.2 update. Clearing font caches may resolve the issue.

MacFixIt reader Jeffrey Hildt writes:

“Using Insidersoftware’s Font Smasher (the co. that makes Font Agent Pro, my font mgmt. choice) I cleared the font caches of my system and Adobe apps and that seems to have done the trick. At least Ps is staying open without going into a Program Error loop.”

You can use Smasher, like Jeffrey, or Linotype’s FontExplorer X (in the application, choose Tools > Clean System Font Caches and Tools > Clean Application Font Caches).

02.28.08

Adobe AIR security.

Posted in AIR at 3:13 am by Saran

Today marks the official release of Adobe AIR, a platform for developing desktop applications using web-based technologies. Let’s see what this tool offers and what security implications it carries.

Adobe AIR (once known as Adobe Apollo) is a run-time environment that bundles several web-enabling technologies and makes them available on the desktop. According to Adobe’s Mike Chambers, Adobe AIR “leverages a number of open source technologies,” including:

  •  Tamarin - implements JavaScript/ECMAScript, used in Firefox, Flash
  •  SQLite - lightweight database engine
  •  WebKit - renders HTML, used by Konqueror browser in KDE and Safari

Adobe AIR allows developers who know how to write traditional web-based applications to use their skills (HTML, AJAX, Flash, etc.) to write local desktop applications. Applications built using Adobe AIR include AOL Top 100 Videos player, eBay Desktop, and NASDAQ Market Replay.

ISC reader Richard Gurley emailed us a question regarding security concerns associated with this powerful development platform. Two categories of threat vectors come to mind:

  • A malicious Adobe AIR application may act as a trojan and do “bad things” to the victim’s local system.
  • A web-style vulnerability (XSS, etc.) in an Adobe AIR application may allow an attacker to target the application’s data or the victim’s local system.

Desktop-Specific Threats of Adobe AIR Applications

The first set of threat vectors is similar across desktop applications that run locally. Adobe implemented sandboxing to limit some actions of a local Adobe AIR application. Adobe’s documentation makes it clear that the sandboxes are not meant to mimic the rigorous restrictions of a web browser’s sandbox. The Adobe AIR FAQ points out that “applications deployed on Adobe AIR have powerful desktop capabilities and access to local data.”

Adobe AIR applications need to be digitally signed, to assist the end-user in determining whether to trust the application’s author. However, the certificates can be self-signed, and many users will ignore the trust warnings and run even those applications that come from untrusted sources. This is not a new issue, and it is not unique to Adobe AIR.

Ron Schmelzer, an analyst at ZapThink, expressed his concerns with the ability of existing anti-virus tools to protect against rogue Adobe AIR applications in an October 2, 2007, InfoWorld article:

“‘The current generation of spyware, virus, and malware [detection] products have no visibility into running AIR programs,’ Schmelzer wrote in an e-mail. ‘As such, there is a high possibility for malicious AIR applications — which are no longer security-restricted to the browser sandbox and are free to manipulate local machines — to spread into the wild.’”

I am more optimistic about the ability of existing anti-virus suites to detect improper actions of an Adobe AIR application through behavioral techniques that observe any local programs. Such techniques involve checking for suspicious registry, file system, and network actions that a malicious application would exhibit regardless of the framework within which it operates. However, since I have not experimented with Adobe AIR applications, this is purely a hypothetical assessment. (Perhaps those more familiar with the inner workings of anti-virus tools or with Adobe AIR applications would like to comment?)

Web-Specific Threats of Adobe AIR Applications

The other, and perhaps more significant, set of threats to consider is tied to those of any web application. Vulnerabilities in a web application could allow an attacker to launch attacks based on Cross-Site Scripting (XSS), SQL injection, local link injection, and other techniques associated with traditional web applications.

The most interesting security repercussion of a platform such as Adobe AIR is that it merges traditional web application techniques with the more-permissive security models of local applications. Consider a hypothetical example where an Adobe AIR application allows the user to open and execute a local file. An XSS-style vulnerability in an application could allow a remote attacker to inject a malicious JavaScript into the application that would attempt to execute a local program of the attacker’s choice. This is more difficult to execute when the script runs within the confines of a web browser, than if the script runs within a more permissive sandbox of Adobe AIR.
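From the developer's side, the mitigation for the web-style threats above is to treat every remote string as data before it reaches the application's HTML view. The following is an added example, not code from Adobe or from the original article; it assumes a hypothetical application that renders remote feed items, and all function names and sample items are constructed for illustration.

```javascript
// Added example: render remote feed items as data, never as markup.
// All names here are hypothetical; the sample items are constructed.

// Only ordinary web links may become clickable; everything else is dropped.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape the characters that let text break out of an element or attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a normalized URL, or null when it is unparsable, relative,
// or uses a scheme outside the allowlist (script or local-file links).
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Vulnerable form: remote strings are concatenated straight into markup.
function renderUnsafe(item) {
  return '<a href="' + item.link + '">' + item.title + "</a>";
}

// Hardened form: title is escaped, link is allowlisted and then escaped.
function renderSafe(item) {
  const title = escapeHtml(item.title);
  const href = safeHref(item.link);
  if (href === null) {
    return "<span>" + title + "</span>"; // show the text, drop the link
  }
  return '<a href="' + escapeHtml(href) + '">' + title + "</a>";
}

// Constructed sample input: one benign item, one carrying markup and a
// script-scheme link, one pointing at a local file.
const sampleItems = [
  { title: "Market update", link: "https://example.com/news/1" },
  { title: "<script>alert(1)</script>", link: "javascript:alert(1)" },
  { title: "Quarterly report", link: "file:///etc/hosts" },
];
```

In a desktop runtime the allowlist matters as much as the escaping, because a link that survives into the view is followed with the application's privileges rather than a browser's.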

Adobe’s Lucas Adamski wrote an excellent article describing the Adobe AIR security model. In his write-up, Lucas describes the two sandboxes implemented by Adobe AIR and outlines the security risks that the developers of Adobe AIR applications need to consider. He also points to the security documentation Adobe wrote to assist developers in addressing some of these challenges. Lucas highlights the need for developers to follow Adobe’s security recommendations to create resilient applications:

“However, the privileges inherent in a full desktop application mean the developer can sometimes find ways around these restrictions. The reality is that doing so will almost certainly introduce a large amount of security risk into the application and for the end users of the application. Thus Adobe strongly recommends that developers stay within the restrictions placed by the AIR security model, and carefully consider the cost of implementing rigorous security mitigations for bypassing them. In most cases the development cost of these mitigations will significantly exceed the cost of finding an alternative solution that stays within the bounds of the security model.”

Undoubtedly, many developers will be unaware of Adobe AIR security best practices or will knowingly take shortcuts that expose end-users to attacks. Will our desktop lock-down practices and anti-virus tools compensate for such conditions? I hope the answer is “yes,” but I suppose only time will tell.

02.22.08

Adobe pushes DRM for Flash

Posted in Flash at 3:58 am by Saran

Now Adobe, which controls Flash and Flash Video, is trying to change that with the introduction of DRM restrictions in version 9 of its Flash Player and version 3 of its Flash Media Server software. Instead of an ordinary web download, these programs can use a proprietary, secret Adobe protocol to talk to each other, encrypting the communication and locking out non-Adobe software players and video tools. We imagine that Adobe has no illusions that this will stop copyright infringement — any more than dozens of other DRM systems have done so — but the introduction of encryption does give Adobe and its customers a powerful new legal weapon against competitors and ordinary users through the Digital Millennium Copyright Act (DMCA).

We can see that the ability to openly download and remix video is part of a new ecosystem of amateur entertainment — watch Drama Prairie Dog and its countless responses:

02.19.08

Data Communication between JavaScript and Adobe Flash Movie

Posted in Flash at 9:45 am by Saran

Passing data to Adobe Flash Movie using JavaScript

In the Web 2.0 arena we frequently use Adobe Flash movies and JavaScript together in our web pages. We often need to pass data to the Adobe Flash movie at runtime. This can be achieved through communication between JavaScript and the Adobe Flash SWF movie. “SetVariable” is a method available in JavaScript that is responsible for passing data from JavaScript to the Adobe Flash SWF movie.

Syntax:
SwfMovieName.SetVariable(variable name, data to be sent);

Note on using setVariable:

  • SetVariable requires a variable name, so a variable needs to be defined in the Adobe Flash movie, and the name of that variable is passed to the SetVariable method
  • Also name attribute for the tag and tag is required to access the adobe flash movie object in javascript.
  • HTML Code:
    <html>
    <head>
    <script LANGUAGE="JavaScript">
    	// Pass a string to the variable "i" defined inside the Flash movie
    	function changetext(str)
    	{
    		// Look the movie up through the window object ...
    		if(window.flashmovie)
    			window.document["flashmovie"].SetVariable("i", str);
    		// ... and through the document object
    		if(document.flashmovie)
    			document.flashmovie.SetVariable("i", str);
    	}
    </script>
    </head>
    <body>
    	<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="" ID="flashmovie" WIDTH=400 HEIGHT=80>
    		<param NAME="movie" VALUE="sample.swf">
    		<embed play="false" swliveconnect="true" name="flashmovie" src="sample.swf" quality="high" bgcolor="#FFFFFF" WIDTH=400 HEIGHT=80 TYPE="application/x-shockwave-flash"></embed>
    	</object>
    	<form>
    		<p><input type="button" name="One" value="hello" onclick="changetext('hello')"/></p>
    	</form>
    </body>
    </html>

    Explanation:

    • Here I have defined a function changetext in JavaScript, which will pass the data (the function argument) to the Flash SWF movie
    • The window object refers to the Mozilla Firefox and Opera browsers, whereas the document object refers to the Microsoft Internet Explorer browser, so I am checking for the Flash movie object reference through if conditions
    • Finally I am calling the SetVariable method to pass the data to the Flash movie

    ActionScript Code

    var i = "";
    
    var j = setInterval(checki,10);
    
    function checki()
    {
    	if(i != "")
    	{
    		myText = i + "123";
    		clearInterval(j);
    	}
    }

    Here I have set an interval that will check whether variable i has received any data. As soon as i receives any data, it clears the interval and assigns the data to myText, where myText is the variable name of the dynamic textbox.

    02.15.08

    Vectors in ECMAScript 4

    Posted in AS3 at 4:11 am by Saran

    A new built-in class named Vector is proposed for ECMAScript edition 4. This class is similar to the Array class, but is designed for better performance, efficiency and error checking. Some interesting aspects of the Vector class:

    * vectors are dense;
    * vectors do bounds checking;
    * vectors can be fixed length;
    * vectors have type parameters;
    * vectors have the same methods as arrays.

    I’ll take a closer look at each of these bullet points, but first, here’s how the Vector class and constructor declaration will probably look in ActionScript, where ‘T’ represents a data type:
    final class Vector.<T> { function Vector(length:uint=0, fixed:boolean=false) {} …. }

    The Vector class is defined with the final attribute right now, which means that you cannot create subclasses. This could change, however, before the specification is finalized. The length parameter has a type annotation of uint, which means that the maximum vector size is 2^32-1 and the largest index value you can use is 2^32-2.

    Vectors are dense

    If you are familiar with ActionScript arrays, you know that they can have “holes” in them. For example, let’s say you have an array that has three elements and the length property is 3. That’s a “dense” array with no holes. However, I can write to an arbitrary index number and the array will automatically “grow” to accommodate me. For example, if I write to index 10, the length of the array will grow to 11, but the array will have a hole in it between index 3 and 9, inclusive. Or, you could look at it as having 7 holes, with each undefined element considered a hole. Having holes like this can really slow down the process of iterating through the array. Vectors, by contrast, are always dense. You cannot have holes in a vector. Every element of a vector is always defined.

    Vectors do bounds checking

    So what happens if I have a vector with three elements and I try to assign a value to index 10, as I did with an array in the previous paragraph? The short answer is that you get a runtime error (a RangeError to be precise). In fact, this happens even if you just try to read from that index, much less write to that index.

    There is a little flexibility built in, however, for those who want to change the size of the vector. First, you can “grow” a vector by assigning to the very next available index. For example, if I have a vector with three elements (index positions 0, 1, and 2), I can directly assign a fourth element to index position 3. Second, I can alter the value of the length property to grow or shrink the size of the vector. For example, if I change the length to 11, I’ll increase the size of my vector so that it contains 11 elements. This is somewhat similar to how the length property works for arrays, but the significant difference is that with vectors, all 11 of the elements are defined. Both of these techniques, however, work only if the fixed property is set to false.

    Vectors can be fixed length

    You may have noticed that the second parameter to the Vector constructor function is a boolean named fixed. The default value is false, but you can set this to true either at construction time or anytime thereafter using the fixed property of the Vector class. Whenever fixed is set to true, any attempt to change the size of the vector will generate a runtime error, whether the attempt is made by assigning a value to the index number that is equal to the value of length or by directly changing the value of the length property.

    Vectors have type parameters

    You can use type parameters to designate that you want a “mono-typed” vector, which means that the vector can contain values of only one specific type. For example, you can define a vector that holds only integers and has a fixed length of 7 by declaring:
    var intVector:Vector.<int> = new Vector.<int>(7, true)

    The resulting intVector vector will be constrained to values of type int.

    Vectors have the same methods as Arrays

    The current plan is for the Vector class to have as many of the Array methods as possible. Vector will contain not only the traditional methods such as push(), pop(), slice(), sort(), etc., but also some of the newer methods such as every(), filter(), indexOf(), some(), etc. A complete list should be available soon on ecmascript.org.
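The dense, bounds-checked, fixed-length and typed behaviour described in this post can be emulated in today's JavaScript. The following is an added illustration, not code from the ECMAScript 4 proposal: DenseVector, its isType and fillValue parameters, and the TypeError raised on a type mismatch are assumptions made for the example.

```javascript
// Added illustration of the semantics described in this post. DenseVector is a
// hypothetical stand-in built on Array, not the proposed ES4 Vector class.
class DenseVector {
  // isType and fillValue are assumptions standing in for the type parameter T
  // and for whatever default value a newly created element receives.
  constructor(length = 0, fixed = false, isType = Number.isInteger, fillValue = 0) {
    this.items = new Array(length).fill(fillValue); // dense: every slot defined
    this.fixed = fixed;
    this.isType = isType;
    this.fillValue = fillValue;
  }

  get length() { return this.items.length; }

  set length(n) {
    if (this.fixed) throw new RangeError("fixed vector cannot be resized");
    if (!Number.isInteger(n) || n < 0) throw new RangeError("bad length " + n);
    const old = this.items.length;
    this.items.length = n;                             // shrink or grow
    if (n > old) this.items.fill(this.fillValue, old); // define the new slots
  }

  get(i) {
    if (!Number.isInteger(i) || i < 0 || i >= this.items.length) {
      throw new RangeError("read out of bounds at index " + i);
    }
    return this.items[i];
  }

  set(i, value) {
    const len = this.items.length;
    if (!Number.isInteger(i) || i < 0 || i > len) {
      throw new RangeError("write out of bounds at index " + i);
    }
    if (i === len && this.fixed) {
      throw new RangeError("fixed vector cannot grow");
    }
    if (!this.isType(value)) {
      throw new TypeError("value is not of the element type"); // assumed error type
    }
    this.items[i] = value; // i === len appends: the one permitted way to grow
  }
}

// Counts indexes below length that were never assigned (array "holes").
function countHoles(arr) {
  let holes = 0;
  for (let i = 0; i < arr.length; i++) {
    if (!(i in arr)) holes++;
  }
  return holes;
}

// The Array behaviour the post contrasts against: writing index 10 of a
// three-element array leaves indexes 3..9 as holes.
function sparseArrayDemo() {
  const arr = [1, 2, 3];
  arr[10] = 11;
  return { length: arr.length, holes: countHoles(arr) };
}
```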

    This only scratches the surface of the new Vector class. Rest assured that there will be more to come about this new built-in class as we move forward with the draft specification. Here are some relevant links on the ecmascript.org site:

    02.13.08

    ActionScript 3 Full Browser Background Image

    Posted in AS3 at 3:59 am by Saran

    Fairly simple ActionScript 3 implementation of a full browser background image.

    Class Features

    * Supports a minimum scale size which, if set, will clip rather than scale the image if the stage is resized below this point
    * Dispatches a Loaded and Loading Event
    * Supports a removal event

    View Example
    Here is an example: http://www.noponies.com/dev/as3_fullbrowser/

    Source Files
    Here are the relevant source files: ActionScript 3 Full Browser Background Files

    Dependencies
    Class uses tweenLite for alpha fade. This is one line, and is easy to remove.

    02.08.08

    Understanding The Architecture of a Rich Internet Application

    Posted in Uncategorized at 4:42 am by Saran

    This article I found on devnet. The same I am posting here.

    Whether you are using Flex, Ajax, Silverlight, JavaFx, or some other RIA technology, the basic architecture is going to be pretty similar… In most cases you will typically have a stateful client application and a separate services layer on the backend. It is important to understand this differentiation, and to understand that this plays a huge role in how you design and build your applications.

    RIA lends itself more to client-server development than to traditional web development, where state is maintained on the server in application or session scope. The client thus knows about itself and the types of data it is requesting. It will request only the data it needs from the server, and no extra markup. This often leads to a cleaner services layer and less-complicated server requests, and in some cases even a reduced overall load on the server.

    It is also important to understand the sub-architectures within the overall architecture of the application. In the big picture, you have the client communicating with the server through a services layer. Whether you are using AMF remoting, XML over HTTP, JSON, or SOAP does not necessarily matter. There are pros and cons to each, which I may discuss at length in the future, but for now I’m focusing on the architecture itself.

    Each component of the larger architecture has an architecture of its own. You may hear people discussing the use of MVC in their applications, but the interpretation of MVC depends on who is doing the talking.

    Model-View-Controller (MVC) is a software architectural pattern where an application is broken into separate layers for the data model, the user interface (view), and the business logic. The logic, model, and views are decoupled, and communicate through an intermediary controller. This pattern enables both abstraction of logic, and reuse of code/components throughout the application. You can read more about MVC here.

    In traditional web development, there was basically a singular MVC, where the page requests were handled by a controller, which delegates how a page is processed and how the data is inserted into the view (or how data is pushed into the model).

    In the RIA world, you really have two layers of MVC. There is an MVC inside of the client application itself, and an MVC in the backend services as well. Not every application uses a formal MVC or a full blown framework for handling the client and services, but each side typically has at least a rudimentary MVC-type of functionality.

    The MVC on the client manages the interaction between you and the user interface. You invoke commands, update views, load data, etc… The client MVC maintains the state of the application, handles all requests to the server for data, and controls how the data is presented in the view.

    The MVC on the server handles requests from the client. The services-layer MVC processes the requests from the client application, and delegates actions on the server. This could be saving data in a database, updating the file system, some kind of analytical processing, or returning chunks of data to the server. The big differentiation here is that there is no user interface. Instead of a user interface, the view would be the format of the data that is being returned to the client application. In this case the view would determine the result format (JSON, XML, etc…). Another benefit of a differentiated service layer is that you can already have the infrastructure built to create a public API on top of your services logic, if you have the need (or desire) to maintain one.

    There is no definitive choice of technology for RIA. You can do lots of cool things with lots of different technologies. Back ends can be written in Java, ColdFusion, PHP, Rails, .NET, etc… On the client side, there are established MVC frameworks for Flex/ActionScript and AJAX, some emerging ones for Silverlight, and adapted Java frameworks for JavaFX. The choice of both the back-end and the front-end should be determined by the needs and capabilities of your application, and also by your existing infrastructure.

    02.05.08

    Flash video (FLV) bitrate calculator

    Posted in Flash at 3:17 am by Saran

    This FLV bitrate calculator was developed by Robert Reinhardt to help you determine the optimal bitrate at which to encode your Flash video files.

    For more details, visit: http://www.adobe.com/devnet/flash/apps/flv_bitrate_calculator/