Adobe Flash Player 11 Promises Security Improvements

Flash Player upgrade will add SSL and better crypto features, while Android version gets the ability to nuke Flash cookies.
Adobe announced this week that it's putting the finishing touches on a new version of Flash Player that will provide new security and privacy enhancements on both the desktop and mobile versions of its application.

Notably, Flash Player 11--set to debut in early October--adds desktop support for SSL socket connections, as well as a secure random number generator, both of which should help developers better secure users' information. "Flash Player previously provided a basic, random number generator through Math.random. This was good enough for games and other lighter-weight use cases, but it didn't meet the complete cryptographic standards for random number generation," said Adobe's Lindsey Wegrzyn, senior product manager for privacy, and Peleus Uhley, a platform security strategist, in a blog post.

Instead, Flash Player 11 will include a random number generator API that hooks into the cryptographic functionality built into the underlying operating system. "The native OS cryptographic providers have better sources of entropy and have been peer reviewed by industry experts," said Wegrzyn and Uhley.
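The difference described above, shown as an added example in JavaScript for Node.js (not Adobe's code and not ActionScript). The linear congruential generator is a hypothetical stand-in for a "basic" generator, not Flash Player's actual Math.random algorithm, and all function names and seed values are constructed for illustration.

```javascript
const { randomBytes } = require('crypto');

// Hypothetical "basic" generator: a 31-bit linear congruential generator.
// Its whole future output is determined by the seed.
function basicRng(seed) {
  let state = seed >>> 0;
  return function next() {
    state = (Math.imul(state, 1103515245) + 12345) & 0x7fffffff;
    return state;
  };
}

// Session token built from the basic generator. It looks random, but
// anyone who knows or guesses the seed can regenerate it exactly.
function weakToken(seed, bytes = 16) {
  const next = basicRng(seed);
  const buf = Buffer.alloc(bytes);
  for (let i = 0; i < bytes; i++) buf[i] = (next() >>> 16) & 0xff;
  return buf.toString('hex');
}

// Session token drawn from the operating system's cryptographic provider.
function strongToken(bytes = 16) {
  return randomBytes(bytes).toString('hex');
}

// If the seed is a millisecond timestamp known to lie in a window, the
// token carries at most log2(windowMs) bits of unpredictability, no
// matter how many bytes the token contains.
function seedEntropyBits(windowMs) {
  return Math.log2(windowMs);
}

const seed = 1234; // constructed sample seed
console.log('basic, seed 1234 :', weakToken(seed));
console.log('basic, same seed :', weakToken(seed)); // identical output
console.log('OS provider      :', strongToken());
console.log('OS provider      :', strongToken());   // independent output
console.log('bits, 1h window  :', seedEntropyBits(60 * 60 * 1000).toFixed(1));
console.log('bits, OS 16 bytes:', 16 * 8);
```

Both tokens are 32 hex characters long, so length says nothing about strength; what matters is where the bytes come from.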

For the first time, Flash Player 11 adds 64-bit operating system support. One upside of this will be more effective address space layout randomization (ASLR) for Linux, Mac OS, and Windows browsers that support ASLR in 64-bit mode. "Traditional 32-bit ASLR only has a small number of bits available in the memory address for randomizing locations. Memory addresses based on 64-bit registers have a wider range of free bits for randomization, increasing the effectiveness of ASLR," said Wegrzyn and Uhley.

The Android version of Flash Player 11, meanwhile, will also sport a number of security enhancements, some of them previously introduced for desktops as of Flash Player 10.3 in May. Notably, mobile device users will gain the ability to clear local shared objects--aka Flash cookies--from their browser. Other improvements include a device-native control panel for controlling Flash Player settings, as well as support for private browsing, aka incognito mode, although this feature will only work on Android Honeycomb (version 3.x).

Beyond these security and privacy enhancements, Adobe said Flash Player 11, as well as AIR 3--the new version of Adobe's cross-platform, Web application runtime environment, also set to be released next month--will offer high-definition video and three-dimensional rendering. Adobe said the new, underlying rendering engine, called Stage 3D (which runs on desktops and laptops, but not smartphones or tablets), renders 1,000 times more quickly than the engine built into Flash Player 10. As a result, Adobe is touting Flash Player 11 as a way to offer "console-quality games" to users, and said the technology will also support high-quality HD videoconferencing.

With AIR 3, Adobe is also adding support for three new platforms: iOS (including the iPhone and iPad), Android, and Adobe AIR for TV. In addition, AIR developers will be able to build their own native extensions for AIR applications, which Adobe said may improve performance. Developers can also use these extensions to access native operating system and hardware features, "such as sensors (gyroscopes, magnetometers, light sensors, etc.), multiple screens, native in-app payments, haptic/vibration control, device status, and Near Field Communications," said Adobe.