Knowing Storyline (and other eLearning authoring tools) still exports and obscures to flash/swf for HTML5 and SCORM, etc. can anyone shed light on the security issues that might arise from Flash's latest - and never ending security flaws? I have clients that have raised concerns.
Also, can I just delete all swf support files and just link to story_html5.html without losing any features or experience any other unforeseen issues?
Hi Jim,
I can't recommend deleting the files - others in the community might. You can point directly to the story_html5.html link and that'll bypass the Flash output. But we're aware that some browsers, such as Firefox have changed how they're handling Flash content and you'll want to make sure you're using the latest version of Flash in the particular browser.
Please also know that we have a dedicated team focused on HTML5 as well as dedicated teams focused on playback via the Articulate Mobile Player. While we can't speak to future releases, we are aware of the decisions being made that impact the ability of web browsers to display Flash content and are actively working to make sure that our content will work on all major web browsers.
Thanks Ashley. Just did a quick test from the latest version of Firefox with Flash disabled and installing an additional flash blocker, then deleted all swf support files from the Storyline output. Everything worked fine for me when launching from story_HTML5.html.
Happy to hear it Jim - and if you'll be pointing directly to the HTML5 output and removing all Flash it's also worth noting these are the browsers we support for HTML5.
I think it's high time for Storyline to provide a true HTML5-only publishing option.
Story_html5.html works like a charm for me on Windows 8.1 IE 11 also. ;-)
I love, love love the idea of using Flash less and less. But it feels super important to clarify the method by which these types of vulnerabilities work.
The storyline generated Flash files are not something that would allow the vulnerability to work. To be vulnerable, folks need:
The right versions of the Flash player
To visit a site that contains maliciously coded swf's
In every case of vulnerability, visiting a site either through trickery or dark side exploration is the only way you can get infected / violated. And in the case of MOST Flash, Java, and browser vulnerabilities, the vector of attack is extremely sophisticated and no attacks have actually been seen in the wild. I really wish the articles that erupt every time there is a vulnerability would spend as much time on the realities of the vulnerability as they did raging and hating on the Flash player.
Deleting your swf files is not necessary. If the machine in question does not have the Flash player, the output will automatically switch over to the HTML output.
Well said, and thank you for eloquently reducing hyperbole to actual reality, Steve.
To add to Jim's question, I have several clients present and past that have contacted me this week with concerns. All our (their) products are published in the HTML5 output and I've explained (not as well as Steve just outlined) that we're fine. Add the securities and firewalls of "most" client environments and LMSs, I believe Storyline's Flash output is not in jeopardy.
That said, the browsers have spoken and some are yelling. Articulate is a software company first, and a fine one at that. Rest assured when Ashley says there is a dedicated team working on this, you should be comfortable knowing you have a team working in the shadows for you.
The best outcome here, in my view, is the demise of older browsers:) If the outrage and hyperbole over Flash player vulnerabilities (which were fixed the day they were reported) result in the disappearance of IE8, IE9, and IE10... it will be worth it:)
Disappearance of all IE would be good.
Many thanks for the information. I'll pass along to my client.
Thanks Steve - incredibly well written and a great reminder. And thanks for the vote of confidence Kevin - our "team in the shadows" doesn't always get a lot of recognition - but they're working hard and pretty awesome!
From the client:
Regarding your assertion that Flash attacks are not seen in the wild, I can assure you that is completely false. I can only assume you are talking about something else, otherwise the CVE scoring for the 103 Critical Flash vulnerabilities in 2015 would not be “10”, as two of the variables that contribute to such a high rating are exploitability and complexity.
The latest Flash zero-days were included in all popular exploit toolkits within 24 hours of their announcement. Inclusion in these toolkits makes the exploit available to relatively unsophisticated attackers.
Thoughts?
http://www.intego.com/mac-security-blog/adobe-patches-flash-security-flaw-under-attack-in-the-wild/
“Adobe is aware of a report that CVE-2015-5119 is being actively exploited in the wild,”
As Steve points out you must have the affected player and visit a site that has the exploit.
The courses published in Storyline will not make the client more vulnerable.
Hey Jim -
Was referring to the latest vulnerability that caused Firefox to deactivate the Flash player. There are exploits in the wild for some vulnerabilities. However, I am not aware of any reported issues (am now that Phil shared the article) with the latest discovered exploit before patching. I think what they're getting at is the significant risks for folks that are not patched.
As I mentioned before, the risks are higher for folks that click-through phishing links or hit sites that have either fallen victim to other attack or have intentionally been constructed to distribute an exploit.
The point of all of this is to say that the risk isn't the same for all. If folks 1) patch their player and 2) only hit trusted sites / content, their risk nears the extreme end of low (not zero). Refuse to patch your player and only hit trusted sites / content, the risk is marginally higher. Not patching your player and hitting every link you get in email and your spam folder will expose you to all kinds of ugliness. But this is a risk whether or not you have the Flash player installed.
And that's where the hyperbole and outcry really starts to create a problem. Deactivating the Flash player is a solution with other business consequences (for the short term). Could be worth it for some. But anyone who thinks that eliminates risk of security exploits is deluding themselves. And many simply use Flash player vulnerability as an extension of group think bias.
I'm all for using Flash media less. But for many, it simply isn't a great option. I still have Flash content that runs exactly as it did 15 years ago within the Flash player. No changes required. I also have HTML content that runs as it did (mostly) 15 years ago. But these aren't equivalents. I have HTML5 content that I can't get to run 100% consistently across platforms... Because browsers. Reality presents tough trade-offs. If we're going to argue about the disappearance of a cross platform reliable (within reason) technology, we should probably look at things from more than one perspective:)
Thanks for that link, Phil. Good info. I stand corrected. Looks like there aren't reports for the Mac;)
Wish there were more statistics for these to indicate saturation (how many users), attack vector (link in email, hijacked site).
Thanks Phil and Steve!
Just a curious follow up question. Why does Articulate still publish various support files in swf format when choosing HTML5 output? Legacy support of some sort? Again, I've tested the HTML5 output in various browsers AFTER deleting all swf files from the published output folder and everything worked as normal for me.
Hi Jim -
There currently isn't an option to publish exclusively to HTML5. I suspect this is because, originally, the Flash version operated MUCH better than the HTML5. The tables have turned a bit and HTML5's output is a lot better than it was during version 1. It may not be long until there is a "Publish exclusively for HTML5". I would definitely use this as it shrinks packages by around 1/2. Put in a feature request! I'll do the same.
The more feature requests the better. ;)
Thanks Steve for continuing to educate us all here!
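For clients who ask what Flash content a published package actually contains, a read-only inventory like the one below can answer it. This is an added example, not from the thread or from Articulate: it flags files by SWF signature (FWS/CWS/ZWS) as well as by extension and lists text files that still reference a .swf. The sample layout and every file name other than story_html5.html are constructed assumptions.

```python
import os
import tempfile

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA signatures
TEXT_EXT = (".html", ".htm", ".js", ".xml", ".json", ".css")


def audit_package(root, entry="story_html5.html"):
    """Read-only inventory of Flash content under a published course folder."""
    report = {"entry_found": False, "swf_files": [], "swf_references": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            # The thread spells the entry point two ways, so compare case-insensitively.
            if rel.lower() == entry.lower():
                report["entry_found"] = True
            with open(path, "rb") as fh:
                head = fh.read(3)
                # Only text-like files are read in full to look for references.
                body = fh.read().lower() if lower.endswith(TEXT_EXT) else b""
            if head in SWF_MAGIC or lower.endswith(".swf"):
                report["swf_files"].append(rel)  # Flash by signature or extension
            elif b".swf" in head.lower() + body:
                report["swf_references"].append(rel)
    report["swf_files"].sort()
    report["swf_references"].sort()
    return report


def demo():
    """Build a constructed sample folder (not Storyline's real layout) and audit it."""
    sample = {
        "story.html": b"<object data='story.swf'></object>",
        "story.swf": b"CWS\x0a constructed placeholder, not a real movie",
        "story_html5.html": b"<script src='story_content/player.js'></script>",
        "story_content/player.js": b"/* constructed HTML5 player stub */",
        "story_content/frame.bin": b"FWS\x0a Flash signature, misleading extension",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_package(root)


if __name__ == "__main__":
    print(demo())
```

An empty `swf_references` list for the files reachable from the HTML5 entry point is the condition to check before shipping a package with the SWF files removed.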