GetVariable/SetVariable crashes Internet Explorer with Flash Player 6

A few weeks ago a reader asked me if I knew why FlashObject would be crashing some of his users’ browsers. After a bit of investigation, it turns out that the new Flash version checking routine was crashing the Flash player, but only certain versions and only in Internet Explorer on PC.

Here’s what the crash looks like:
[Image: Flash Player crash]

After some investigation, it turns out that the problem is in a few specific versions of Flash Player 6. If you are running Internet Explorer and Flash Player version 6.0.21, 6.0.23, or 6.0.29, the browser will crash if you call GetVariable or SetVariable (or a number of other methods that are built into the Flash Player plugin).

Since I don’t think that crashing your user’s browser is very acceptable, I’ve made a few changes to FlashObject. The detection script is a bit smarter now, and it will only try to do a minor version lookup (and possibly crash the user’s browser) if it really needs to. Most users of FlashObject probably aren’t using some of the more advanced features like ExpressInstall or doing minor version checks for specific Flash 6 versions. I’m sure they are out there, but the majority probably just check for version 6 or 7 and are done with it.

Let me also say that I don’t think this is a major bug. Users who have these specific player versions AND use Internet Explorer are probably an extremely small number, but I also think it’s very important that developers know if their website might cause a user’s browser to crash.

This problem will also show up in other Flash detection scripts out there, including Macromedia [Adobe]’s own Flash Player Detection Kit, and Bobby van der Sluis’ UFO script.

Because of this issue, I’ve made some changes to the FlashObject script. It will cause fewer crashes by avoiding the minor and revision version checking unless it’s absolutely necessary.

However, there are still a few conditions where FlashObject may cause a user’s browser to crash:
These assume that the user has one of the problematic Flash Plugins installed on their system and is using Internet Explorer – all other Flash versions and Browser combinations should be 100% safe.

  • When your site uses the ExpressInstall feature. Because the first Flash version to use ExpressInstall is version 6.0.65, we need to see if their Plugin can support it. Since we check and see that they have player version 6 installed, FlashObject will do the check to see what revision they have, which will crash the browser (again, only if they have one of the problem players – if they have version 6.0.65, the upgrade will start and everything will be just fine).
  • If you specify that your movie needs a plugin version higher than 6, but less than 7 (like 6.0.65), then the player will do the minor version lookup, and possibly crash the browser if they have one of the problem plugins.
  • Using the getPlayerVersion() function alone. You can see an example of this on my flashversion.html page. I use the function to simply check what version is installed. Because it’s an extensive check it will do the full version lookup and will crash the browser if the user has one of the problem player versions installed.
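The three conditions above reduce to one decision: can the installed major version alone answer the question, or is the minor/revision lookup unavoidable? The sketch below is an added example, not FlashObject’s own code; the function and option names are hypothetical, and it assumes the major version is already known before the lookup, as the post implies.

```javascript
// Added example: helper names are hypothetical, not FlashObject's API.
// Flash Player 6 builds the post lists as crashing IE on GetVariable/SetVariable.
const CRASH_PRONE_BUILDS = ["6.0.21", "6.0.23", "6.0.29"];
const EXPRESS_INSTALL_MAJOR = 6; // ExpressInstall first appears in 6.0.65 (per the post)

// "6" -> [6, 0, 0]; "6.0.65" -> [6, 0, 65]
function parseVersion(text) {
  const parts = String(text).split(".").map((p) => parseInt(p, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// True for the three builds named in the post (useful when triaging crash reports).
function isCrashProneBuild(version) {
  return CRASH_PRONE_BUILDS.includes(parseVersion(version).join("."));
}

// Decide, from the installed MAJOR version alone, whether the
// minor/revision lookup (the call that can crash) is really needed.
function planVersionCheck(installedMajor, required, opts = {}) {
  const req = parseVersion(required);
  const wantsMinor = req[1] > 0 || req[2] > 0;
  let fullLookup = false;
  if (opts.exactVersionWanted) {
    // Case 3: getPlayerVersion() used on its own always needs the full version.
    fullLookup = true;
  } else if (installedMajor === req[0] && wantsMinor) {
    // Case 2: same major, but a specific minor/revision is required (e.g. 6.0.65).
    fullLookup = true;
  } else if (opts.expressInstall &&
             installedMajor === EXPRESS_INSTALL_MAJOR &&
             installedMajor < req[0]) {
    // Case 1: a v6 player needs upgrading; confirm it can run ExpressInstall.
    fullLookup = true;
  }
  // Only IE with a major-version-6 player can hit one of the problem builds.
  const crashRisk = fullLookup && Boolean(opts.isIE) && installedMajor === 6;
  return { fullLookup, crashRisk };
}
```

A site that only requires version 6 or 7 gets `fullLookup: false` for every visitor, which is why most FlashObject users are unaffected.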

I’ll be releasing the new version of FlashObject with these fixes in the next few days. Or, if you are interested in checking it out now, drop me an e-mail and I’ll send you an advance copy to test out.

UPDATE: The new version of FlashObject is out (v. 1.3) – go get it, it fixes this problem in most cases, but it wasn’t possible to eliminate the issue entirely when using ExpressInstall or when specifically checking for the minor/revision numbers.

14 thoughts on “GetVariable/SetVariable crashes Internet Explorer with Flash Player 6”

  1. My boss claims that our webpage is crashing his computers, I have not seen one crash yet. If you can send me a copy of your modification, that would be awesome, I can not reproduce the crash, but this sure sounds like it. BTW the webpage koolbrains.com is supposedly crashing some IE browsers, do you see anything I’m doing wrong?

  2. This is actually probably a more serious bug than we can imagine. The possibility of this being further exploited by websites is pretty large. If you’re right I hope they patch it soon.

  3. There is perhaps a way to close this hole a little bit further, though not 100%. You can use clientcaps behaviour to get the full version (including revision #) for Flash 6 on IE.

    ClientCaps cannot be used on WinXP SP2 to obtain the flash version, but it appears to be possible for previous Windows versions (I tried it on IE 5 Win98SE).

    Here is a sample tester using the clientcaps when version 6 is present (but uses GetVariable for other versions):
    http://www.pinlady.net/stuff/FlashTester.htm

    MS says that XP SP2 was changed to turn off clientcaps version checking for flash:
    http://www.microsoft.com/windowsxp/expertzone/chats/transcripts/04august12.mspx

    But perhaps this means that XP SP1, Win2000 (have not checked this one myself), Win98 would work.

    So then the only hole would be Flash 6 on XP SP2 (and all later versions of Windows to come). But the number of SP2 systems and future Win systems with Flash 6 must be even smaller.

    Don’t know how much of a difference this makes though. Most people are probably using SP2 anyway.
    But I doubt anyone would install Flash 6 on Vista.

  4. Ok, I did not test it on SP1, since I don’t want to roll back my system from SP2.

  5. Well that’s interesting, I’ve never heard of this ‘clientcaps’ stuff before.

    If this turns into a bigger issue (I really doubt it will) then maybe I’ll adjust a bit, but for now I haven’t received more than a couple complaints about it.
