Microsoft Security Bulletin MS11-018

Microsoft will today (2011-04-12) start to push out a cumulative update that affects, amongst others, Internet Explorer 6 and Internet Explorer 7.

For these two browsers easyXDM provides a transport called NixTransport, which was derived from the work done on the Apache Shindig project, and this transport works by exploiting one of the security holes closed with this security update.

Most home users will receive this update tonight, or early next morning from Windows Update, and corporate/enterprise users per their respective update schedules, but thanks to some people in the loop I was informed of this yesterday and have had time to prepare a transport that replaces the NixTransport for IE6 and IE7.

The new transport is called FlashTransport and utilizes an AS2 swf and its LocalConnection capabilities to relay data between domains. It is on par with the other A-grade transports with regard to speed, but it does require that Flash is installed (6+) in order to function. Without Flash, one of the lower-grade fallbacks will be used instead.

Anyway, in order to still be able to support IE6 and IE7 after this update from Microsoft is pushed out, you need to upgrade to v2.4.12 (get the zip at GitHub).

How to upgrade

Upload the new easyxdm.min.js file together with the new easyxdm.swf file and add the following to your transports configuration:

swf: "absolute/or/relative/path/to/easyxdm.swf"

You MUST only reference one of the domains' `easyxdm.swf` files, preferably the provider's (this fits with regular use cases too), and there is no need for any `crossdomain.xml` files.
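The rule above can be checked before deployment. The following is an added example, not part of easyXDM or the original post: a Node script that resolves the `swf` setting as the consumer page would and reports which domain hosts it. The helper name `checkSwfSetting` and the `*.example` URLs are constructed, and rejecting a swf on a third origin is this example's reading of "one of the domains'".

```javascript
// Added example: pre-deployment check for the `swf` transport setting (run under Node).
// checkSwfSetting and the *.example URLs are constructed for illustration.

// Resolve `swf` the way a browser would on the consumer page, then classify
// which side of the easyXDM channel hosts the file.
function checkSwfSetting(consumerPageUrl, remote, swf) {
  const consumerOrigin = new URL(consumerPageUrl).origin;
  const providerOrigin = new URL(remote, consumerPageUrl).origin;
  const resolved = new URL(swf, consumerPageUrl);

  let swfHost;
  if (resolved.origin === providerOrigin) {
    swfHost = "provider"; // the preferred placement
  } else if (resolved.origin === consumerOrigin) {
    swfHost = "consumer"; // allowed, as long as only this one file is referenced
  } else {
    // Assumption of this example: a swf on any other origin is rejected.
    throw new Error("swf is hosted on neither domain: " + resolved.origin);
  }
  // `remote` and `swf` are the keys passed in the easyXDM configuration.
  return { swfHost, config: { remote, swf: resolved.href } };
}

// Constructed sample input.
const consumerPage = "http://consumer.example/app/index.html";
const remoteUrl = "http://provider.example/xdm/remote.html";

// Absolute path on the provider's domain.
const preferred = checkSwfSetting(
  consumerPage, remoteUrl, "http://provider.example/xdm/easyxdm.swf");
console.log(preferred.swfHost, preferred.config.swf);

// A relative path resolves against the consumer page, so the consumer hosts it.
const relative = checkSwfSetting(consumerPage, remoteUrl, "easyxdm.swf");
console.log(relative.swfHost, relative.config.swf);
```

A relative `swf` path silently lands on the consumer's domain, which is why the check resolves it to an absolute URL before classifying it.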

For those who are interested in the inner workings, here they are:
