Announcing YUI 3.1.2: Critical Security Update for All YUI 3.1.x/3.2.0pr1 Users

By YUI Team, August 19, 2010

The YUI team released YUI 3.1.2 today. This is an important security update for all users of YUI 3.1.x and 3.2.0pr1. If you are hosting YUI 3.1.x or 3.2.0pr1 on your site, or if you use YUI 3.1.x/3.2.0pr1 IO's cross-domain functionality, you are affected.

The cross-domain (XDR) feature of YUI's IO utility uses a Flash transport, io.swf, as a fallback for browsers that lack native cross-domain request support. An error in our implementation of this Flash fallback in YUI 3.1.x and 3.2.0pr1 allows io.swf to operate unsafely whether it is served from the Yahoo! CDN or from your own server. The remedy has two parts:

  • If you have deployed the full YUI 3.1.x/3.2.0pr1 build directory to your server, replace build/io/io.swf in the affected version with the io.swf shipped in YUI 3.1.2. Do this whether or not you use the IO utility or its XDR feature: the old file is unsafe as long as it remains reachable on your server.
  • If you use IO's XDR feature, upgrading to the 3.1.2 version of io.swf addresses the security problem. Host the 3.1.2 io.swf on your own server; this file cannot operate safely from a CDN, and as of 3.1.2 it is no longer included on the CDN. If your crossdomain.xml has been granting access to http://yui.yahooapis.com so that the CDN-hosted io.swf could reach your server, remove that entry.
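The two remediation steps above amount to a check you can script: is there still an io.swf anywhere under the web root, and does crossdomain.xml still admit yui.yahooapis.com? The script below is an added example, not YUI's own tooling and not part of the original post. It assumes the policy file lives at the web root as crossdomain.xml (the location Flash Player consults) and that any io.swf found under that root is a YUI copy to be replaced with the 3.1.2 build/io/io.swf. It also flags a wildcard `domain="*"` grant, because such an entry admits any host's SWF, the CDN-hosted io.swf included, so removing the yahooapis entry alone would not help while it remains.

```shell
#!/bin/sh
# Added example (not YUI's code): audit a web root for a deployed io.swf and for
# a crossdomain.xml that grants yui.yahooapis.com (or everyone) access.
# Assumptions: policy file at $WEBROOT/crossdomain.xml; every io.swf under the
# root is a YUI copy that must be replaced with the 3.1.2 build/io/io.swf.

# List every io.swf under the given root, one path per line.
find_io_swf() {
    find "$1" -type f -name io.swf 2>/dev/null
}

# Return 0 if crossdomain.xml grants yui.yahooapis.com access.
policy_allows_yahooapis() {
    policy="$1/crossdomain.xml"
    [ -f "$policy" ] || return 1
    grep -Eiq "allow-access-from[^>]*domain=[\"'][^\"']*yui[.]yahooapis[.]com[\"']" "$policy"
}

# Return 0 if crossdomain.xml contains a wildcard grant (domain="*").
policy_allows_wildcard() {
    policy="$1/crossdomain.xml"
    [ -f "$policy" ] || return 1
    grep -Eiq "allow-access-from[^>]*domain=[\"']\*[\"']" "$policy"
}

# Print findings; return 1 if anything needs attention, 0 if clean.
audit() {
    root="$1"
    rc=0
    swfs=$(find_io_swf "$root")
    if [ -n "$swfs" ]; then
        printf '%s\n' "$swfs" | sed 's|^|io.swf at |; s|$|: replace with the 3.1.2 build/io/io.swf|'
        rc=1
    fi
    if policy_allows_yahooapis "$root"; then
        echo "$root/crossdomain.xml grants yui.yahooapis.com: remove that allow-access-from entry"
        rc=1
    fi
    if policy_allows_wildcard "$root"; then
        echo "$root/crossdomain.xml has a wildcard grant: this also admits the CDN-hosted io.swf"
        rc=1
    fi
    return $rc
}

# Usage: sh yui_io_audit.sh /var/www/html   (exit status 1 means findings)
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it against each document root you serve YUI from; a non-zero exit status means at least one stale io.swf or policy entry is still in place. The script only locates files by name, so after replacing io.swf it will still list the new copy; it is the policy checks and the absence of pre-3.1.2 files you are confirming.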

More details about this issue can be found in the IO utility documentation.