Menu
Flash-based vulnerability lingers on many websites three years later

Flash-based vulnerability lingers on many websites three years later

A large number of developers have failed to patch their Flash applications against a vulnerability that can be exploited to target Web users

Flash files that are vulnerable to a serious flaw patched by Adobe Systems over three years ago still exist on many websites, exposing users to potential attacks.

The vulnerability, known as CVE-2011-2461, was found in the Adobe Flex Software Development Kit (SDK) and was fixed by Adobe in November 2011. The development tool, which has since been donated to the Apache Software Foundation, allows users to build cross-platform rich Internet applications in Flash.

The vulnerability was unusual because fixing it didn't just require Flex SDK to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK.

According to an Adobe tech note at the time, all Web-based Flash applications compiled with Flex 3.x and some built with Flex 4.5 were vulnerable. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't.

Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers.

SOP prevents scripting content loaded from one website -- or an origin -- from affecting the content of another website. For example, a script hosted on website X that's loaded by website Y in an iframe should not be able to read sensitive content about the other site's visitors, like their authentication cookies. Neither should website Y be able to obtain information about users of website X by simply loading a resource from it.

Without this mechanism in place, any malicious site could load, for example, Gmail in a hidden iframe and when authenticated Gmail users visit the malicious site, it could steal their Gmail authentication cookies.

According to Carettoni and Gentile, the Flex vulnerability makes such attacks possible. It also allows a malicious website to load a vulnerable SWF file from a target website and then execute unauthorized actions on behalf of that site's users when they visit the malicious Web page.

They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.

However, judging by the situation found on high-profile websites, a large number of other sites are likely also hosting similarly vulnerable SWF files.

"There are still many more websites that are hosting vulnerable SWF files out there," the two researchers said in a blog post. "Please help us making the Internet a safer place by reporting vulnerable files to the respective website's owners."

The researchers released their SWF test tool, which is called ParrotNG and is written in Java, on GitHub.

If any vulnerable files are found, they should be patched with the Adobe tool released in 2011 or recompiled with newer Apache Flex SDK versions, they said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags online safetysecurityAdobe SystemsLinkedInAccess control and authenticationExploits / vulnerabilitiesMinded Security

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments