Menu
Flash-based vulnerability lingers on many websites three years later

Flash-based vulnerability lingers on many websites three years later

A large number of developers have failed to patch their Flash applications against a vulnerability that can be exploited to target Web users

Flash files that are vulnerable to a serious flaw patched by Adobe Systems over three years ago still exist on many websites, exposing users to potential attacks.

The vulnerability, known as CVE-2011-2461, was found in the Adobe Flex Software Development Kit (SDK) and was fixed by Adobe in November 2011. The development tool, which has since been donated to the Apache Software Foundation, allows users to build cross-platform rich Internet applications in Flash.

The vulnerability was unusual because fixing it didn't just require Flex SDK to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK.

According to an Adobe tech note at the time, all Web-based Flash applications compiled with Flex 3.x and some built with Flex 4.5 were vulnerable. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't.

Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers.

SOP prevents scripting content loaded from one website -- or an origin -- from affecting the content of another website. For example, a script hosted on website X that's loaded by website Y in an iframe should not be able to read sensitive content about the other site's visitors, like their authentication cookies. Neither should website Y be able to obtain information about users of website X by simply loading a resource from it.

Without this mechanism in place, any malicious site could load, for example, Gmail in a hidden iframe and when authenticated Gmail users visit the malicious site, it could steal their Gmail authentication cookies.

According to Carettoni and Gentile, the Flex vulnerability makes such attacks possible. It also allows a malicious website to load a vulnerable SWF file from a target website and then execute unauthorized actions on behalf of that site's users when they visit the malicious Web page.

They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.

However, judging by the situation found on high-profile websites, a large number of other sites are likely also hosting similarly vulnerable SWF files.

"There are still many more websites that are hosting vulnerable SWF files out there," the two researchers said in a blog post. "Please help us making the Internet a safer place by reporting vulnerable files to the respective website's owners."

The researchers released their SWF test tool, which is called ParrotNG and is written in Java, on GitHub.

If any vulnerable files are found, they should be patched with the Adobe tool released in 2011 or recompiled with newer Apache Flex SDK versions, they said.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityLinkedInonline safetyAdobe SystemsAccess control and authenticationExploits / vulnerabilitiesMinded Security

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments