Menu
Flash-based vulnerability lingers on many websites three years later

Flash-based vulnerability lingers on many websites three years later

A large number of developers have failed to patch their Flash applications against a vulnerability that can be exploited to target Web users

Flash files that are vulnerable to a serious flaw patched by Adobe Systems over three years ago still exist on many websites, exposing users to potential attacks.

The vulnerability, known as CVE-2011-2461, was found in the Adobe Flex Software Development Kit (SDK) and was fixed by Adobe in November 2011. The development tool, which has since been donated to the Apache Software Foundation, allows users to build cross-platform rich Internet applications in Flash.

The vulnerability was unusual because fixing it didn't just require Flex SDK to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK.

According to an Adobe tech note at the time, all Web-based Flash applications compiled with Flex 3.x and some built with Flex 4.5 were vulnerable. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't.

Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers.

SOP prevents scripting content loaded from one website -- or an origin -- from affecting the content of another website. For example, a script hosted on website X that's loaded by website Y in an iframe should not be able to read sensitive content about the other site's visitors, like their authentication cookies. Neither should website Y be able to obtain information about users of website X by simply loading a resource from it.

Without this mechanism in place, any malicious site could load, for example, Gmail in a hidden iframe and when authenticated Gmail users visit the malicious site, it could steal their Gmail authentication cookies.

According to Carettoni and Gentile, the Flex vulnerability makes such attacks possible. It also allows a malicious website to load a vulnerable SWF file from a target website and then execute unauthorized actions on behalf of that site's users when they visit the malicious Web page.

They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.

However, judging by the situation found on high-profile websites, a large number of other sites are likely also hosting similarly vulnerable SWF files.

"There are still many more websites that are hosting vulnerable SWF files out there," the two researchers said in a blog post. "Please help us making the Internet a safer place by reporting vulnerable files to the respective website's owners."

The researchers released their SWF test tool, which is called ParrotNG and is written in Java, on GitHub.

If any vulnerable files are found, they should be patched with the Adobe tool released in 2011 or recompiled with newer Apache Flex SDK versions, they said.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags LinkedInonline safetyAdobe SystemsAccess control and authenticationExploits / vulnerabilitiesMinded Security

Featured

Slideshows

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA

Reseller News has honoured the leading female front runners of the New Zealand ICT industry at the 2019 Women in ICT Awards (WIICTA) in Auckland. The awards recognised standout individuals across six categories, spanning Entrepreneur, Rising Star, Shining Star, Community, Technical and Achievement. Photos by Gino Demeer.

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA
Reseller News kicks off awards season in 2019 with Judges' Lunch

Reseller News kicks off awards season in 2019 with Judges' Lunch

The 2019 Reseller News Innovation Awards has kicked off with the Judges Lunch in Auckland with 70 judges in the voting panel. The awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors. Photos by Christine Wong.

Reseller News kicks off awards season in 2019 with Judges' Lunch
Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomed 2018 inductees - Chris Simpson, Kendra Ross and Phill Patton - to the third running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing landscape of the technology industry in New Zealand, while outlining ways to attract a new breed of players to the ecosystem. Photos by Gino Demeer.

Reseller News welcomes industry figures for 2019 Hall of Fame lunch
Show Comments