Patched Adobe Flex vulnerability remains threat to web domains

Known vulnerability CVE-2011-2461, despite being patched, remains a threat to today's websites that host Flash movies compiled with a vulnerable Flex SDK.
Written by Charlie Osborne, Contributing Writer

Researchers have shown that an Adobe Flex SDK compiler vulnerability, despite being patched in 2011, still leaves top websites open to attack.

On Monday, security researcher Mauro Gentile disclosed on Full Disclosure that the security problem persists, four years after Adobe patched the issue. CVE-2011-2461, which affects Adobe Flex SDK 3.x and 4.x, allows remote attackers to inject script or HTML through the way compiled applications load modules. Because the fix was made in the SDK compiler rather than in the Flash Player, an application compiled with a vulnerable SDK remains exploitable until it is recompiled with a fixed SDK or patched. Adobe rated the vulnerability as medium severity.

As long as the .SWF file was compiled using a vulnerable Flex SDK compiler, attackers can still use this vulnerability against the latest and most up-to-date web browsers and Flash plugins, since the flaw lives in the compiled file rather than in the player.

The bug allows attackers to steal data through Same-Origin Request Forgery, or to perform actions on behalf of a user through Cross-Site Request Forgery, simply by luring the user to a malicious page. A vulnerable Flash movie can be forced to issue these requests from the victim's domain and relay the responses back to the attacker. In older versions of Adobe Flex, compiled .SWF files do not properly validate the security domain of the resource modules they load, so an attacker-supplied module runs with the privileges of the hosting site, leading to these forgeries and potentially to cross-site scripting (XSS).

"Since HTTP requests contain cookies and are issued from the victim's domain, HTTP responses may contain private information including anti-CSRF tokens and user's data," Gentile says.

Gentile and colleagues conducted a large-scale analysis of the security problem by "locating SWFs hosted on popular websites and analyzing those files with a custom tool capable of detecting vulnerable code patterns," according to the researcher. Gentile says that numerous websites are vulnerable to CVE-2011-2461, including three Alexa Top 100 domains.
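The analysis described above starts with a triage step: collect .SWF files and look for the code pattern that marks a Flex-compiled movie as a candidate. The script below is an added example, not the researchers' tool. It parses the SWF container (uncompressed FWS or zlib-compressed CWS), inflates the body, and searches it for the Flex strings that a byte-level scan can see. It assumes, as a heuristic, that a Flex application honouring the resourceModuleURLs flashvar carries that string in its constant pool; a file built with a fixed SDK contains the same string plus a same-domain check, so a hit here marks a candidate for deeper inspection rather than a confirmed vulnerable file. The sample SWF bodies are constructed inline for the example.

```python
"""Triage SWF files for the Flex resource-module loading pattern.

Added example, not the researchers' tool. Assumption (heuristic): the
literal string "resourceModuleURLs" in the decompressed body marks a
Flex-compiled SWF that accepts that flashvar. A SWF compiled with a
fixed SDK carries the same string plus a same-domain check that this
byte-level scan cannot see, so a hit is a candidate, not a verdict.
"""
import struct
import sys
import zlib

# Strings that identify the Flex framework's loader and the flashvar.
INDICATORS = (b"mx.core.SystemManager", b"resourceModuleURLs")


def inflate_swf(data: bytes) -> tuple[int, int, bytes]:
    """Return (version, declared_length, body) for an FWS or CWS file.

    SWF header: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed file length (header included), then the tag body.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    length = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF not handled in this example")
    else:
        raise ValueError(f"not a SWF (signature {sig!r})")
    return version, length, body


def scan_swf(data: bytes) -> dict:
    """Inflate one SWF and report which indicator strings it contains."""
    version, length, body = inflate_swf(data)
    found = [s.decode() for s in INDICATORS if s in body]
    return {
        "version": version,
        # Declared length should equal header + uncompressed body.
        "length_ok": len(body) + 8 == length,
        "indicators": found,
        # Heuristic candidate flag (assumption, see module docstring).
        "candidate": b"resourceModuleURLs" in body,
    }


def build_sample(body: bytes, compress: bool = True, version: int = 10) -> bytes:
    """Constructed fixture: wrap an arbitrary body in a valid SWF header."""
    header = (b"CWS" if compress else b"FWS") + bytes([version])
    header += struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compress else body)


# Constructed sample bodies: a RECT/framerate/framecount prefix followed by
# fake constant-pool strings. Not real movies, only header-valid fixtures.
_PREFIX = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"
SAMPLE_FLEX = build_sample(_PREFIX + b"mx.core.SystemManager\x00resourceModuleURLs\x00")
SAMPLE_PLAIN = build_sample(_PREFIX + b"hello\x00", compress=False)


def main(paths: list[str]) -> int:
    """Scan files given on the command line; exit 1 if any is a candidate."""
    hit = 0
    for path in paths:
        with open(path, "rb") as fh:
            try:
                result = scan_swf(fh.read())
            except (ValueError, NotImplementedError, zlib.error) as exc:
                print(f"{path}: skipped ({exc})")
                continue
        status = "CANDIDATE" if result["candidate"] else "clean"
        print(f"{path}: {status} v{result['version']} {result['indicators']}")
        hit |= result["candidate"]
    return int(hit)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python scan_swf.py *.swf` over files fetched from a site. Anything it flags still needs a confirmation step that the researchers' custom tool performs and this scan does not: checking whether the compiled loader actually validates the module's domain before loading it.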

"During the past months, we've done our best to privately disclose this issue to some of the largest websites, but we won't be able to reach a broader audience without publicly releasing the technical details. As suggested by the many vulnerable applications that we've encountered, it is clear that CVE-2011-2461 did not raise the adequate level of attention back in 2011. By explaining the potential impact and releasing a tool capable of identifying vulnerable SWF files, we hope to contribute towards eradicating this issue," Gentile said.

The research was presented at Troopers 2015. Gentile plans to release additional material and real-world case studies involving well-known domains over the next few days.
