Old Adobe Flex SDK bug still threatens users of many high-profile sites

An old vulnerability affecting old releases of the Adobe Flex SDK compiler can be exploited to compromise user data of visitors to many popular sites, including three of most visited ones in the world according to Alexa, two researchers claim.

Luca Carettoni, who works in LinkedIn’s security division, and Mauro Gentile, researcher at Minded Security, pointed out that the bug (CVE-2011-2461) has been patched by Adobe in November 2011.

“The particularity of CVE-2011-2461 is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited. As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin,” they explained in an post.

And, as it turns out, not all admins have recompiled the vulnerable SWF files.

By using ParrotNG, a tool they have created for automating the identifying of these files, they discovered that numerous websites hosted some and are vulnerable to CVE-2011-2461.

“This vulnerability allows attackers to steal victims’ data (via Same-Origin Request Forgery), or perform actions on behalf of the victim (via Cross-Site Request Forgery), by asking them to visit a malicious web page. Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker. Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data,” they noted.

“Summarizing, hosting vulnerable SWF files leads to an ‘indirect’ Same-Origin-Policy bypass in fully patched web browsers and plugins.”

While they have made available the ParrotNG tool and a PDF with their research to the wider public, they shared PoC exploit code only directly with the security teams of high-profile sites.

They have also set a full disclosure date (but haven’t said what date it is), and in the meantime they are urging ethical-inded hackers to search for websites hosting vulnerable SWF files and warn their owners of the danger.

System administrators can then either delete the vulnerable files if they are not used, recompile them with the latest Apache Flex SDK, or patch them (the process has been detailed by Adobe).

Don't miss