This week, two researchers, Mauro Gentile and Luca Carettoni, revealed that an Adobe Flex SDK compiler vulnerability persists despite being patched four years ago. Unless specifically recompiled or patched, websites using Adobe Flex SDK 3.x and 4.x remain vulnerable to attackers who use vectors within module loading to inject script or HTML. According to the full disclosure report, if the SWF file was compiled with a vulnerable Flex SDK compiler, attackers can exploit the vulnerability even against the latest, fully up-to-date browsers and Flash plugins. By stealing data with Same-Origin Request Forgery or performing actions through Cross-Site Request Forgery, attackers can use this bug to access systems and import malicious code.
Gentile wrote in a public advisory: “Since HTTP requests contain cookies and are issued from the victim's domain, HTTP responses may contain private information including anti-CSRF tokens and user's data.”
“The particularity of CVE-2011-2461,” he continued, “is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited.”
In a large-scale analysis of the issue, Gentile and Carettoni examined SWF files hosted on popular websites and, using a custom tool, were able to uncover vulnerable code patterns. According to their report, the CVE-2011-2461 vulnerability is widespread, even among some high-traffic sites.
“During the past months, we've done our best to privately disclose this issue to some of the largest websites, but we won't be able to reach a broader audience without publicly releasing the technical details,” Gentile said of the report's disclosure.
“As suggested by the many vulnerable applications that we've encountered, it is clear that CVE-2011-2461 did not raise the adequate level of attention back in 2011. By explaining the potential impact and releasing a tool capable of identifying vulnerable SWF files, we hope to contribute towards eradicating this issue,” Gentile wrote.
The pair published the ParrotNG tool so that system administrators can detect vulnerable files on affected websites, and say they will reveal detailed exploitation steps in the near future. Adobe, meanwhile, published steps to fix the flaw in its security bulletin. “The most reliable way” to repair a vulnerable application, the bulletin advises, is to upgrade to the patched SDKs and rebuild, though the company also provides the “faster, simpler” solution of installing its SWF-patching tool, APSB11_25_Patch_Tool.air, and running it on the application SWF file.