UPDATE: This article has been updated to add commentary and clarification from Adobe.
A four year old Adobe Flash patch did not properly resolve a vulnerable Flex application, and attackers can exploit the bug, which is said to affect some 30 percent of Alexa’s top 10 most popular sites in the world.
LinkedIn security researcher Luca Carettoni and Mauro Gentile, a security consultant at Minded Security, presented their findings showing that Shockwave Flash files compiled by the vulnerable Flex software developers kit remain exploitable in fully updated Web browsers and Flash plugins.
"Indirect" SOP bypass, data stealing and actions forging with a four years old vulnerability: CVE-2011-2461 is back! http://t.co/NzGVkP0IfX
— Luca Carettoni (@lucacarettoni) March 19, 2015
An Adobe spokesperson told Threatpost that the company has been aware of the Flex application problem and released a tool fixing the problem in 2011.
The researchers released partial details for the vulnerability along with mitigation information. They plan to release the full details of the bug and some proof-of-concept exploit in the near future, once they are confident there is a better understanding of the bug within the general public. Carettoni and Gentile have already informed the maintainers of popular websites affected by the vulnerability, and Adobe.
If properly exploited, the bug could allow an attacker to steal information from affected systems through a same origin request forgery and even perform actions on behalf of users running vulnerable versions by performing cross-site forgery requests. In either case, the attackers would have to compel their victims to visit a maliciously crafted Web page.
In other words, the researchers say, hosting vulnerable SWF files leads to an “indirect” Same-Origin-Policy bypass in fully patched web browsers and plugins.
“Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker,” the pair of researchers said in a blog post. “Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.”
Potential mitigations include recompiling Flex SDKs along with their static libraries, patching with the official Adobe patch tool released back in 2011 and simply deleting them if they are not used.
You can find Carettoni and Gentile‘s analysis on their respective sites, though these are reposts, so both reports contain the same content. Their slide’s are embedded below: