Adobe has patched a security flaw in its Flex SDK that could lead to cross-site scripting attacks against some applications built with the SDK. The vulnerability affects version 3.6 and earlier 3.x releases, and version 4.5.1 and earlier 4.x releases.
The Flex SDK is a free, open-source application framework that Adobe produces to enable developers to write apps across a variety of devices and platforms. Flex can be used with other tools to build apps for iOS, Android, BlackBerry and the Web. The newly patched vulnerability affects the Flex SDK for Windows, Macintosh and Linux.
“An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems. This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions, and the Adobe Flex SDK 3.6 and earlier 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided,” the Adobe advisory says.
Adobe is recommending that Flex users update their vulnerable versions of the framework as soon as possible and then go through the process of determining whether any apps built with those Flex releases are vulnerable. The company has produced a technical note that explains how to check whether apps built with Flex include vulnerable SWF files. Once a user has determined that an app is vulnerable, she has two options: repair the app or patch Flex and then rebuild the app.
Adobe’s tech note explains how to perform both actions, if necessary.