Adobe today patched a vulnerability in the Adobe Analytics AppMeasurement for Flash library, which can be added to Flash projects to measure the usage of Flash-based content.
The vulnerability is a DOM-based cross-site scripting flaw that can be abused for cookie theft, said researcher Randy Westergren Jr., who privately disclosed the issue to Adobe.
Unlike traditional cross-site scripting exploits, where a payload is dropped onto a page in response to an HTTP(S) request, DOM-based XSS attacks modify the DOM environment in the browser used by client-side script, and malicious code affects the execution of client-side code contained on a site, according to OWASP.
Westergren said the vulnerability could be exploited to execute malicious JavaScript on affected sites.
“Typically, an attacker would trick a user into clicking on a specially crafted link in order to execute their payload—the risks being theft of cookies or the attacker making other malicious changes to the site,” Westergren said. “After cookies are stolen, an attacker could assume the session of the authenticated victim on the target site, allowing him to perform any actions as that user.”
Westergren said he has reported similar issues in Flash-to-JavaScript communication to a number of vendors, all of which he said he expects will be patched by the end of the month.
Adobe said in its advisory that the vulnerability can be abused in Flash only when debugTracking is enabled; debugTracking is disabled in default configurations, Adobe said. It recommends that developers rebuild their projects with the updated library (4.0.1), which is available in the Analytics Console.
Adobe said that versions 4.0 and earlier are affected by the vulnerability, CVE-2016-1036.
Today’s patch comes two weeks after an emergency Flash Player update on April 7. Adobe rushed a fix for a zero-day vulnerability being exploited in the Nuclear and Magnitude exploit kits to distribute either Locky or Cerber ransomware.
The zero day affected all versions of Flash Player on Windows 10 and earlier. The Flash update also patched two dozen other vulnerabilities. Most of the flaws were memory corruption bugs, alongside use-after-free, type-confusion and stack overflow vulnerabilities, in addition to a security bypass vulnerability.