Adobe Flex Vulnerability That Was Patched In 2011 Still Threatens Websites

Whenever a software flaw is discovered and then patched, it's not often that we'll ever hear about it again (the exceptions are those that do big damage). It's even rarer to hear about a "medium" bug again four years later. Such is the case with a vulnerability affecting Adobe Flash (don't act surprised!).

To be more specific, CVE-2011-2461 is tied to Adobe's Flex SDK, which developers can use to compile their Flash projects into .SWF files. SWF files compiled with older versions of Flex (3.x and 4.x) allow the injection of script or HTML through the module loading mechanism.


If someone visits a website with an affected SWF file, requests can be issued that get around security checks because, well, there are none. The SWF is supposed to validate the security domains of modules, but doesn't. If the same project is compiled using Adobe Flex 4.6 (or Apache Flex, which has replaced Adobe Flex), the vulnerability will no longer exist in the SWF file.
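Since the fix is a recompile, the practical first step for a site owner is finding out which hosted SWF files came from an old SDK. The following is an added example, not code from the article or from the researcher: a triage sketch that reads the SDK version a Flex compiler records in the SWF. It assumes that version sits in the ProductInfo tag (code 41) with the field layout noted in the comment; `triage` and `sample_swf` are hypothetical names, and the sample files are constructed. A version below 4.6 only marks a file for recompiling or closer inspection.

```python
import struct
import zlib

PRODUCT_INFO = 41   # assumed layout: u32 product, u32 edition, u8 major, u8 minor, ...
FIXED = (4, 6)      # release the article names as no longer affected

def swf_body(data):
    """Return the bytes after the 8-byte SWF header, inflating CWS files."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported SWF signature: %r" % data[:3])

def flex_sdk_version(data):
    """Return (major, minor) from the ProductInfo tag, or None if absent."""
    body = swf_body(data)
    if not body:
        return None
    nbits = body[0] >> 3                    # width of each RECT field
    pos = (5 + 4 * nbits + 7) // 8 + 4      # skip RECT, frame rate, frame count
    while pos + 2 <= len(body):
        header, = struct.unpack_from("<H", body, pos)
        code, length, pos = header >> 6, header & 0x3F, pos + 2
        if length == 0x3F:                  # long form: real length follows
            if pos + 4 > len(body):
                break
            length, = struct.unpack_from("<I", body, pos)
            pos += 4
        if code == PRODUCT_INFO and length >= 10 and pos + 10 <= len(body):
            _, _, major, minor = struct.unpack_from("<IIBB", body, pos)
            return major, minor
        if code == 0:                       # End tag
            break
        pos += length
    return None

def triage(data):
    """Classify one SWF: 'recompile', 'ok' or 'unknown' (no version tag)."""
    version = flex_sdk_version(data)
    if version is None:
        return "unknown"
    return "recompile" if version < FIXED else "ok"

def sample_swf(major, minor, compress=False):
    """Constructed input: empty RECT, 24 fps, 1 frame, ProductInfo, End."""
    info = struct.pack("<IIBBIIQ", 3, 0, major, minor, 0, 0, 0)
    body = (b"\x00\x00\x18\x01\x00"
            + struct.pack("<H", PRODUCT_INFO << 6 | len(info)) + info + b"\x00\x00")
    size = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS\x0a" + size + zlib.compress(body)
    return b"FWS\x0a" + size + body
```

Files that come back as "unknown" carry no version tag and need to be checked by other means.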

Despite this bug having been published in 2011, it's still out there in the wild. In his research, Mauro Gentile noted that 3 of the top 100 websites in the world (according to Alexa) include SWF files that have the flaw, although he doesn't mention which ones those are. However, he does say that in the days to come, more details will be released.

Until then, I'll just continue to give an evil eye to Adobe Flash. From a security standpoint, I am not quite sure which is worse: Flash or Java. That'd make for an exciting celebrity death match.