Flash files that are vulnerable to a serious flaw patched by Adobe Systems over three years ago still exist on many websites, exposing users to potential attacks.
The vulnerability, known as CVE-2011-2461, was found in the Adobe Flex Software Development Kit (SDK) and was fixed by Adobe in November 2011. The development tool, which has since been donated to the Apache Software Foundation, allows users to build cross-platform rich Internet applications in Flash.
The vulnerability was unusual because fixing it didn’t just require Flex SDK to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK.
According to an Adobe tech note at the time, all Web-based Flash applications compiled with Flex 3.x and some built with Flex 4.5 were vulnerable. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn’t.
Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers.
SOP prevents scripting content loaded from one website—or an origin—from affecting the content of another website. For example, a script hosted on website X that’s loaded by website Y in an iframe should not be able to read sensitive content about the other site’s visitors, like their authentication cookies. Neither should website Y be able to obtain information about users of website X by simply loading a resource from it.
Without this mechanism in place, any malicious site could load, for example, Gmail in a hidden iframe and when authenticated Gmail users visit the malicious site, it could steal their Gmail authentication cookies.
According to Carettoni and Gentile, the Flex vulnerability makes such attacks possible. It also allows a malicious website to load a vulnerable SWF file from a target website and then execute unauthorized actions on behalf of that site’s users when they visit the malicious Web page.
They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.
However, judging by the situation found on high-profile websites, a large number of other sites are likely also hosting similarly vulnerable SWF files.
“There are still many more websites that are hosting vulnerable SWF files out there,” the two researchers said in a blog post. “Please help us making the Internet a safer place by reporting vulnerable files to the respective website’s owners.”
The researchers released their SWF test tool, which is called ParrotNG and is written in Java, on GitHub.
If any vulnerable files are found, they should be patched with the Adobe tool released in 2011 or recompiled with newer Apache Flex SDK versions, they said.