Jump to content
Aerosol

Adobe CVE-2011-2461 Remains Exploitable Four Years After Patch

Recommended Posts

flash_zero_day-680x400.jpg

A four year old Adobe Flash patch did not properly resolve a vulnerable Flex application, and attackers can exploit the bug, which is said to affect some 30 percent of Alexa’s top 10 most popular sites in the world.

LinkedIn security researcher Luca Carettoni and Mauro Gentile, a security consultant at Minded Security, presented their findings showing that Shockwave Flash files compiled by the vulnerable Flex software developers kit remain exploitable in fully updated Web browsers and Flash plugins.

The researchers released partial details for the vulnerability along with mitigation information. They plan to release the full details of the bug and some proof-of-concept exploit in the near future, once they are confident there is a better understanding of the bug within the general public. Carettoni and Gentile have already informed the maintainers of popular websites affected by the vulnerability, and Adobe.

If properly exploited, the bug could allow an attacker to steal information from affected systems through a same origin request forgery and even perform actions on behalf of users running vulnerable versions by performing cross-site forgery requests. In either case, the attackers would have to compel their victims to visit a maliciously crafted Web page.

Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker

In other words, the researchers say, hosting vulnerable SWF files leads to an “indirect” Same-Origin-Policy bypass in fully patched web browsers and plugins.

“Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker,” the pair of researchers said in a blog post. “Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.”

Potential mitigations include recompiling Flex SDKs along with their static libraries, patching with the official Adobe patch tool and simply deleting them if they are not used.

You can find Carettoni and Gentile‘s analysis on their respective sites, though these are reposts, so both reports contain the same content. Their slide’s are embedded below:

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...