A four-year-old Adobe Flash vulnerability (CVE-2011-2461) may not have received a proper patch, allowing attackers to still exploit the bug almost half a decade later; it is said to affect some 30 percent of the world's top 10 most popular websites.
Application security researchers Luca Carettoni of LinkedIn and Mauro Gentile of MindedSecurity presented their latest findings online, detailing that Shockwave Flash files compiled with the vulnerable version of the Flex software development kit remain exploitable, even with the latest web browser and Flash plugin updates.
Carettoni and Gentile have released minimal details regarding the Flash vulnerability; what they have published is a mitigation guide, a step-by-step guide webmasters can follow to ensure their site is not vulnerable. Both researchers plan to release full details of their findings, alongside a proof-of-concept exploit, in the near future, once they believe the bug is better understood by the public.
The two researchers have already informed the popular websites using the vulnerable four-year-old version of Flash, including Adobe itself.
Through their testing, the researchers found that, if exploited properly, the bug can allow an attacker to steal information from vulnerable systems through same-origin request forgery. The system can then be abused to perform actions on behalf of the attacker, again via cross-site request forgery.
To trigger the vulnerability, attackers must trick victims into visiting a maliciously crafted webpage, from which the four-year-old Flash vulnerability can then be exploited.
The researchers have said that hosting a vulnerable .SWF file could lead to an “indirect” same-origin-policy bypass even in fully patched browsers and plugins.
“Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker,” the two security researchers said in a blog post disclosing their findings. “Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.”
The mitigation guide lists three options for affected .SWF files: recompiling them with the latest Apache Flex SDK along with their static libraries, patching them with the official Adobe patch tool, or deleting them if they are not being used.
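Before choosing one of those options, a webmaster first needs an inventory of which hosted .SWF files were produced by a Flex SDK at all, and by which version. The following is an added example, not the researchers' mitigation guide or any tool of theirs: it reads a SWF's ProductInfo tag (tag code 41, which Flex-compiled movies carry) and triages the file. The `FIXED_SDK` threshold is a placeholder to be filled in from Adobe's advisory, the status labels and `build_sample_swf` are assumptions of this example, and ZWS (LZMA) movies are not handled.

```python
import struct
import zlib
# Placeholder: set to the first fixed Flex SDK (major, minor) from Adobe's advisory for CVE-2011-2461.
FIXED_SDK = (9, 9)

def swf_body(data):
    """Decompressed bytes after the 8-byte SWF header (FWS plain, CWS zlib; ZWS not handled)."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS movie")

def iter_tags(body):
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4       # byte-aligned RECT, then FrameRate + FrameCount
    while pos + 2 <= len(body):
        (head,) = struct.unpack_from("<H", body, pos)   # RECORDHEADER: 10-bit code, 6-bit length
        pos += 2
        code, length = head >> 6, head & 0x3F
        if length == 0x3F:                             # long form: UI32 length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                                  # End tag
            return

def flex_sdk_version(data):
    """ProductID, (major, minor) and build from the ProductInfo tag, or None if the movie has none."""
    for code, payload in iter_tags(swf_body(data)):
        if code == 41 and len(payload) >= 26:
            pid, _edition, major, minor, lo, hi = struct.unpack_from("<IIBBII", payload)
            return {"product_id": pid, "version": (major, minor), "build": (hi << 32) | lo}
    return None

def classify(data, fixed=FIXED_SDK):
    """NOT_FLEX (no ProductInfo), OLD_SDK (recompile, patch or delete), FIXED_SDK (built with the fix)."""
    info = flex_sdk_version(data)
    return "NOT_FLEX" if info is None else ("OLD_SDK" if info["version"] < fixed else "FIXED_SDK")

def build_sample_swf(major=None, minor=None, compressed=True):
    """Constructed test movie: nbits=0 RECT, 12 fps, 1 frame, optional ProductInfo (ProductID 3), End tag."""
    body = bytes([0]) + struct.pack("<HH", 0x0C00, 1)
    if major is not None:
        info = struct.pack("<IIBBIIQ", 3, 0, major, minor, 1234, 0, 0)
        body += struct.pack("<H", (41 << 6) | len(info)) + info
    body += struct.pack("<H", 0)
    sig, payload = (b"CWS", zlib.compress(body)) if compressed else (b"FWS", body)
    return sig + bytes([10]) + struct.pack("<I", 8 + len(body)) + payload
```

A movie patched in place with the Adobe tool may still carry its original ProductInfo, so OLD_SDK means "review this file", not "confirmed vulnerable".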
Carettoni and Gentile published their findings on both of their blogs, detailing the issue in the 43 slides found below:
Adobe has not yet commented on the state of the four-year-old Flash vulnerability but will likely push a patch to address the blunder.