Flash-Based Vulnerability Lingers On Many Websites, Three Years Later

itwbennett writes: The vulnerability known as CVE-2011-2461 was unusual because fixing it didn't just require the Adobe Flex Software Development Kit (SDK) to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't. Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers. They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.

What's the exploit vector here?

[dgatwood]

None of the pages about this bug—not the article, not the CVE, and not the Adobe explanation—tell what the actual attack vector is. They just say that they're vulnerable to XSS. Does that mean that the Flash code can be used on somebody else's domain? Does it mean that the Flash code can in some way be tricked into loading content from the wrong domain on behalf of page JavaScript? If so, and if Flash code uses only non-hardcoded URLs, does that mitigate the problem?

The thing is, even if you got rid of all the insecure Flash applets out there, a malicious person could still host one somewhere. So depending on the nature of the attack, the only real way to fix it might be for Flash to deliberately break every Flash applet linked against the old SDK. If the attack is dependent upon the flash being hosted from the same domain as the content you're trying to steal (e.g. cookies), then the right way to fix it is for web developers to eradicate Flash from their websites.