View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Four-year-old Flash bug returns from the dead

Patch on app development kit did not fix vulnerable software.

By Jimmy Nicholls

A four-year-old Adobe Flex bug has seemingly returned from the dead despite being patched by the company in November 2011, according to security researchers.

The flaw allegedly puts Adobe Flash users at risk of having their data stolen or their systems attacked if they are using a vulnerable app, since hackers can redirect victims to a malicious webpage.

This is said to work if an application was compiled using a older, vulnerable version of the Flex source development kit (SDK), which is used for buildings web apps and was donated to the Apache Software Foundation shortly after Adobe patched this problem.

Mauro Gentile and Luca Carettoni, both security researchers, wrote on a blog: "The particularity of [this bug] CVE-2011-2461 is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited.

"As long as the [Flash] file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin."

In effect the attack amounts to a bypass of the same-origin policy, which is supposed to prevent apps from accessing scripts from webpages with different origins in order to protect users.

"Practically speaking, it is possible to force the affected Flash movies to perform same-origin requests and return the responses back to the attacker," the researchers said.

Content from our partners
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business
When it comes to AI, remember not every problem is a nail

"Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF (cross site request forgery) tokens and user’s data."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.