Pierluigi Paganini March 24, 2015

Security experts discovered that the Adobe CVE-2011-2461 vulnerability is exploitable by at least four years despite the company has issued a patch.

Four years ago Adobe released a patch for the vulnerability CVE-2011-2461 that was affecting the Adobe Flex SDK 3.x and 4.x. The flaw was a cross-site scripting (XSS) vulnerability that allowed remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

Four years later we find that the patch issued by Adobe did not fix the vulnerability in Flex application, this means that attackers can still exploit the flaw.

The security researchers Luca Carettoni and Mauro Gentile, respectively from LinkedIn and Minded Security, demonstrated that Shockwave Flash files compiled by a vulnerable Flex software developers kit is still exploitable in fully updated Web browsers and Flash plugins.

“As part of an ongoing investigation on Adobe Flash SOP bypass techniques, we identified a vulnerability affecting old releases of the Adobe Flex SDK compiler. Further investigation traced the issue back to a known vulnerability (CVE-2011-2461), already patched by Adobe in apsb11-25.” reported a blog post on NibbleSecurity.

The researchers released partial details about the vulnerability along with the indications to mitigate the risk of exposure to cyber attacks. The experts will release full details about the Adobe vulnerability in the next months, probably after that the company will provide a new patch to fix the problem. The two researchers also plan to release some proof-of-concept exploit to demonstrate the efficiency of their findings.

By exploiting the flaw, the attackers can steal sensitive information through a same origin request forgery and even perform actions on behalf of users running vulnerable versions by performing cross-site forgery requests. In either case, the attackers would have to compel their victims to visit a maliciously crafted Web page.

In a typical attack scenario, the attackers lure victims into visiting a specifically crafted Web page, for example a page hosting vulnerable SWF files leads to an “indirect” Same-Origin-Policy bypass, even if the victim’s browser and plugins are fully patched.

The researchers conducted a large-scale scan to locate SWFs hosted on popular websites and used a custom-developed tool, the Java-based tool dubbed ParrotNG, capable of detecting vulnerable code patterns.

According to Carettoni and Gentile the vulnerability currently affects nearly 30 percent of Alexa’s top 10 most popular websites, their administrators were already informed about the flaw.

In order to mitigate the flaw, the researchers suggest to recompile Flex SDKs along with their static libraries, patching with the official Adobe patch tool and simply deleting them if they are not used.