Adobe CVE-2011-2461 flaw is exploitable by 4 years although it was fixed

Security experts discovered that the Adobe CVE-2011-2461 vulnerability is exploitable by at least four years despite the company has issued a patch.

Four years ago Adobe released a patch for the vulnerability CVE-2011-2461 that was affecting the Adobe Flex SDK 3.x and 4.x. The flaw was a cross-site scripting (XSS) vulnerability that allowed remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

Four years later we find that the patch issued by Adobe did not fix the vulnerability in Flex application, this means that attackers can still exploit the flaw.

The security researchers Luca Carettoni and Mauro Gentile, respectively from LinkedIn and Minded Security, demonstrated that Shockwave Flash files compiled by a vulnerable Flex software developers kit is still exploitable in fully updated Web browsers and Flash plugins.

“As part of an ongoing investigation on Adobe Flash SOP bypass techniques, we identified a vulnerability affecting old releases of the Adobe Flex SDK compiler. Further investigation traced the issue back to a known vulnerability (CVE-2011-2461), already patched by Adobe in apsb11-25.” reported a blog post on NibbleSecurity.

The researchers released partial details about the vulnerability along with the indications to mitigate the risk of exposure to cyber attacks. The experts will release full details about the Adobe vulnerability in the next months, probably after that the company will provide a new patch to fix the problem. The two researchers also plan to release some proof-of-concept exploit to demonstrate the efficiency of their findings.

By exploiting the flaw, the attackers can steal sensitive information through a same origin request forgery and even perform actions on behalf of users running vulnerable versions by performing cross-site forgery requests. In either case, the attackers would have to compel their victims to visit a maliciously crafted Web page.

In a typical attack scenario, the attackers lure victims into visiting a specifically crafted Web page, for example a page hosting vulnerable SWF files leads to an “indirect” Same-Origin-Policy bypass, even if the victim’s browser and plugins are fully patched.

“Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker,” the experts explained. “Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.”

The researchers conducted a large-scale scan to locate SWFs hosted on popular websites and used a custom-developed tool, the Java-based tool dubbed ParrotNG, capable of detecting vulnerable code patterns.

According to Carettoni and Gentile the vulnerability currently affects nearly 30 percent of Alexa’s top 10 most popular websites, their administrators were already informed about the flaw.

In order to mitigate the flaw, the researchers suggest to recompile Flex SDKs along with their static libraries, patching with the official Adobe patch tool and simply deleting them if they are not used.

The two researchers have shared the results of their research on their websites, NibbleSecurity [Carettoni] and MINDED SECURITY BLOG [Gentile].

Pierluigi Paganini

(Security Affairs –  Adobe Flex, CVE-2011-2461)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

SK Telecom revealed that malware breach began in 2022

South Korean mobile network operator SK Telecom revealed that the security breach disclosed in April…

1 hour ago

4G Calling (VoLTE) flaw allowed to locate any O2 customer with a phone call

A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due…

12 hours ago

China-linked UnsolicitedBooker APT used new backdoor MarsSnake in recent attacks

China-linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia.…

18 hours ago

UK’s Legal Aid Agency discloses a data breach following April cyber attack

The UK’s Legal Aid Agency suffered a cyberattack in April and has now confirmed that…

21 hours ago

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Cybersecurity Observatory of the Unipegaso's malware lab published a detailed analysis of the Sarcoma ransomware.…

23 hours ago

Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025

Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…

1 day ago