The Resurrection of CVE-2011-2461

Security researchers Luca Carettoni and Mauro Gentile recently found during their research that even though Adobe has fixed an old vulnerability found in 2011 (CVE-2011-2461), its side effects still linger around the Internet. Your favorite websites might still be affected by this bug.

They have shared great details in their blog post. Let’s take a quick look at the issue and how the vulnerability impacts both site owner and end users.

What’s the issue?

The vulnerability was in the Adobe Flex SDK, which is used to create Internet applications based on Flash (it is now owned by the Apache Software Foundation). Users who don’t typically read the fine print or the gory details probably thought patching the Flex SDK put an end to the issue. However, that was just part of it. Other departments aside from IT had to act on it as well. Application/website developers also had to review the Flash files they were hosting. Let’s take a closer look at the Adobe advisory:

An important vulnerability has been identified in the Adobe Flex SDK … This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends … update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided as outlined in the tech note linked in the “Solutions” section below.

Adobe clearly recommends that users update their Flex SDK, and check any SWF in their applications that may be vulnerable and fix them too. The issue is that an unpatched Flex SDK would produce Flash files that are vulnerable, and these vulnerable Flash files could be used to launch a Same-Origin Request Forgery attack on another site.

In simpler terms, a user could be forced to visit a malicious site, which would eventually load the vulnerable Flash file from a good site and steal the user’s cookies and data for that good site.

How can an attacker take advantage of this vulnerability?

If an attacker can convince you to click on a link to his malicious site, they can force you to load a vulnerable Flash file from the victim site (the site you trust, but is hosting a vulnerable Flash file) after loading a Flash object from his malicious site. Due to a bad check for origin rule this (vulnerable) Flash allows for cross domain “interaction” with the malicious site.

Carettoni and Gentile noted: “Practically speaking, it is possible to force the affected Flash movies to perform same-origin requests and return the responses back to the attacker. Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.”

How am I affected by this vulnerability?

You can be affected either as a web site owner and an end user. As a website owner, your users can be exploited. Their session cookies and anti-CSRF tokens can be stolen, and as a site owner, you will be liable for the consequences. As an end user, you suffer from the same issues and someone can impersonate you and carry out transactions on your behalf.

Note that the version of Flash Player you are using doesn’t matter. It’s all about the Flash file itself being vulnerable.

What are the recommended actions?

As a website administrator you may opt to scan your web servers for Flash files using the ParrotNG tool. If you do have vulnerable files, you have two options:

  • Recompile your Flash files using a patched version of Adobe Flex.
  • If you don’t wish to recompile these files, use the Adobe-provided tool to patch the vulnerable SWF files.

Adobe’s tool can also be used as an alternative to the ParrotNG one.

There is no action for end users that is specific to this problem. In general, they should use the same techniques used to avoid becoming a victim of malicious sites in general – be careful about what links you click. Be watchful of the links you receive via social media and chat, and consider disabling Flash altogether.

Trend Micro Deep Security and Vulnerability Protection customers are protected by the following rule.

  • 1004866  – Flash Authoring Flex SWF Files XSS

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

The Resurrection of CVE-2011-2461

Read more: The Resurrection of CVE-2011-2461

Story added 31. March 2015, content source with full text you can find at link above.