Flash-Based Vulnerability Lingers On Many Websites, Three Years Later 42
itwbennett writes: The vulnerability known as CVE-2011-2461 was unusual because fixing it didn't just require the Adobe Flex Software Development Kit (SDK) to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't. Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers. They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.
Re: (Score:2)
Agreed. Flash really should apply the patch, and if it fails, it should refuse to load the Applet.
Re: (Score:2)
Re: (Score:2)
If the browser is downloading the Flash files, why doesn't it apply the patch/fix prior to the Flash plugin executing them?
And why a browser should cope with 3rd party crap like Flash?
Re: (Score:1)
Re: (Score:2)
--
Whatever doesn't kill you, makes you stronger.
What's the exploit vector here? (Score:5, Interesting)
None of the pages about this bug—not the article, not the CVE, and not the Adobe explanation—tell what the actual attack vector is. They just say that they're vulnerable to XSS. Does that mean that the Flash code can be used on somebody else's domain? Does it mean that the Flash code can in some way be tricked into loading content from the wrong domain on behalf of page JavaScript? If so, and if Flash code uses only non-hardcoded URLs, does that mitigate the problem?
The thing is, even if you got rid of all the insecure Flash applets out there, a malicious person could still host one somewhere. So depending on the nature of the attack, the only real way to fix it might be for Flash to deliberately break every Flash applet linked against the old SDK. If the attack is dependent upon the flash being hosted from the same domain as the content you're trying to steal (e.g. cookies), then the right way to fix it is for web developers to eradicate Flash from their websites.
Re: (Score:2)
I hereby propose to rename it "Software As a Disservice", or "SAD".
Re: (Score:2)
Mod parent up.
Re: (Score:1)
I found the patch tool here: http://kb2.adobe.com/cps/915/c... [adobe.com]
Is this vulnerability really corrected? (Score:3)
If a malevolent SWF file could be copied and hosted elsewhere, how could Adobe reasonably claim to have corrected the vulnerability at all?
Re: (Score:2)
could be copied and hosted elsewhere, how could Adobe reasonably claim to have corrected the vulnerability at all?
Think of it the same as if GCC had a bug that caused it to generate machine language code containing a vulnerability, when you were compiling a project. The bug was fixed, but all binaries previously compiled are vulnerable until rebuilt using a version of the compiler after the bugfix was made.
The vulnerability is a same-origin policy violation affecting only the site that hosts the SWF fi
Re: (Score:1)
Do as we say... (Score:4, Insightful)
They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites.
Talk about not dogfooding.
So? (Score:2)
Client Server technology has always had a problem where the client must trust the server. Adobe could have done better with Flash, but compromised security for flexibility. Exactly what every Bank I know of has done, and insurance company, and government agency, and department store, etc.. etc... etc...
If you are worried, don't download content you don't trust. It's not an absolute fix, because malicious files could still be uploaded to Facebook and Youtube. That said, I doubt your world will end when y
disable flash! (Score:4, Insightful)
there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.
if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.
Re: (Score:2, Troll)
those that haven't switched to html5 yet will do so soon enough.
What about IE6 users, you insensitive clod
Re: (Score:2)
On Win8, Chrome and IE have Flash built-in. Flash updates have become an issue only on Firefox, and even there you can make Flash "ask to activate," and Mozilla central blocks outdated versions. On Win7 you still have to update Flash for IE as well as Firefox.
I guess everyone using a browser knows this, but hasn't deemed it worthwhile to respond to these comments apparently from some archived library of ranting. Or you're on Linux or Apple! I don't know how it works there.
Re: (Score:2)
More accurately, disable the Java plugin if you have Java installed for other purposes.
Re: (Score:1)
The fix is simple. Remove Flash from your system.
kill it (Score:3)
when can we go from slowly transitioning from flash to html5, to actively and aggressively killing flash as a policy initiative coordinated among major websites?
i think a cost/ benefit analysis presentation to the right corner office could get this ball rolling
Re: (Score:2)
When can we go back to text-based browsing and work on aggressively killing this Javascript and graphic Images stuff?
Re: (Score:2)
i think we should roll up paper and put them in tubes and send them around via pipes
Bah ... (Score:2)
Flash has been in a perpetual state of vulnerable for, what, almost years now?
Every 2-3 months for that entire time, Flash has had yet another security hole in it.
So, I'll continue to leave it disabled in my browsers. About 3 time per year I cave and fire up an IE which has it enabled because someone in HR still insists on something I must use it for.
But, seriously, Flash should be killed off. It's terrible. It's always been terrible. And it's not showing any signs of not being terrible.
It serves ads, a