A four year old Flash patch did not properly resolve a vulnerable Flex application, and attackers can exploit the bug, which is said to affect some 30 percent of Alexa’s top 10 most popular sites in the world, which threatens the integrity of the businesses behind these sites.
According to the researchers who reported the problem, Shockwave Flash files compiled by the vulnerable Flex software development kit remain exploitable in fully updated Web browsers and Flash plugins.
Flex (formerly Adobe Flex, now Apache Flex), is an SDK for the development and deployment of cross-platform rich Internet applications based on the Adobe Flash platform.
It was initially developed by Macromedia and then acquired by Adobe Systems; in 2011 Adobe donated Flex to the Apache Software Foundation in 2011. The last version by Adobe is 4.6.0; the current version is 4.14, released by Apache on January 28th, 2015.
"Indirect" SOP bypass, data stealing and actions forging with a four years old vulnerability: CVE-2011-2461 is back! http://t.co/NzGVkP0IfX
— Luca Carettoni (@lucacarettoni) March 19, 2015
Luca Carettoni is a security researcher with LinkedIn, and he is one of the authors of the research on Flex vulnerability. Along with limited details for it, they have released mitigated information. Full disclosure is to follow.
Old bug’s reminiscences: a 4 y.o. Adobe patch proved incomplete #securityTweet
Adobe states it has released the fix tool for the problem with the Flex application back in 2011.
Nature of the bug
The vulnerability in question is CVE-2011-2461. If properly exploited, the bug could allow an attacker to steal information from affected systems through a same origin request forgery and even perform actions on behalf of users running vulnerable versions by performing cross-site forgery requests. In either case, the attackers would have to compel their victims to visit a maliciously crafted Web page.
In other words, the researchers say, hosting vulnerable SWF files leads to an “indirect” Same-Origin-Policy bypass in fully patched web browsers and plugins.
In practice this means, according to the researchers, that it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker. And since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data. The sort of data attackers are definitely after.
Potential mitigations include recompiling Flex SDKs along with their static libraries, patching with the official Adobe patch tool released back in 2011 and simply deleting them if they are not used.
Not the first time
That’s definitely not the first time when some serious vulnerabilities appear to be underpatched. Earlier this month it’s become clear that a five-year-old patch for a vulnerability CVE-2010-2568 exploited by Stuxnet was incomplete and machines have been exposed since 2010. It is unknown whether there have been public exploits of patched machines, but it doesn’t cancel the risk.
Last year we all witnessed the two-act drama titled “Patch the Shellshock”: the first attempts to fix the dreaded flaw proved to be botched, so eventually there were as many as four CVE entries regarding the same problem.
Incomplete patches are as bad as no patches at all. Or even worse #securityTweet
Mispatching and underpatching is especially dangerous. The initial update draws a lot of attention and once it is out, it is likely that a large number of IT workers will take measures immediately (or at least within some reasonable timeframe). And then think they are safe.
But if the patch appears incomplete and requires patching itself, chances of immediate action get diminished. Not everyone will know about its incompleteness, and those who will, may think, “who knows how many “re-patchings” it will require, let’s wait until there is a final update that is working”. So the systems may remain vulnerable and attackable for a longer timeframe than they should.
And all in all patching is a sort of a game of chance. It is imperative to keep your software up to date and know about all serious vulnerabilities that can threaten your network and software, but it doesn’t guarantee safety on its own. Unless you have a multilayered defense set up that can cope even with yet-unknown threats, your security cannot be called reliable.