Adobe Flex SDK 4.x & 3.x Cross-Site Scripting Vulnerability

Hey all,

I came across this in the course of my daily duties and thought I’d share it.  Yeah, I know, there’s millions of vulnerabilities found daily, but I don’t post about them even though I should.  Heck, that’d be my full time job if I did.

Anyhow, this affects Adobe Flex SDK 4.x and 3.x versions for Macintosh, Linux and Windows.  It could lead to cross-site scripting in Flex applications.  You’ll need to verify whether any of the SWF files in your applications are vulnerable and update any that are, using the recommended tools and instructions from Adobe.

The vulnerability identifier is APSB11-25 and the CVE number for this is CVE-2011-2461.

Here’s the Security Bulletin from Adobe:

An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems. This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions, and the Adobe Flex SDK 3.6 and earlier 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided as outlined in the tech note linked in the “Solutions” section below.

They do mention that the fix will not have any adverse effects on most applications.  But, in my opinion, test before you deploy fully.

Either way, here’s a PDF of both the fix and the notice as well as the APSB11-25 Patch tool.



APSB11-25 Patch Tool

Happy hunting.


~ by Normanomicon on December 1, 2011.
