December 9, 2016

Adobe Fixes Cross-site Scripting Vulnerability in Flex SDK

(LiveHacking.Com) – Adobe has published a security advisory about an “important” vulnerability in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on Windows, OS X and Linux. As a result of this vulnerability, applications built with the Flex SDK could be open to cross-site scripting attacks.

Adobe is recommending that developers using Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using these instructions.

Which applications are vulnerable?

  • All web-based (not AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A, and 3.6) are vulnerable.
  • Web-based (not AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5, and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable, except in certain cases that involve the use of embedded fonts.
  • Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) will not be vulnerable, but there are rare cases in which they may be vulnerable.
  • Flex applications built using any release of Flex prior to 3.0 are not vulnerable.
  • Flex applications that are AIR-based (not web-based) are not vulnerable.
  • SWF files that were created without using Flex (such as files created in Adobe Flash Professional) are not vulnerable.