Old Adobe patch left websites wide open to hacks

Four-year-old patch leaves any Flex app vulnerable

It seems that a four-year-old Adobe patch unwittingly left the door wide open to hackers on apparently three of the world's top ten websites.

Two hackers, Luca Carettoni and Mauro Gentile, discovered that the patch would allow hackers to steal information and take over user accounts on the unnamed websites.

Dangerous maintenance

What was the problem? It seems a patch for CVE-2011-2461, issued in 2011, failed. Though meant to fix vulnerable files, it instead left many files open to exploitation. Even modern browsers would be left vulnerable, so long as the website was using the compromised Flex app.

The fix is simple - download the latest Flex SDK and patch it. Any unneeded SWF files should then be deleted. This means, though, that hundreds of websites needed to be patched, as the researchers found in a large-scale analysis of SWFs on popular websites.

It's a little disturbing that a four-year-old patch would be a danger to current websites and it took outside researchers to detect and confirm it. Hopefully Adobe releases its own warning to its users, especially those reliant on Flex to power their websites.

[Source: The Register]