Application security researchers have found that a four-year-old Adobe Flash vulnerability (CVE-2011-2461) may not have received a proper patch, which allowed attackers to still exploit the bug almost half a decade later. The bug is likely to affect some 30 percent of the world's top 10 most popular websites.

Application security researchers Luca Carettoni of LinkedIn and Mauro Gentile of Minded Security presented their latest findings online, detailing that Shockwave Flash files compiled by the vulnerable version of the Flex software development kit remain exploitable, even with the latest web browser and Flash plugin updates. The two researchers have already informed the popular websites using the vulnerable four-year-old version of Flash, as well as Adobe itself.

The researchers found through their testing that, if exploited properly, the bug can allow an attacker to steal information from vulnerable systems through a same-origin request forgery. The system can then be exploited to perform actions on the attacker's behalf, again by performing a cross-site request forgery.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board