Patch on app development kit did not fix vulnerable software.
A four-year-old Adobe Flex bug has seemingly returned from the dead despite being patched by the company in November 2011, according to security researchers.
The flaw allegedly puts Adobe Flash users at risk of having their data stolen or their systems attacked if they are using a vulnerable app, since hackers can redirect victims to a malicious webpage.
This is said to work if an application was compiled using an older, vulnerable version of the Flex software development kit (SDK), which is used for building web apps and was donated to the Apache Software Foundation shortly after Adobe patched this problem.
Mauro Gentile and Luca Carettoni, both security researchers, wrote on a blog: "The particularity of [this bug] CVE-2011-2461 is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited.
"As long as the [Flash] file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin."
In effect, the attack amounts to a bypass of the same-origin policy, which is supposed to protect users by preventing content loaded from one origin from accessing data that belongs to a different origin.
"Practically speaking, it is possible to force the affected Flash movies to perform same-origin requests and return the responses back to the attacker," the researchers said.
"Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF (cross site request forgery) tokens and user’s data."