Flash files that are vulnerable to a serious flaw patched by Adobe Systems over three years ago still exist on many websites, exposing users to potential attacks.
A vulnerability, known as CVE-2011-2461, was found in the Adobe Flex Software Development Kit (SDK) and was fixed by Adobe in November 2011. The development tool, which has since been donated to the Apache Software Foundation, allows users to build cross-platform rich internet applications in Flash.
According to researchers, the vulnerability allows a malicious website to load a vulnerable SWF file from a target website, and then execute unauthorised actions on behalf of that site’s users when they visit the malicious web page.
If any vulnerable files are found, they should be patched with the Adobe tool released in 2011 or recompiled with newer Apache Flex SDK versions, they said.