FYI...Adobe Flex SDK security update available
CVE number: CVE-2011-2461
Platform: Windows, Macintosh and Linux
November 30, 2011 - "... An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems:
All Web-based (-not- AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A and 3.6) may be vulnerable.
Web-based (-not- AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5 and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable.
Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) are not vulnerable; however, there are rare cases in which they may be vulnerable. To determine whether an application is vulnerable, customers should use the SWF patching tool described in the tech note*.
This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided as outlined in the tech note* ..."
Release Date: 2011-12-01
Impact: Cross Site Scripting
Where: From remote
CVE Reference: CVE-2011-2461
Original Advisory: Adobe (APSB11-25):
http://www.adobe.com/support/security/bulletins/apsb11-25.html
http://kb2.adobe.com/cps/915/cpsid_91544.html
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2461
Date: Dec 1 2011
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Adobe Flex application, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix. The vendor recommends that users verify their SWF applications to ensure they are not affected.
The vendor's advisory is available at: http://www.adobe.com/support/security/bulletins/apsb11-25.html