Adobe updates open source Flex for XSS security issue

From the ‘Busy Times For Adobe Security‘ files:

Another day, another Adobe security update.

US-CERT warned this morning that there is a security flaw in Adobe’s Flex 3.3 SDK and earlier versions.

“This vulnerability may allow an attacker to conduct a cross-site scripting attack,” US-CERT warned.

Adobe has a fix available now in the Flex 3.4 SDK, which also includes the latest version of the Flash Player. Adobe updated Flash at the end of July for a critical security issue.

The actual flaw fixed by Adobe is a Cross-Site Scripting (XSS) attack within something known as the Flex SDK express-install templates. Adobe credited Adam Bixby of Gotham Digital Science with discovering and reporting the flaw.

“An instance of a DOM-based Cross Site Scripting (XSS) vulnerability was
found in the default index.template.html file of the SDK which is a
template used by FlexBuilder to generate the wrapper html for all
application files in your project,” Bixby wrote in his advisory. “The XSS vulnerability appears to
affect all user’s that download and utilize this html wrapper.”

Flex is Adobe’s open source framework for building RIA web applications. The flaw does not affect Adobe’s under-development Flex 4 SDK which is still in beta.

“This fix does not apply to Flex 4 projects, as they use the SWFObject templates by default,” Adobe wrote in its advisory.

News Around the Web