Adobe Patches Flaw in Flash Library

Monday, April 25, 2016 @ 02:04 PM gHale


Adobe patched its Analytics AppMeasurement for Flash library to address a DOM-based cross-site scripting (XSS) vulnerability.

The AppMeasurement for Flash library allows users to collect video viewing activity and forward the data to Adobe’s data collection servers, where it can be used through Marketing Cloud services.

Security researcher Randy Westergren found that the library suffers from a DOM-based XSS vulnerability when the debugTracking feature is enabled. The feature is disabled in the default configuration, so having it enabled would mean the user understands the app well enough to have turned it on. Adobe officials rated the vulnerability as “important.”

The vulnerability affects AppMeasurement for Flash version 4.0 and earlier on all platforms.

Adobe patched it with the release of version 4.0.1. The company advised users to disable debugTracking immediately and rebuild their projects using the updated library.

“Due to security reasons, we will no longer be distributing an AS2 version of AppMeasurement for Flash. We will continue to support data collection from existing AS2-based projects. However, we highly recommend that customers upgrade their implementations to AS3 and incorporate the latest security features of AppMeasurement for Flash,” the company said.

Adobe said it is not aware of any instances where this vulnerability has been exploited for malicious purposes.