Netstat -vat by Sean Michael Kerner

A command line view of IT



Adobe updates open source Flex for XSS security issue

From the 'Busy Times For Adobe Security' files:

Another day, another Adobe security update.

US-CERT warned this morning that there is a security flaw in Adobe's Flex 3.3 SDK and earlier versions.
"This vulnerability may allow an attacker to conduct a cross-site scripting attack," US-CERT warned.
Adobe has a fix available now in the Flex 3.4 SDK, which also includes the latest version of the Flash Player. Adobe updated Flash at the end of July for a critical security issue.

The actual flaw fixed by Adobe is a Cross-Site Scripting (XSS) vulnerability in what are known as the Flex SDK express-install templates. Adobe credited Adam Bixby of Gotham Digital Science with discovering and reporting the flaw.
"An instance of a DOM-based Cross Site Scripting (XSS) vulnerability was found in the default index.template.html file of the SDK which is a template used by FlexBuilder to generate the wrapper html for all application files in your project," Bixby wrote in his advisory. "The XSS vulnerability appears to affect all users that download and utilize this html wrapper."
Flex is Adobe's open source framework for building rich Internet applications (RIAs). The flaw does not affect Adobe's under-development Flex 4 SDK, which is still in beta.
"This fix does not apply to Flex 4 projects, as they use the SWFObject templates by default," Adobe wrote in its advisory.
In addition to the Flash and PDF fixes issued at the end of July, this week Adobe also updated its ColdFusion and JRun applications for a series of security vulnerabilities.

The 'funny' thing is that Adobe, earlier this year, started on its own Patch Tuesday effort in an attempt to make updates a monthly ordeal. With this latest set of fixes, it is clear to me that patching every first Tuesday of the month for Adobe is not going to work.

Adobe is patching its software when it has fixes available. I personally think that is the right approach and the responsible approach. Linux users are used to getting updates all the time; it's time Windows users were too.

I don't have a problem with Adobe updating frequently; actually, I'd have more of an issue if they didn't. This way there is at least a sense that when there is an issue, a fix will follow as soon as Adobe can get one out.
