The AIR app published to find and resolve this issue _does_ accept -check
and -patch command-line options. These options are not documented.
We have checked our source tree with a bash script similar to:
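#!/bin/bash
# Command-line binary inside the AIR patch tool's app bundle
patcher=/Applications/Adobe/APSB11_25_Patch_Tool.app/Contents/MacOS/APSB11_25_Patch_Tool
# Run -check on every SWF under the current directory
find "$(pwd)" -name "*.swf" -exec echo processing {} \; -exec "$patcher" -check {} \;
# Print the log entries that recommend patching, with two lines of leading context
find "$(pwd)" -name "*.swf.log" -exec cat {} \; | grep -B 2 "Patch recommended"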
Note that when the tool is used on the command line, it writes its output
to [name of swf].log. This file can be analyzed to drive patching of SWFs.
Regards,
Stephen
On Mon, Dec 5, 2011 at 3:34 PM, Stephen Kuenzli <[email protected]> wrote:
> A couple of questions:
> Does anyone have details on this issue?
> The security bulletin and top links in Google don't describe details of
> the vulnerability. We are trying to determine our exposure.
>
> Is there a continuous integration / command-line friendly way to use the
> patch tool?
> We _might_ consider cooking up our own based on the description of the air
> app's operation "Also note that the SWF-patching tool works by searching
> for a known byte sequence in a particular area of the SWF file," but we'd
> rather use something Adobe published.
>
> Regards,
> Stephen
>
>
> On Mon, Dec 5, 2011 at 5:42 AM, Carsten Schlipf <[email protected]
> > wrote:
>
>> Adobe has published a security bulletin:
>> http://kb2.adobe.com/cps/915/cpsid_91544.html
>>
>> *Due to a vulnerability in the Flex SDK, many Flex applications are
>> vulnerable to cross-site scripting (XSS) attacks, and must be patched in
>> order to protect user data.*
>>
>> When will updated SDKs be available in the repository?
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Flex Mojos" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/flex-mojos
>>
>> http://flexmojos.sonatype.org/
>>
>
>
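One way to turn the [name of swf].log files described above into a CI gate, as an added example that is not part of the original messages or of Adobe's tool. It assumes only what the thread states: a -check run leaves a log beside each SWF, and a finding contains the text "Patch recommended". The function names are hypothetical.

```sh
#!/bin/sh
# Added example. Relies only on facts from the thread: -check writes
# "<swf>.log" and a finding contains the string "Patch recommended".
# The rest of the log layout is not relied on. Assumes paths without newlines.

# Print each SWF whose log carries a finding; the SWF path is the log
# path minus the ".log" suffix.
swfs_needing_patch() {
    find "$1" -type f -name '*.swf.log' \
        -exec grep -l 'Patch recommended' {} + | sed 's/\.log$//'
}

# Print each SWF with no log beside it, i.e. one the -check pass never
# covered (for example a SWF built after the check ran).
swfs_unchecked() {
    find "$1" -type f -name '*.swf' -exec sh -c '
        for f in "$@"; do
            if [ ! -f "$f.log" ]; then printf "%s\n" "$f"; fi
        done' sh {} +
}

# CI gate: return 0 only when every SWF under $1 has been checked and
# none of the logs recommends patching. Findings go to stderr.
swf_gate() {
    flagged=$(swfs_needing_patch "$1")
    unchecked=$(swfs_unchecked "$1")
    status=0
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged" | sed 's/^/PATCH RECOMMENDED: /' >&2
        status=1
    fi
    if [ -n "$unchecked" ]; then
        printf '%s\n' "$unchecked" | sed 's/^/NOT CHECKED: /' >&2
        status=1
    fi
    return "$status"
}
```

Call `swf_gate "$(pwd)"` after the -check pass and fail the build on a non-zero return; the list printed by `swfs_needing_patch` is the set of files to hand to the tool's -patch option.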