|Flash Player ActiveX Control for Internet Explorer
|Adobe Flash Player 18.104.22.168 and earlier, 22.214.171.124 and earlier, and 126.96.36.199 and earlier.
|Adam Barth and Collin Jackson, Stanford University
The specific flaw exists in the Flash Player ActiveX Control's handling of the navigateToURL API, which takes two arguments, a URL and the name of the frame to be navigated. The SWF movie can pass in a frame on some other domain. The code in the URI executes in the security context of the named frame, rather than the security context of the SWF movie or the page that embeds it.
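
The missing check described above, modelled in JavaScript as an added example (not Adobe's code and not part of the original advisory). It assumes the code-carrying URL is a javascript: URL; the function names, frame names and origins are constructed for illustration.

```javascript
// Added illustration: a model of the origin check that a plugin's
// "navigate frame X to URL Y" API needs. All names and URLs are constructed.

// Assumption: javascript: is the scheme whose "navigation" runs code in the target frame.
const SCRIPT_SCHEMES = new Set(["javascript:"]);

// Normalise the way URL parsers do before reading the scheme: drop tab/CR/LF
// anywhere and leading control characters or spaces, so "java\tscript:" is caught.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null for relative URLs
}

const isScriptUrl = (url) => SCRIPT_SCHEMES.has(schemeOf(url));
const originOf = (url) => new URL(url).origin;

// Behaviour the advisory describes: any named frame is accepted, so the code
// in the URL runs with the target frame's origin.
function navigateUnchecked(frames, swfUrl, url, target) {
  if (!frames.has(target)) return { allowed: false, runsAs: null };
  return { allowed: true, runsAs: isScriptUrl(url) ? originOf(frames.get(target)) : null };
}

// Hardened: a script-bearing URL is refused unless the target frame has the
// same origin as the SWF that asked for the navigation. Ordinary navigations
// are left to the browser's frame-navigation policy, which is not modelled here.
function navigateChecked(frames, swfUrl, url, target) {
  if (!frames.has(target)) return { allowed: false, runsAs: null };
  if (!isScriptUrl(url)) return { allowed: true, runsAs: null };
  const targetOrigin = originOf(frames.get(target));
  if (targetOrigin !== originOf(swfUrl)) return { allowed: false, runsAs: null };
  return { allowed: true, runsAs: targetOrigin };
}

// Constructed sample: a SWF from one site, frames from two sites.
const FRAMES = new Map([
  ["own", "https://swf-host.example/page.html"],
  ["other", "https://other-site.example/account"],
]);
const SWF = "https://swf-host.example/movie.swf";
```
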
If you are using Internet Explorer and have a vulnerable version of Flash Player installed, this demo will alert you with the target URL's cookie and content.

Flash source