Security Announcement: SWF Vulnerability in YUI 2

By Andrew Wooldridge, October 30th, 2012
Update: Additional information is available about this issue.

We have identified a security vulnerability in self-hosted YUI 2 SWF files.
* Users of YUI 2 via http://yui.yahooapis.com or another CDN are not affected by this issue.
* Users of YUI 3 are not affected by this issue.

Any project that hosts YUI 2 SWF files (any version from 2.4.0 through 2.9.0) on its own servers should email us right away at security (at) yuilibrary.com for more information and support.

Note: This vulnerability is also listed under CVE-2012-5881, CVE-2012-5882, and CVE-2012-5883.

8 Comments

  1. I know that dealing with a security vulnerability is tricky and often stressful, and I absolutely sympathize, but obscuring the details of the vulnerability and the mitigation steps by asking people to email you for more information is counterproductive, and creates the impression that you’re trying to hide something.

    There is value in quietly reaching out to users who you know are likely to be affected before you go public. But there is no value in going halfway public like this.

    It may seem like this is a way to protect potentially affected users by limiting who knows the details of the vulnerability, but it isn’t. Anyone who wants that information can email security@yuilibrary.com to get it. You haven’t created a meaningful barrier for malicious people; you’ve only made it harder for people who are legitimately affected by this issue to get the information they need to fix it.

    Please do the right thing and publish the details and mitigation steps for this vulnerability. And once they’re public, please tweet and blog about them to ensure that as many people as possible are aware of the issue. That’s the responsible thing to do, even though it can be embarrassing.

  2. It would be good to remove Ryan’s comment too, it is not adding value either and making things worse.

  3. @Manuel: I’m not sure how asking for responsible public disclosure of a security vulnerability in an open source project makes anything worse.

  4. @Ryan, sorry for how I said what I said, you are a brilliant developer and your observations are pretty much always right on the spot, it is the style and tone that sometimes could cause the wrong impression, and this is what – imho – I saw here and felt compelled to say something. As I said, I believe you’re right, but I am a front-end architect at a very large financial company that uses YUI, and somebody could get the wrong impression and spark the wrong conversations by getting caught on the form rather than the contents of your comment. I was one of those people that got a personal call many weeks ago to notify me of this vulnerability, and I got all the details I needed and truly appreciated the call. I think your point is that everyone should get the details, and that is absolutely right, but the YUI team is trying very hard like everyone else and it would have been better – again imho – to say what you rightfully meant to say, but in a different way or perhaps in a different forum. All my respect to you.

  5. @Manuel: If my tone seemed wrong, I apologize. I tried to criticize constructively and politely, but if it didn’t come across that way, then I failed.

    I also was contacted personally several weeks ago and notified of this vulnerability, and that was something I appreciated greatly. That was a responsible and helpful move on YUI’s part. However, this semi-public disclosure was not.

    I speak from experience, having been the YUI team’s dedicated Paranoid (Yahoo! slang for someone who’s responsible for dealing with security-related matters) when I was at Yahoo!. I’m not being critical out of a desire to hurt or embarrass YUI — exactly the opposite. I know that the YUI team has the best intentions, but I also know that not everyone in the world knows that, and to an outside observer, this blog post (and the complete lack of any public messaging outside of this blog post) looks very much like an attempt to sweep this issue under the rug.

    When I was on the team, several of us worked together to draft YUI’s security policy, which you can read at http://yuilibrary.com/security/. That policy promises prompt disclosure of security issues once a resolution is available. This blog post announces an issue, but neither provides the resolution (even though one is available and has been provided to people privately) nor discloses the details of the problem.

    YUI is an open source project, and relies on participation and feedback from its users and contributors. In return, its users and contributors rely on transparency and openness from the project’s leadership. In this case, I feel there has been a lack of transparency, and I’ve tried to provide constructive criticism and suggestions to improve the situation.

  6. @Ryan, from the beginning you have been making a very good point, and I know our brief interaction will help the YUI team to do better next time or even improve this time. Well said things always inspire listening.

  7. [...] this week we announced a security vulnerability in YUI 2. You can expect more details to be released on this issue in the [...]

  8. This issue has been assigned CVE-2012-5475, as per http://www.openwall.com/lists/oss-security/2012/11/05/9.