Yahoo! experts warn users that a SWF security hole exists in the Yahoo! User Interface Library (YUI) 2.
According to a post published on the YUI Blog, the vulnerability affects self-hosted YUI 2 SWF files, but customers of YUI 3 and those of YUI 2 via yui.yahooapis.com or a different CDN are not affected by the flaw.
No other details are provided, but engineers advise the owners of projects that host YUI 2 SWF files on their own servers to email them at email@example.com for support and more information.
The H Security believes that the vulnerability might have something to do with the SWFStore class, which supports the persistence of data utilizing Flash Player.
In the meantime, customers don’t seem to be too pleased by the fact that the developers have decided to keep the details of the vulnerability to themselves.
“You haven’t created a meaningful barrier for malicious people; you’ve only made it harder for people who are legitimately affected by this issue to get the information they need to fix it,” one unhappy customer wrote.