advertisement
Facebook
X
LinkedIn
WhatsApp
Reddit

“Rosetta Flash” flaw leaves Adobe Flash vulnerable to attacks

Adobe has issued a warning that those who make use of its Flash Player (v. 14.0.0.145) should immediately update the application. It said that a vulnerability has been discovered that could allow attacks to take control of a PC.

“Adobe has released security updates for Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.378 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system,” it said in a blog post.

According to its website, Flash Player currently has a rating of Priority 1, which is the highest rating it can assign to an update.

Priority 1 means “This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours).”

Adobe AIR, Adobe AIR SDK and Compiler, and Adobe AIR SDK have a rating of Priority 3, which is slightly less urgent than Flash Player, but still pretty serious. Priority 3 is “a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”

The exploit was discovered by Google Engineer Michele Spagnuolo by using his exploit tool called Rosetta Flash.

Rosetta Flash specifically targets one particular feature within Flash.

“(It is) a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site,” Spagnuolo detailed in a blog post.

Sites like Twitter, Microsoft, Google and Instagram make use of the application, and have said to have already patched their websites.  If you are using Google’s Chrome browser or Internet Explorer 10 or 11, you browser should update to the latest version automatically, without you having to do anything. But if you make use of Mozilla’s Firefox browser, it would be a good idea to head on over to Adobe’s site and grab the update.

Spagnuolo said that the issue have been well-known in the industry, but nobody has done anything about it – until now.

“This is a well-known issue in the information security community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented. This led websites owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided.”

[Source – Adobe, Via Ars]

advertisement

About Author

advertisement

Related News

advertisement