Flash Patched After Rosetta Exposes Serious Vulnerability

Internet users are being urged to patch their web browsers as soon as possible after the discovery of a new “weaponised exploit” in Adobe’s Flash player.

The issue should not affect users of Google’s Chrome or Microsoft Internet Explorer (10 and 11), but users of the older versions of IE, Mozilla Firefox, Apple Safari and Opera should immediately download the latest patch from Adobe.

Rosetta Flash

The vulnerability was discovered by Google security engineer Michele Spagnuolo, who is based in Switzerland.

Spagnuolo apparently informed Adobe of the vulnerability, and they rapidly issued an updated version of Adobe Flash Player. He also informed Google, YouTube, Twitter, Instagram, Tumblr and eBay, as their domains are thought to be vulnerable to this exploit.

adobe-flash“I present Rosetta Flash, a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site,” wrote Spagnuolo. “This is a CSRF bypassing Same Origin Policy.”

“High profile Google domains (accounts.google.com, www.books., maps., etc.) and YouTube were vulnerable and have been recently fixed,” wrote Spagnuolo. “Twitter, Instagram, Tumblr, Olark and eBay still have vulnerable JSONP endpoints at the time of writing this blog post.

Adobe, Google and Twitter have apparently responded and issued fixes. Spagnuolo will present his Rosetta Flash research in October at the Hack In The Box conference in Malaysia.

“Rosetta Flash leverages zlib, Huffman encoding and ADLER32 checksum bruteforcing to convert any SWF file to another one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain,” wrote Spagnuolo.

Update Now

Adobe has released a new version of Flash Player, and it’s important that everyone with a vulnerable computer applies the update at the earliest opportunity,” wrote security pundit Graham Cluley.

Cluley also warned people to be aware that Adobe is trying to “foist on users” the McAfee Security Suite, when they download the updated Flash player.

“It’s the kind of dirty trick that you would expect from a scam site, and it’s always disappointing to see the likes of Adobe and McAfee attempting it too,” he wrote.

Are you a security expert? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago