Microsoft, Adobe roll out critical security patches to plug Rosetta Flash threat

Adobe and Microsoft released their latest security updates to patch a vulnerability that attackers can potentially exploit to extract users' log-in information for some of the world's most popular websites, including Google's websites, eBay, Twitter, Tumblr and Instagram.

The updates were issued in response to the threat posed by CVE-2014-4671, a problem that has long been known in the information security community but has been addressed only recently because no proof of concept existed.

Google security engineer Michele Spagnuolo, who works at the company's Zurich headquarters, was able to develop Rosetta Flash, a tool that can be used to create malicious Shockwave Flash (SWF) files that can exploit CVE-2014-4671 and carry out commands to obtain a user's private information.

Rosetta Flash converts a binary SWF file, one that contains only 1 and 0 for its characters, into an alphanumeric file that can exploit websites that use a technique known as JSONP, which allows web browsers to obtain data hosted on a server in a different site. Normally, this isn't possible because of the Same Origin Policy, but Flash bypasses this policy to allow cross-site requests. As a result, an attacker can embed a malicious SWF file on a website to obtain authentication cookies left by users visiting that website.

"With Flash, a SWF file can perform cookie-carrying GET and POST requests to the domain that hosts it with no crossdomain.xml check," explains Spagnuolo in a blog post. "This is why allowing users to upload a SWF file on a sensitive domain is dangerous; by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled domain."

Spagnuolo first alerted his superiors at Google, which released fixes for its services, including YouTube and its umbrella login service Google Accounts, before communicating with Adobe's Product Incident Response Team. Twitter and Tumblr also announced that they have put fixes in place.

Adobe's update contains three Flash fixes, which include "additional validation checks" so that Flash "rejects malicious content from vulnerable JSONP callback APIs."
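The server side of the same problem, as an added example that is not from the article, Adobe, or Rosetta Flash: a JSONP endpoint that stops letting the caller choose the first bytes of the response. The function names, the 64-character limit and the sample callbacks are assumptions; the point it shows is that a character allowlist alone does not help, because the payload is alphanumeric by design.

```python
import json
import re

# Allowlist for callback names: identifier characters and dots, bounded length.
# The 64-character bound is an assumed policy value, not taken from the article.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")


def naive_jsonp(callback, data):
    """Pre-fix behaviour: the response body starts with caller-controlled bytes."""
    return callback + "(" + json.dumps(data) + ")"


def hardened_jsonp(callback, data):
    """Return (status, headers, body) for a JSONP response."""
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Stop content sniffing, and force a download if the URL is loaded
        # as a document or plugin object rather than through <script>.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="f.txt"',
    }
    # Empty JavaScript comment first: harmless to a <script> consumer, but the
    # caller no longer controls how the response begins.
    body = "/**/" + callback + "(" + json.dumps(data) + ");"
    return 200, headers, body


# Constructed placeholders, not real SWF content: alphanumeric-only strings
# standing in for an encoded file passed as the callback parameter.
LONG_ALNUM_CALLBACK = "CWS" + "M" * 500
SHORT_ALNUM_CALLBACK = "CWS" + "M" * 40

if __name__ == "__main__":
    print(naive_jsonp(SHORT_ALNUM_CALLBACK, {"ok": True})[:20])
    print(hardened_jsonp(LONG_ALNUM_CALLBACK, {"ok": True})[0])
    print(hardened_jsonp(SHORT_ALNUM_CALLBACK, {"ok": True})[2][:20])
```

The short placeholder passes the allowlist, which is why the leading `/**/` and the response headers carry the defence rather than the character check.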

Microsoft also released a massive update for Internet Explorer, which contains 24 fixes that address remote code execution vulnerabilities that allow attackers to obtain access to users' computers by duping them into visiting an affected website. The update, named MS-14-037, also includes security patches that address a weakness in the way IE handles Extended Validation SSL certificates.

Wolfgang Kandek, chief technology officer of Qualys, recommends that users and server administrators download the latest Flash updates immediately. Users of Google Chrome, IE10 and IE11, however, don't have to do anything as Google and Microsoft will update their Flash browser plugins automatically.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.