Adobe Patches Rosetta Flash Vulnerability

Summary:

  • This vulnerability affects: Adobe Flash Player 14.0.0.125 and earlier, running on all platforms (and Air)
  • How an attacker exploits it: By enticing you to run specially crafted Flash content (often delivered as a .SWF file)
  • Impact: Varies, but in one case an attacker can leverage this flaw to gain access to sensitive content from other web domains you visit.
  • What to do: Download and install the latest version of Adobe Flash Player (version 14.0.0.145 for computers)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released this week, Adobe announced a patch that fixes three vulnerabilities in Adobe Flash Player 14.0.0.125 and earlier, running on all platforms.

Adobe characterizes two of the vulnerabilities as “security bypass” flaws, and states that attackers could exploit at least one of them to take control of the affected system. However, it’s the third vulnerability that is most interesting and is getting media attention.

A security researcher, Michele Spagnuolo, posted a blog article describing a complex, multi-layered vulnerability called the Rosetta Flash flaw, which involves the Flash vulnerability but also depends on JSONP-based web applications. If you’re interested in the intricate technical details of the attack, I recommend you check out Spagnuolo’s blog post or presentation. The scope of the vulnerability is a little easier to understand. If an attacker can trick your users into running specially crafted Flash content, he can potentially take advantage of this flaw to steal your users’ information from certain third-party domains that use JSONP-based applications. When first discovered, this included domains like eBay, Tumblr, and some Google applications. However, these big companies have since modified their web applications to prevent this flaw.
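Because the flaw depends on JSONP endpoints echoing a requester-chosen callback at the very start of the response, the web-application side of the fix is to make that impossible. The example below is added here (it is not WatchGuard's, Adobe's or Spagnuolo's code) and assumes a small responder that restricts callback names to a conservative identifier pattern, prefixes the body with a harmless comment, and sets the response headers the Rosetta Flash research recommended; a helper checks whether a response still begins with caller-supplied bytes.

```python
import re
from typing import Dict, Tuple

# Constructed example of a hardened JSONP responder. Assumption: callback
# names must match a conservative identifier pattern (length-limited).
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")

Response = Tuple[int, Dict[str, str], bytes]


def naive_jsonp(callback: str, payload: str) -> Response:
    """The weak pattern: whatever the requester passed as the callback
    becomes byte 0 of the response body, so the requester controls how
    the document starts (the property Rosetta Flash depends on)."""
    body = f"{callback}({payload});".encode()
    return 200, {"Content-Type": "application/javascript"}, body


def hardened_jsonp(callback: str, payload: str) -> Response:
    """Reject unusual callback names and guarantee the body never starts
    with requester-supplied bytes by prefixing a JavaScript comment."""
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, b"invalid callback"
    body = f"/**/{callback}({payload});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Stop the browser from guessing a different content type.
        "X-Content-Type-Options": "nosniff",
        # Mark the response as a download rather than embeddable content;
        # script tags still execute it, plugins do not load it as an object.
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return 200, headers, body


def caller_controls_prefix(callback: str, body: bytes) -> bool:
    """True when the response body starts with the bytes the caller chose."""
    return body.startswith(callback.encode())


if __name__ == "__main__":
    _, _, weak = naive_jsonp("cb", '{"ok":1}')
    _, _, safe = hardened_jsonp("cb", '{"ok":1}')
    print("naive response caller-controlled at byte 0:", caller_controls_prefix("cb", weak))
    print("hardened response caller-controlled at byte 0:", caller_controls_prefix("cb", safe))
```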

In any case, Adobe rates these issues as “Priority 1” for Windows and Mac, and recommends you apply the updates as soon as possible (within 72 hours). However, the vulnerability technically affects other platforms as well, so I recommend you update any Flash-capable device as soon as you can.

Solution Path

Adobe has released new versions of Flash Player (14.0.0.145 for computers) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:
NOTE: Chrome and newer versions of IE ship with their own built-in versions of Flash. If you use one of them as your web browser, you will also have to update it separately, though both often receive their updates automatically.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash (and Shockwave) content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Finally, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Adobe’s Flash update to completely protect yourself from all of these flaws.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
