Adobe released security updates for Flash Player on Tuesday to address a total of three vulnerabilities, including one that affected several high-profile web sites.
Adobe Flash Player 220.127.116.11 for Windows and Mac, and Adobe Flash Player 18.104.22.1684 for Linux contain fixes for the vulnerabilities with the CVE identifiers CVE-2014-0537, CVE-2014-0539, CVE-2014-4671. The first two flaws, reported by Masato Kinugawa, can be exploited to bypass security. The third vulnerability (CVE-2014-4671), discovered and reported by Google engineer Michele Spagnuolo, can be leveraged to exfiltrate sensitive data.
According to Spagnuolo, the issue is a Same Origin Policy bypass that can be leveraged for Cross-Site Request Forgery (CSRF) attacks. To demonstrate his findings, the researcher has developed a tool called Rosetta Flash, which can convert any SWF file into one composed only of alphanumeric characters. In a blog post published on Tuesday, the expert explained that these files can be used "to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site."
"This is a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented. This led websites owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided," Spagnuolo said.
There are three important factors in such an attack scenario. First of all, it's dangerous to allow users to upload a SWF file to a sensitive domain because such files can perform cookie-carrying POST and GET requests to the domain on which they are hosted. An attacker can use a malicious SWF file to trick the target into performing requests that exfiltrate sensitive information to an external domain controlled by the attacker, the expert said.
Secondly, JSONP allows for the first bytes of the output generated by an endpoint to be controlled through the "callback" parameter in the request URL. In most JSONP callbacks, the allowed character set is restricted to characters like ".", "_" and letters of the alphabet (both lowercase and uppercase letters). The Rosetta Flash tool focuses on this restrictive charset, but it's also designed to work with other allowed charsets specified by the user, Spagnuolo explained.
Finally, the expert points out that an attacker can execute any SWF file embedded on his domain by making it look like a valid Flash file. This task can be accomplished with the aid of the Content-Type forcing "<object>" tag.
"Rosetta Flash leverages zlib, Huffman encoding and ADLER32 checksum bruteforcing to convert any SWF file to another one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain," Spagnuolo wrote on his blog.
The vulnerability affected several high-profile online services, including Google, Twitter, Tumblr, eBay, YouTube, Olark and Instagram. Google, Twitter, Tumblr and YouTube have addressed the security hole. Adobe says it has fixed the issue by including "additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs.
Spagnuolo will detail the vulnerability at the upcoming Hack In The Box security conference which takes place in Malaysia in October.
In related news, Microsoft released six security bulletins for Patch Tuesday, including a critical update for Internet Explorer. Two vulnerabilities are rated 'critical', while three are rated 'important' and one is considered 'moderate.' The bulletins address 29 vulnerabilities across Microsoft Windows, Microsoft Server Software and Internet Explorer.