Adobe Patches Flash Player to Prevent “Rosetta Flash” Attacks

Adobe released security updates for Flash Player on Tuesday to address a total of three vulnerabilities, including one that affected several high-profile web sites.

Adobe Flash Player for Windows and Mac, and Adobe Flash Player for Linux contain fixes for the vulnerabilities with the CVE identifiers CVE-2014-0537, CVE-2014-0539, CVE-2014-4671. The first two flaws, reported by Masato Kinugawa, can be exploited to bypass security. The third vulnerability (CVE-2014-4671), discovered and reported by Google engineer Michele Spagnuolo, can be leveraged to exfiltrate sensitive data.

According to Spagnuolo, the issue is a Same Origin Policy bypass that can be leveraged for Cross-Site Request Forgery (CSRF) attacks. To demonstrate his findings, the researcher has developed a tool called Rosetta Flash, which can convert any SWF file into one composed only of alphanumeric characters. In a blog post published on Tuesday, the expert explained that these files can be used “to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site.”

“This is a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented. This led websites owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided,” Spagnuolo said.

There are three important factors in such an attack scenario. First of all, it’s dangerous to allow users to upload a SWF file to a sensitive domain because such files can perform cookie-carrying POST and GET requests to the domain on which they are hosted. An attacker can use a malicious SWF file to trick the target into performing requests that exfiltrate sensitive information to an external domain controlled by the attacker, the expert said.

Secondly, JSONP allows for the first bytes of the output generated by an endpoint to be controlled through the “callback” parameter in the request URL. In most JSONP callbacks, the allowed character set is restricted to characters like “.”, “_” and letters of the alphabet (both lowercase and uppercase letters). The Rosetta Flash tool focuses on this restrictive charset, but it’s also designed to work with other allowed charsets specified by the user, Spagnuolo explained.

Finally, the expert points out that an attacker can execute any SWF file embedded on his domain by making it look like a valid Flash file. This task can be accomplished with the aid of the Content-Type forcing “<object>” tag.

“Rosetta Flash leverages zlib, Huffman encoding and ADLER32 checksum bruteforcing to convert any SWF file to another one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain,” Spagnuolo wrote on his blog.
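To make the reflection problem concrete, the Python below is an added illustration that is not from the article or from the Rosetta Flash tool: it contrasts a JSONP handler that reflects the callback as the first bytes of the body with one hardened the way commonly recommended for this issue (a callback charset whitelist, a fixed `/**/` prefix so the response can never begin with a SWF signature `FWS`, `CWS` or `ZWS`, and headers that stop clients from treating the reply as anything but a script). The function names, the callback regex and the sample values are assumptions.

```python
import json
import re

# Flash Player only treats a response as a SWF file if its first three
# bytes are one of these signatures (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Typical restrictive JSONP callback charset: letters, digits, "." and "_".
# Assumed policy, not taken from the article.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]{0,63}$")


def naive_jsonp(callback: str, data: dict) -> bytes:
    """Weak pattern described above: the callback becomes the first bytes
    of the response body, so a caller chooses how the body starts."""
    return f"{callback}({json.dumps(data)});".encode()


def hardened_jsonp(callback: str, data: dict):
    """Returns (status, headers, body). Hardening: reject callbacks outside
    the whitelist, prefix a JS comment so the first bytes are fixed, and
    mark the response as non-sniffable and as a download for plugins."""
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, b"invalid callback"
    body = b"/**/" + f"{callback}({json.dumps(data)});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return 200, headers, body


def looks_like_swf(body: bytes) -> bool:
    """Review check: would Flash Player accept this body as a SWF file?"""
    return body[:3] in SWF_MAGIC


if __name__ == "__main__":
    # Constructed sample: an alphanumeric callback that starts with a SWF signature.
    cb = "CWSexampleCallback"
    print("naive reflects SWF header:", looks_like_swf(naive_jsonp(cb, {"ok": True})))
    status, _, body = hardened_jsonp(cb, {"ok": True})
    print("hardened status/SWF header:", status, looks_like_swf(body))
```

Run the check over captured JSONP responses from a test environment: any body for which `looks_like_swf` returns True is one a Flash plugin of the affected versions would have accepted as a file hosted on that domain.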

The vulnerability affected several high-profile online services, including Google, Twitter, Tumblr, eBay, YouTube, Olark and Instagram. Google, Twitter, Tumblr and YouTube have addressed the security hole. Adobe says it has fixed the issue by including “additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs.”

Spagnuolo will detail the vulnerability at the upcoming Hack In The Box security conference which takes place in Malaysia in October.

In related news, Microsoft released six security bulletins for Patch Tuesday, including a critical update for Internet Explorer. Two of the bulletins are rated ‘critical’, three are rated ‘important’ and one is considered ‘moderate’. The bulletins address 29 vulnerabilities across Microsoft Windows, Microsoft Server Software and Internet Explorer.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
