Adobe Patches Flash Player to Prevent “Rosetta Flash” Attacks

Adobe released security updates for Flash Player on Tuesday to address a total of three vulnerabilities, including one that affected several high-profile web sites.

Adobe Flash Player 14.0.0.145 for Windows and Mac, and Adobe Flash Player 11.2.202.394 for Linux, contain fixes for the vulnerabilities with the CVE identifiers CVE-2014-0537, CVE-2014-0539 and CVE-2014-4671. The first two flaws, reported by Masato Kinugawa, can be exploited to bypass security. The third vulnerability (CVE-2014-4671), discovered and reported by Google engineer Michele Spagnuolo, can be leveraged to exfiltrate sensitive data.

According to Spagnuolo, the issue is a Same Origin Policy bypass that can be leveraged for Cross-Site Request Forgery (CSRF) attacks. To demonstrate his findings, the researcher has developed a tool called Rosetta Flash, which can convert any SWF file into one composed only of alphanumeric characters. In a blog post published on Tuesday, the expert explained that these files can be used “to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site.”

“This is a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented. This led website owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided,” Spagnuolo said.

There are three important factors in such an attack scenario. First of all, it’s dangerous to allow users to upload a SWF file to a sensitive domain because such files can perform cookie-carrying POST and GET requests to the domain on which they are hosted. An attacker can use a malicious SWF file to trick the target into performing requests that exfiltrate sensitive information to an external domain controlled by the attacker, the expert said.

Secondly, JSONP allows for the first bytes of the output generated by an endpoint to be controlled through the “callback” parameter in the request URL. In most JSONP callbacks, the allowed character set is restricted to characters like “.”, “_” and letters of the alphabet (both lowercase and uppercase letters). The Rosetta Flash tool focuses on this restrictive charset, but it’s also designed to work with other allowed charsets specified by the user, Spagnuolo explained.

Finally, the expert points out that an attacker can execute any SWF file embedded on his domain by making it look like a valid Flash file. This task can be accomplished with the aid of the Content-Type forcing “<object>” tag.

“Rosetta Flash leverages zlib, Huffman encoding and ADLER32 checksum bruteforcing to convert any SWF file to another one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain,” Spagnuolo wrote on his blog.
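The attack only works because the JSONP callback parameter controls the first bytes of the response and Flash Player identified a file by its three-byte signature. The following is an added defensive example, not code from the article or from Spagnuolo's tool: it contrasts a naive JSONP endpoint with one that validates the callback name and prefixes the body with `/**/`, the server-side mitigation large sites deployed at the time, so the response can never begin with a Flash signature. The callback charset, header set and sample data are assumptions chosen for the illustration.

```python
import json
import re
from typing import Dict, Tuple

# SWF signatures: uncompressed (FWS), zlib-compressed (CWS, the form Rosetta
# Flash produces) and LZMA-compressed (ZWS). Flash Player keyed on these
# first three bytes, which is why a callback such as "CWS..." was dangerous.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Constructed allow-list for callback names: letters, digits, "_", "$" and ".".
# Tighten or loosen to match what your API actually needs.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")


def looks_like_swf(body: bytes) -> bool:
    """True if the response body begins with a Flash file signature."""
    return body[:3] in SWF_MAGIC


def naive_jsonp(callback: str, data: dict) -> bytes:
    """Unhardened endpoint: the caller fully controls the leading bytes."""
    return f"{callback}({json.dumps(data)})".encode()


def hardened_jsonp(callback: str, data: dict) -> Tuple[bytes, Dict[str, str]]:
    """Hardened endpoint: strict callback allow-list plus a leading comment,
    so even an allowed name like "CWSabc" cannot form a Flash header."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    body = f"/**/{callback}({json.dumps(data)});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Defence in depth: discourage re-interpretation of the body as another type.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return body, headers


if __name__ == "__main__":
    sample = {"user": "alice", "token": "constructed-sample-value"}
    # "CWSx" stands in for a Rosetta-style callback; only the prefix matters
    # here, no real SWF bytes are built.
    print(looks_like_swf(naive_jsonp("CWSx", sample)))       # True
    body, _ = hardened_jsonp("CWSx", sample)
    print(looks_like_swf(body))                              # False
```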

The vulnerability affected several high-profile online services, including Google, Twitter, Tumblr, eBay, YouTube, Olark and Instagram. Google, Twitter, Tumblr and YouTube have addressed the security hole. Adobe says it has fixed the issue by including “additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs.”

Spagnuolo will detail the vulnerability at the upcoming Hack In The Box security conference which takes place in Malaysia in October.

In related news, Microsoft released six security bulletins for Patch Tuesday, including a critical update for Internet Explorer. Two of the bulletins are rated ‘critical’, three are rated ‘important’ and one is considered ‘moderate’. The bulletins address 29 vulnerabilities across Microsoft Windows, Microsoft Server Software and Internet Explorer.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
