Breaking: Chrome And IE Browser Exploit Steals Login Credentials, Update Flash ASAP

Adobe has today released an updated version of its Flash plugin to address "critical" issues, and believe us when we say that no time should be wasted in making sure you get that up-to-date version. At its core, this bug could allow remote code execution, which is to say that somebody could potentially run malicious code on your PC, or ultimately take control of it.

This vulnerability was discovered by Google security researcher Michele Spagnuolo, who demonstrated it with a tool called Rosetta Flash. The tool translates a standard SWF Flash file into purely alphanumeric characters, text that the Flash plugin will still interpret as a valid Flash file.

The important bits, as told by Michele:

1. With Flash, a SWF file can perform cookie-carrying GET and POST requests to the domain that hosts it, with no crossdomain.xml check. This is why allowing users to upload a SWF file on a sensitive domain is dangerous: by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled, domain.
2. JSONP, by design, allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL. Since most JSONP callbacks restrict the allowed charset to [a-zA-Z], _ and ., my tool focuses on this very restrictive charset, but it is general enough to work with different user-specified allowed charsets.
3. SWF files can be embedded on an attacker-controlled domain using a Content-Type forcing <object> tag, and will be executed as Flash as long as the content looks like a valid Flash file.

The last point is the most important. Because Flash would interpret plain alphanumeric text as a real Flash file, the consequences could be serious. In a way, it's a surprise that this vulnerability wasn't discovered long ago.
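The three points above describe one pattern: a JSONP endpoint reflects a caller-chosen callback as the first bytes of its response, and Flash accepts any response that begins like a SWF file. The following is an added example, not code from the article or from Rosetta Flash, showing the naive endpoint beside a hardened one and a small access-log check. Endpoint names, sample values and log lines are constructed; the allowed callback charset is the one the article quotes (letters, `_` and `.`), and the `/**/` prefix is the mitigation that sites widely adopted after this disclosure. Note that the charset check alone is not enough, since the SWF signature bytes are themselves letters; the prefix is what guarantees the response never starts with caller-chosen bytes.

```python
"""Added example (not from the article or from Rosetta Flash): a JSONP
endpoint shown naive and hardened, plus an access-log check.
All names, sample values and log lines here are constructed."""
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Charset the article quotes for typical JSONP callbacks: letters, '_' and '.'.
CALLBACK_RE = re.compile(r"^[A-Za-z_.]{1,64}$")

# First three bytes of every SWF container (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def looks_like_swf(body: bytes) -> bool:
    """True if the body begins with a SWF signature (what point 3 relies on)."""
    return body[:3] in SWF_MAGIC


def naive_jsonp(callback: str, payload: dict) -> Tuple[bytes, Dict[str, str]]:
    """'Before': the callback is reflected verbatim as the first bytes of the
    body, so whoever chooses the callback chooses how the response starts."""
    body = f"{callback}({json.dumps(payload)});".encode()
    return body, {"Content-Type": "application/javascript"}


def hardened_jsonp(callback: str, payload: dict) -> Tuple[bytes, Dict[str, str]]:
    """'After': reject callbacks outside the allowed charset, then prepend an
    empty JS comment so the response can never begin with caller-chosen bytes.
    X-Content-Type-Options: nosniff is added as defence in depth."""
    if not CALLBACK_RE.fullmatch(callback):
        raise ValueError("invalid JSONP callback")
    body = b"/**/" + f"{callback}({json.dumps(payload)});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def suspicious_callbacks(log_lines: List[str]) -> List[str]:
    """Detection side: return request paths from access-log lines whose
    'callback' parameter starts with a SWF signature or falls outside the
    allowed charset. Assumes the usual quoted 'METHOD PATH HTTP/x' request."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        path = m.group(1)
        qs = parse_qs(urlsplit(path).query)
        for cb in qs.get("callback", []):
            if cb[:3].encode() in SWF_MAGIC or not CALLBACK_RE.fullmatch(cb):
                hits.append(path)
                break
    return hits


# Constructed sample log: one ordinary callback, one beginning with a SWF signature.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2014:10:00:01 +0000] "GET /api/user?callback=jQuery.cb HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jul/2014:10:00:02 +0000] "GET /api/user?callback=CWSxAbcd HTTP/1.1" 200 9821',
]

if __name__ == "__main__":
    data = {"user": "alice"}
    body, _ = naive_jsonp("CWSxAbcd", data)
    print("naive response starts like a SWF:", looks_like_swf(body))
    body, hdrs = hardened_jsonp("CWSxAbcd", data)
    print("hardened response starts like a SWF:", looks_like_swf(body), hdrs)
    print("flagged requests:", suspicious_callbacks(SAMPLE_LOG))
```

Running the block shows that the same letters-only callback makes the naive body start with a SWF signature but leaves the hardened body starting with `/**/`, and that the log check flags only the second constructed request.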

The latest version of the Flash plugin for Windows and Mac is 14.0.0.145, and despite not having had feature updates in some time, the Linux version has also been updated, to 11.2.202.394. Note that the Flash plugin built into Google Chrome will be updated automatically.

Via: Graham Cluley
Comments
RyanVaughn 4 months ago

Anyone know if FF and iceweasel (a lightweight version of FF for *nix) are affected, or is this just IE and chrome?

PaulGureghian 4 months ago

I think flash is flash

RyanHedrick 4 months ago

Flash needs a complete overhaul. So many exploits are found on a regular basis. Either that or someone needs to code a new standard. I'm not surprised IE allowed the loophole, but chrome I'm a bit taken aback by. They'll likely have it figured out soon. Just be extra vigilant in where you browse and update your flash.

HsuChawBin 4 months ago

If it uses flash. Yes.

RyanVaughn 4 months ago

Thanks, I guess I was just being optimistic. Gonna be a real pain to change all my passwords.

JamesHostick 4 months ago

Or just don't use flash. Yeah, that works too.

ArientiGabriele 4 months ago

don't use flash

4 months ago

Avast! has caught that as a trojan!

MichaelDeMatteis 4 months ago

Thanks.....

JamesHostick 4 months ago

HTML5

nfs3freak 4 months ago

Thanks for this update! Don't know how I missed this yesterday.

JamesHostick 4 months ago

If you have flash in Chrome I'd either a) uninstall or b) update. Either way, go change your passwords to be safe.

JamesHostick 4 months ago

Nothing to "get" with HTML5 other than a modern browser

JamesHostick 4 months ago

Yeah np, flash is something I stopped using years ago because of the constant, very serious security holes that keep popping up. It sucks not being able to use certain sites that depend on it, but the vast majority of sites are shifting or have already shifted to using HTML5/JavaScript for content.

JamesHostick 4 months ago

Yeah, that's understandable. Just update and change your passwords; you'll likely be fine.
