Adobe has today released an updated version of its Flash plugin to address "critical" issues, and believe us when we say that no time should be wasted in installing it. At its core, the bug can lead to remote code execution, which is to say that somebody could potentially run malicious code on your PC, or ultimately take control of it.
This vulnerability was discovered by Google security researcher Michele Spagnuolo, who built a tool called Rosetta Flash to demonstrate it. The tool converts a standard SWF Flash file into one made up entirely of alphanumeric characters, text that the Flash plugin will still interpret as a valid SWF.
The important bits, as told by Michele:
1. With Flash, a SWF file can perform cookie-carrying GET and POST requests to the domain that hosts it, with no crossdomain.xml check. This is why allowing users to upload a SWF file on a sensitive domain is dangerous: by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled, domain.
2. JSONP, by design, allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL. Since most JSONP callbacks restrict the allowed charset to [a-zA-Z], _ and ., my tool focuses on this very restrictive charset, but it is general enough to work with different user-specified allowed charsets.
3. SWF files can be embedded on an attacker-controlled domain using a Content-Type forcing <object> tag, and will be executed as Flash as long as the content looks like a valid Flash file.
The last point is the most important. Because Flash will treat a file made up entirely of alphanumeric characters as a real SWF, anyone who can choose the first bytes of a site's JSONP response can have that site serve what amounts to a Flash file, with the consequences described in the first point. In a way, it's a surprise that this security vulnerability wasn't discovered long ago.
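The server-side fix for the second point follows directly from it: never let the callback parameter decide how the response body begins. The following is an added example, not code from the article or from Rosetta Flash; the function names, the fixed `/**/` prefix and the header choices are this example's own.

```python
import json
import re

# Conservative callback grammar: dotted identifiers only (e.g. "cb", "app.onData").
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")
MAX_CALLBACK_LEN = 64

# Bytes the server always emits first. Because no request parameter can
# choose offset 0 of the body, the response can never begin with a file
# signature that a plugin would accept, whatever the callback contains.
FIXED_PREFIX = "/**/"


class BadCallback(ValueError):
    """Raised when the callback parameter fails the whitelist check."""


def jsonp_response(callback: str, data) -> tuple[dict, str]:
    """Build (headers, body) for a JSONP reply whose first bytes are fixed
    and whose callback name is restricted to a strict identifier grammar."""
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(callback):
        raise BadCallback(f"rejected callback name: {callback!r}")
    body = f"{FIXED_PREFIX}{callback}({json.dumps(data)});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Stop the browser from guessing a different type for this body.
        "X-Content-Type-Options": "nosniff",
        # Mark the response as a download when fetched directly; <script>
        # loads ignore this header, so legitimate JSONP callers still work.
        "Content-Disposition": "attachment; filename=response.js",
    }
    return headers, body


def attacker_controls_first_bytes(body: str, callback: str) -> bool:
    """Audit helper for existing endpoints: True when the body starts with
    the caller-supplied callback, i.e. the requester chose offset 0."""
    return body.startswith(callback)


if __name__ == "__main__":
    # Constructed sample request: a legitimate caller asking for app.onData.
    hdrs, body = jsonp_response("app.onData", {"user": "alice", "balance": 12.5})
    print(hdrs)
    print(body)
    # A legacy endpoint that reflects the callback verbatim fails the audit.
    print(attacker_controls_first_bytes('cb({"ok": true});', "cb"))
```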
The latest version of the Flash plugin for Windows and Mac is 220.127.116.11, and despite not having received feature updates in some time, the Linux version has also been updated, to 18.104.22.1684. It is also noted that the Flash build included with Google Chrome will be updated automatically.