Flash flaw could allow attackers to steal browser data on Macs, Adobe issues fix
A well-known vulnerability in Adobe's Flash player that could allow malicious users to steal browser data -- including cookies -- on Macs, PCs, and Linux machines has been exploited for the first time, prompting Adobe to issue a patch and urge users to upgrade their system as soon as possible.
Adobe says that Flash Player version 14.0.0.125 and earlier for Mac and Windows and version 11.2.202.378 and earlier for Linux suffer from the bug, which was exploited in a proof-of-concept by Google engineer Michele Spagnuolo. Mac and Windows users should update to version 14.0.0.145 while Linux users should update to version 11.2.202.394.
The flaw relies on specially-crafted SWF files that consist entirely of alphanumeric characters, which will be executed by Flash Player even though they are not valid Flash files. Those malicious files can take advantage of the special privileges granted to embedded objects on a web page, making cross-domain requests on behalf of a user and capturing returned data.
In addition to the end-user mitigation, website owners can patch the vulnerability -- assigned CVE identifier CVE-2014-4671 -- on their end with one of a number of fixes identified by Spagnuolo.
Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu.
Adobe says that Flash Player version 14.0.0.125 and earlier for Mac and Windows and version 11.2.202.378 and earlier for Linux suffer from the bug, which was exploited in a proof-of-concept by Google engineer Michele Spagnuolo. Mac and Windows users should update to version 14.0.0.145 while Linux users should update to version 11.2.202.394.
The flaw relies on specially-crafted SWF files that consist entirely of alphanumeric characters, which will be executed by Flash Player even though they are not valid Flash files. Those malicious files can take advantage of the special privileges granted to embedded objects on a web page, making cross-domain requests on behalf of a user and capturing returned data.
In addition to the end-user mitigation, website owners can patch the vulnerability -- assigned CVE identifier CVE-2014-4671 -- on their end with one of a number of fixes identified by Spagnuolo.
Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu.
Comments
Flash should be dead by now. It's garbage. Slow, unreliable, a resource hog, and a security disaster.
So, they knew about the issue but did not bother fixing it until the exploit had been used?
How is there not a media storm over this?
Or just use Click2Flash...
Click2Flash doesn't eliminate the vulnerability from your system, it just prevents Flash from auto-executing on the web browser that the plug-in is installed.
Of course, if you did click on the plug-in to execute the Flash content, you are at the same vulnerability level as Joe Consumer who has installed Flash without using Click2Flash. The end user really doesn't know which Flash content is dangerous and which is safe. Click2Flash is not a good security measure, it's just a handy tool to block irritating content, speed page rendering, save battery life, and decrease network bandwidth.
Apple is right in not installing Flash by default on currently shipping Macs.
If you don't want to expose yourself to Flash vulnerabilities, A.) don't install Flash period, and B.) don't use Google Chrome.
Not a peep outta these people.
Does this mean that chrome needs to be updated or is the flash player in chrome sandboxed somehow so that these FLAWS do not work ?
Just stop using Chrome. Use Safari without Flash installed. Problem solved. Oh, but Chrome is SO mush better than Safari, or any stinky Apple product for that matter¡
Does this mean that chrome needs to be updated or is the flash player in chrome sandboxed somehow so that these FLAWS do not work ?
Chrome needs to be updated. The Flash Player in Chrome is not a panacea against Flash vulnerabilities and exploits.
Again, if you are serious about protecting your system from malicious Flash activity, do not install Flash Player and do not use Google Chrome.
Remember those same people spate vitriol at Apple for a lack of Adobe Flash on the iPhone for many years. Furthermore, those same people proclaim the openness of Android while also promoting proprietary Adobe Flash. Honestly, Android proponents seem completely illogical and irrational.
As long as people persist in using Adobe Flash on their Macs, it takes the pressure off web-site programmers to convert to HTML5, a safe alternative.
No-one should chance the dangers of using Adobe Flash.
Letters of protest should be written to sites still using it. The People generally win.
I love how Apple is held to a far higher standard then everyone else. If this was an Apple security flaw, the press would be screaming and ranting.
Indeed. When Apple was reluctant to form a partnership with them years ago they were criticized. Now, once again, they look like geniuses. HTML5 has been a much better resource, so thank you Adobee for your hubris and stupidity. The world has now moved on.
Wait...Adobe waited until now to patch the known flaw? Where are the howls of forum outrage and vitriol that we saw when Apple delayed patching a vulnerability on Macs by a few days?
Not a peep outta these people.
Double Standars exist for a reason, you know.I'm confused. According to Adobe I'm on the updated version, but I know I haven't updated in at least 1-2 weeks. I hate defending Adobe, but this patch was issued a while back. What am I missing here? How is this any different than saying a known exploit for iOS 7 SSL issue was found in the wild today? It's been fixed, update and get it!
It is. Chrome is the official browser of AppleInsider and Huddler Lifestyle. Safari users were left to rot.
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
What's your point? That page is a technical explanation for one known vulnerability. That page is useless to Joe Consumer surfing the Web.
My stance is that it is better not to install Flash at all, not to prevent against a specific threat, but to limit exposure to a whole group of Flash-based threats, some of which are known and documented, others which are yet to be discovered.