Flash flaw could allow attackers to steal browser data on Macs, Adobe issues fix

Posted:
in macOS edited July 2014
A well-known vulnerability in Adobe's Flash player that could allow malicious users to steal browser data -- including cookies -- on Macs, PCs, and Linux machines has been exploited for the first time, prompting Adobe to issue a patch and urge users to upgrade their system as soon as possible.

Flash


Adobe says that Flash Player version 14.0.0.125 and earlier for Mac and Windows and version 11.2.202.378 and earlier for Linux suffer from the bug, which was exploited in a proof-of-concept by Google engineer Michele Spagnuolo. Mac and Windows users should update to version 14.0.0.145 while Linux users should update to version 11.2.202.394.

The flaw relies on specially-crafted SWF files that consist entirely of alphanumeric characters, which will be executed by Flash Player even though they are not valid Flash files. Those malicious files can take advantage of the special privileges granted to embedded objects on a web page, making cross-domain requests on behalf of a user and capturing returned data.

In addition to the end-user mitigation, website owners can patch the vulnerability -- assigned CVE identifier CVE-2014-4671 -- on their end with one of a number of fixes identified by Spagnuolo.

Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu.
«13

Comments

  • Reply 1 of 47
    SpamSandwichSpamSandwich Posts: 33,407member
    Or just use Click2Flash...
  • Reply 2 of 47
    thewhitefalconthewhitefalcon Posts: 4,453member

    Flash should be dead by now. It's garbage. Slow, unreliable, a resource hog, and a security disaster.

  • Reply 3 of 47
    saareksaarek Posts: 1,540member

    So, they knew about the issue but did not bother fixing it until the exploit had been used?

     

    How is there not a media storm over this?

  • Reply 4 of 47
    haarhaar Posts: 563member
    Steve Jobs was a Genius!... no flash for you iPads!!!!, iPods, iPhones....
  • Reply 5 of 47
    jkichlinejkichline Posts: 1,369member
    That's why I don't install Flash in Safari and just have to switch over to Chrome for websites stuck in the last century (ahem, CNN and Facebook)
  • Reply 6 of 47
    mpantonempantone Posts: 2,092member
    Quote:
    Originally Posted by SpamSandwich View Post



    Or just use Click2Flash...

    Click2Flash doesn't eliminate the vulnerability from your system, it just prevents Flash from auto-executing on the web browser that the plug-in is installed.

     

    Of course, if you did click on the plug-in to execute the Flash content, you are at the same vulnerability level as Joe Consumer who has installed Flash without using Click2Flash. The end user really doesn't know which Flash content is dangerous and which is safe. Click2Flash is not a good security measure, it's just a handy tool to block irritating content, speed page rendering, save battery life, and decrease network bandwidth.

     

    Apple is right in not installing Flash by default on currently shipping Macs.

     

    If you don't want to expose yourself to Flash vulnerabilities, A.) don't install Flash period, and B.) don't use Google Chrome.

  • Reply 7 of 47
    smiffy31smiffy31 Posts: 202member
    Does this mean that chrome needs to be updated or is the flash player in chrome sandboxed somehow so that these FLAWS do not work ?
  • Reply 8 of 47
    suddenly newtonsuddenly newton Posts: 13,819member
    Wait...Adobe waited until now to patch the known flaw? Where are the howls of forum outrage and vitriol that we saw when Apple delayed patching a vulnerability on Macs by a few days?

    Not a peep outta these people.
  • Reply 9 of 47
    lkrupplkrupp Posts: 10,557member
    Quote:

    Originally Posted by smiffy31 View Post



    Does this mean that chrome needs to be updated or is the flash player in chrome sandboxed somehow so that these FLAWS do not work ?

     

    Just stop using Chrome. Use Safari without Flash installed. Problem solved. Oh, but Chrome is SO mush better than Safari, or any stinky Apple product for that matter¡

  • Reply 10 of 47
    mpantonempantone Posts: 2,092member
    Quote:
    Originally Posted by smiffy31 View Post



    Does this mean that chrome needs to be updated or is the flash player in chrome sandboxed somehow so that these FLAWS do not work ?

    Chrome needs to be updated. The Flash Player in Chrome is not a panacea against Flash vulnerabilities and exploits.

     

    Again, if you are serious about protecting your system from malicious Flash activity, do not install Flash Player and do not use Google Chrome.

  • Reply 11 of 47
    macbook promacbook pro Posts: 1,605member
    Wait...Adobe waited until now to patch the known flaw? Where are the howls of forum outrage and vitriol that we saw when Apple delayed patching a vulnerability on Macs by a few days?

    Not a peep outta these people.


    Remember those same people spate vitriol at Apple for a lack of Adobe Flash on the iPhone for many years. Furthermore, those same people proclaim the openness of Android while also promoting proprietary Adobe Flash. Honestly, Android proponents seem completely illogical and irrational.
  • Reply 12 of 47
    gatorguygatorguy Posts: 24,339member
    mpantone wrote: »
    Chrome needs to be updated. The Flash Player in Chrome is not a panacea against Flash vulnerabilities and exploits.

    Again, if you are serious about protecting your system from malicious Flash activity, do not install Flash Player and do not use Google Chrome.
    http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
  • Reply 13 of 47
    stevenozstevenoz Posts: 315member

    As long as people persist in using Adobe Flash on their Macs, it takes the pressure off web-site programmers to convert to HTML5, a safe alternative.

     

    No-one should chance the dangers of using Adobe Flash. 

     

    Letters of protest should be written to sites still using it. The People generally win.

  • Reply 13 of 47

    I love how Apple is held to a far higher standard then everyone else. If this was an Apple security flaw, the press would be screaming and ranting.

  • Reply 15 of 47
    Flash should be dead by now. It's garbage. Slow, unreliable, a resource hog, and a security disaster.

    Indeed. When Apple was reluctant to form a partnership with them years ago they were criticized. Now, once again, they look like geniuses. HTML5 has been a much better resource, so thank you Adobee for your hubris and stupidity. The world has now moved on.
  • Reply 16 of 47
    Quote:
    Originally Posted by Suddenly Newton View Post

    Wait...Adobe waited until now to patch the known flaw? Where are the howls of forum outrage and vitriol that we saw when Apple delayed patching a vulnerability on Macs by a few days?



    Not a peep outta these people.

     

    Double Standars exist for a reason, you know.
  • Reply 17 of 47
    razorpitrazorpit Posts: 1,796member

    I'm confused.  According to Adobe I'm on the updated version, but I know I haven't updated in at least 1-2 weeks.  I hate defending Adobe, but  this patch was issued a while back.  What am I missing here?  How is this any different than saying a known exploit for iOS 7 SSL issue was found in the wild today?  It's been fixed, update and get it!

  • Reply 18 of 47
    stoutiestoutie Posts: 33member
    DO NOT INSTALL FLASH AT ALL. REMOVE IT! I installed the latest Flash and it secretly installed Bing on my system, replacing Google as my first choice. When I tried to uninstall it, I learned through much research that the Bing program was hidden in my system, not even called Bing. It took me hours and hours and days of work to finally get the damn thing off my computer. Flash and Bing are in cohoots to switch you from Google to Bing, and they installed this malware on my system and messed up my computer. Stat away from Flash...and Bing. They both suck. If you don't believe me, Google it. Very sneaky.
  • Reply 19 of 47
    lkrupp wrote: »
    Just stop using Chrome. Use Safari without Flash installed. Problem solved. Oh, but Chrome is SO mush better than Safari, or any stinky Apple product for that matter¡

    It is. Chrome is the official browser of AppleInsider and Huddler Lifestyle. Safari users were left to rot.
  • Reply 20 of 47
    mpantonempantone Posts: 2,092member

    What's your point? That page is a technical explanation for one known vulnerability. That page is useless to Joe Consumer surfing the Web.

     

    My stance is that it is better not to install Flash at all, not to prevent against a specific threat, but to limit exposure to a whole group of Flash-based threats, some of which are known and documented, others which are yet to be discovered.

Sign In or Register to comment.