{"id":29782,"date":"2014-07-08T12:32:36","date_gmt":"2014-07-08T19:32:36","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=29782"},"modified":"2014-07-08T12:32:36","modified_gmt":"2014-07-08T19:32:36","slug":"adobe-flash-player-update-combats-rosetta-flash-attack","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/adobe-flash-player-update-combats-rosetta-flash-attack\/","title":{"rendered":"Adobe Flash Player Update Combats Rosetta Flash Attack"},"content":{"rendered":"
\"Abusing

Image credit: Michele Spagnuolo<\/p><\/div>\n

Adobe Systems has released Adobe Flash Player version 14.0.0.145 for Mac and Windows. Adobe pushed a fix in the Flash Player update that removes a security vulnerability (CVE-2014-4671), which could be used to abuse JSONP endpoints by making a victim perform arbitrary requests to vulnerable domains and expose sensitive data.<\/p>\n

Security researcher Michele Spagnuolo disclosed the vulnerability by first notifying affected companies before releasing the code and publishing further details about it.\u00a0On his blog<\/a>, Michele explained that\u00a0abusing JSONP endpoints could be done by using Rosetta Flash, “a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data.”<\/p>\n

For those interested in learning more about Rosetta Flash, Michele published a set of comprehensive slides (PDF)<\/a>. In the slides, he outlines the Rosetta Flash attack scenario.<\/p>\n

1. The attacker controls the first bytes of the output of a JSONP API endpoint by specifying the callback parameter in the request.<\/p>\n

2. SWF files can be embedded using an <object> tag and will be executed as Flash as long as the content looks like a valid Flash file.<\/p>\n

<object type=”application\/x-shockwave-flash” data=”https:\/\/accounts.google.com\/RatePassword?<\/strong>callback=CWSxx…<\/span><\/strong>“><\/object><\/p>\n

3. Flash can perform GET and POST requests to the hosting domain with the victim’s cookies and exfiltrate data.<\/p><\/blockquote>\n

The security researcher is scheduled to present the vulnerability at Hack In The Box: Malaysia<\/a> in October, and the Rosetta Flash technology will be featured in the next\u00a0PoC||GTFO<\/a>\u00a0release.<\/p>\n

According to Adobe’s security bulletin (APSB14-17<\/a>), Adobe Flash Player 14.0.0.145 addresses the following critical vulnerabilities:<\/p>\n