Adobe Systems has released Adobe Flash Player version 220.127.116.11 for Mac and Windows. The update fixes a security vulnerability (CVE-2014-4671) that could be used to abuse JSONP endpoints, making a victim perform arbitrary requests to vulnerable domains and exposing sensitive data.
Security researcher Michele Spagnuolo disclosed the vulnerability, first notifying affected companies before releasing the code and publishing further details. On his blog, Michele explained that JSONP endpoints could be abused by using Rosetta Flash, "a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data."
For those interested in learning more about Rosetta Flash, Michele published a set of comprehensive slides (PDF). In the slides, he outlines the Rosetta Flash attack scenario.
1. The attacker controls the first bytes of the output of a JSONP API endpoint by specifying the callback parameter in the request.
2. SWF files can be embedded using an <object> tag and will be executed as Flash as long as the content looks like a valid Flash file.
<object type="application/x-shockwave-flash" data="https://accounts.google.com/RatePassword?callback=CWSxx..."></object>
3. Flash can perform GET and POST requests to the hosting domain with the victim's cookies and exfiltrate data.
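A server-side view of step 1, as an added example that is not from the original article, Adobe, or Michele Spagnuolo's tool: it shows that an alphanumeric callback allow-list alone still lets the response begin with an SWF signature, and that prefixing the body moves the callback off offset 0. The function names, the 64-character cap, the constructed sample callback, and the `/**/` prefix and response headers (common JSONP hardening measures, not described in the article) are assumptions for illustration.

```python
import json
import re

# Assumption: callbacks are dotted JavaScript identifiers, capped at 64 characters.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*")
MAX_CALLBACK_LEN = 64
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF signatures


def starts_like_swf(body: bytes) -> bool:
    """True when the first three bytes of a response match an SWF signature."""
    return body[:3] in SWF_MAGIC


def naive_jsonp(callback: str, data) -> bytes:
    """The pattern from step 1: the callback is echoed as the first bytes."""
    return f"{callback}({json.dumps(data)})".encode()


def hardened_jsonp(callback: str, data):
    """Return (status, headers, body) with the callback no longer at offset 0."""
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.fullmatch(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, b"invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="f.txt"',
    }
    # An empty comment is valid JavaScript but is not a valid SWF signature.
    body = b"/**/" + naive_jsonp(callback, data)
    return 200, headers, body


# Constructed sample: an alphanumeric callback that begins with an SWF signature.
SAMPLE_CALLBACK = "CWS" + "A" * 40
SAMPLE_DATA = {"strength": 3}

if __name__ == "__main__":
    # The allow-listed callback still makes the naive response start like an SWF.
    print(starts_like_swf(naive_jsonp(SAMPLE_CALLBACK, SAMPLE_DATA)))
    status, headers, body = hardened_jsonp(SAMPLE_CALLBACK, SAMPLE_DATA)
    print(status, starts_like_swf(body), body[:12])
```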
According to Adobe's security bulletin (APSB14-17), Adobe Flash Player 18.104.22.168 addresses the following critical vulnerabilities:
- These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).
- These updates resolve security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539).
Users of Adobe Flash Player 22.214.171.124 and earlier versions for Mac and Windows should update to Adobe Flash Player 126.96.36.199 as soon as possible. Users of Adobe Flash Player 188.8.131.528 and earlier versions for Linux should update to Adobe Flash Player 184.108.40.2064. Adobe Flash Player 220.127.116.11 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 18.104.22.168 for Windows, Mac and Linux. Users of Adobe AIR 22.214.171.124 and earlier versions should update to Adobe AIR 126.96.36.199.