Summary:
- This vulnerability affects: Adobe Flash Player 14.0.0.125 and earlier, running on all platforms (Adobe AIR is also affected)
- How an attacker exploits it: By enticing you to view specially crafted Flash content (usually delivered as a .SWF file embedded in a web page)
- Impact: Varies by flaw. In the most notable case an attacker can abuse the flaw to read data from other web domains you are logged into (cross-domain data theft).
- What to do: Download and install the latest version of Adobe Flash Player (version 14.0.0.145 for computers)
Exposure:
Adobe Flash Player renders interactive, animated web content (Flash). Although Flash is optional, the vast majority of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems such as Android.
In a security bulletin released this week, Adobe announced a patch that fixes three vulnerabilities in Adobe Flash Player 14.0.0.125 and earlier, running on all platforms.
Adobe characterizes two of the vulnerabilities as "security bypass" flaws and states that attackers could exploit at least one of them to take control of the affected system. However, it's the third vulnerability that is the most interesting and is getting the media attention.
Security researcher Michele Spagnuolo published a blog post describing a multi-layered attack he calls Rosetta Flash, which combines the Flash Player vulnerability with a common weakness in JSONP-based web applications. In brief: a JSONP endpoint echoes the attacker-supplied callback parameter at the very start of its response, and Spagnuolo showed how to compress a malicious SWF so that its bytes consist only of alphanumeric characters, which lets the whole SWF be passed as that callback. Flash Player then executes the response as a SWF served by the victim domain, so the attacker's code runs with same-origin access to that domain, including the victim's authenticated data. If you're interested in the intricate technical details, read Spagnuolo's blog post or presentation. The scope of the vulnerability is easier to understand: if an attacker can trick your users into viewing specially crafted Flash content, he can potentially steal those users' information from third-party domains that expose vulnerable JSONP endpoints. When first disclosed, this included domains such as eBay, Tumblr, and some Google services. These companies have since modified their web applications to close the hole (for example, by prepending the response with /**/ so it can never begin with a SWF header).
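Added example (not from the original alert, and not code from Adobe or Spagnuolo): a JSONP endpoint written in Node-style JavaScript, shown before and after the server-side hardening described above. The function names, the sample data, and the shortened stand-in for a Rosetta Flash callback are constructed for illustration; a real payload is a complete alphanumeric SWF thousands of characters long.

```javascript
// Every SWF file starts with one of three signatures:
// "FWS" (uncompressed), "CWS" (zlib-compressed), "ZWS" (LZMA-compressed).
const SWF_SIGNATURES = ["FWS", "CWS", "ZWS"];

// Does this HTTP body look like a SWF to a plugin that ignores Content-Type?
function looksLikeSwf(body) {
  return SWF_SIGNATURES.some((sig) => body.startsWith(sig));
}

// BEFORE: the classic vulnerable JSONP handler. It echoes the callback name
// verbatim at byte 0 of the response. A Rosetta Flash attacker passes an
// alphanumeric SWF as the callback, and the victim domain now serves a SWF.
function jsonpVulnerable(callback, data) {
  return {
    headers: { "Content-Type": "application/javascript" },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// AFTER: three independent fixes.
//  1. Whitelist the callback: identifier characters only, bounded length.
//     This alone does NOT stop Rosetta Flash, because "CWS..." followed by
//     alphanumerics is a perfectly valid JavaScript identifier.
//  2. Prepend "/**/" (an empty JS comment) so the response can never begin
//     with a SWF signature, whatever the callback contains.
//  3. Send X-Content-Type-Options: nosniff so the client does not guess the
//     content type.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/;

function jsonpHardened(callback, data) {
  if (!CALLBACK_RE.test(callback)) {
    throw new Error("rejected JSONP callback: " + JSON.stringify(callback));
  }
  return {
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/${callback}(${JSON.stringify(data)});`,
  };
}

// Constructed stand-in for a Rosetta Flash callback (hypothetical value).
// Only the leading "CWS" signature matters for this demonstration.
const CONSTRUCTED_ROSETTA_CALLBACK = "CWSMIKIconstructedAlnumSwfBody0123456789";

// Constructed sample of the kind of authenticated data a JSONP API returns.
const SAMPLE_DATA = { user: "alice", email: "alice@example.invalid" };

// Usage: the vulnerable handler hands the attacker a SWF on the victim's
// origin; the hardened one serves the same data but can never be a SWF.
const before = jsonpVulnerable(CONSTRUCTED_ROSETTA_CALLBACK, SAMPLE_DATA);
const after = jsonpHardened(CONSTRUCTED_ROSETTA_CALLBACK, SAMPLE_DATA);
console.log("vulnerable body is a SWF:", looksLikeSwf(before.body));
console.log("hardened body is a SWF:  ", looksLikeSwf(after.body));
```

The callback whitelist is still worth keeping: it blocks the older JSONP abuse of injecting arbitrary script into the response, while the /**/ prefix is what actually defeats a callback that happens to be a well-formed SWF.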
In any case, Adobe rates these issues as Priority 1 for Windows and Mac and recommends you apply the updates as soon as possible (within 72 hours). The vulnerabilities affect other platforms as well, so I recommend you update every Flash-capable device as soon as you can.
Solution Path
Adobe has released new versions of Flash Player (14.0.0.145 for computers) to fix these issues. If you allow Adobe Flash on your network, you should download and install the new version immediately. If you've enabled Flash Player's background ("silent") update option, you will receive this update automatically.
- Download Flash Player for your computer:
For All WatchGuard Users:
If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash (and Shockwave) content. Keep in mind that doing so blocks all Flash content, legitimate or malicious.
Finally, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Adobe’s Flash update to completely protect yourself from all of these flaws.
Status:
Adobe has released updates to fix these Flash vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)