By Gregg Keizer, Computerworld | July 8th, 2014
Google engineer releases hacking tool, Adobe issues fix; IE10, IE11 and Chrome auto-update for users
Users of Google’s Chrome and Microsoft’s Internet Explorer 10 (IE10) and IE11 can rest easy today knowing that their browsers will automatically update to the latest version of Adobe Flash, which will block a credential-stealing attack disclosed earlier in the day.
Those who rely on Apple’s Safari, pre-IE10 editions of IE, Mozilla’s Firefox and Opera Software’s Opera, however, should hustle to the Adobe website to download and install the latest version of Flash, security experts advised.
“Unless you are running IE10, IE11 or Google Chrome you should look [at] this month’s Adobe Flash fix as your second-highest priority,” said Wolfgang Kandek, CTO of Qualys, in an email. “Google Chrome, IE10 and IE11 embed Adobe Flash and update it automatically, so in that case you and your users do not have to do that. Everybody else, Internet Explorer 9 and lower, Firefox and [Safari] users should update their Flash installation manually.” His top priority for the day was a massive 24-patch Microsoft update for IE.
As Kandek noted, Microsoft and Google bake Flash into their browsers and so take on the responsibility of updating their software whenever Adobe issues security patches, as it did today.
The Flash update contained three fixes, but one was far more important to apply than the others, as an exploit-crafting tool was released earlier today by Michele Spagnuolo, a Google security engineer who works in the company’s Zurich office.
“I provide ready-to-be-pasted, universal, weaponized full-featured proofs of concept with ActionScript sources,” said Spagnuolo.
Labeled with the Common Vulnerabilities and Exposures identifier of CVE-2014-4671, the issue was characterized by Spagnuolo as a cross-site request forgery (CSRF) bug that, if exploited, would make it possible for attackers to steal users’ log-on credentials to some of the biggest sites and services on the Web, including eBay, Instagram and Tumblr.
Spagnuolo’s exploit tool, which he called “Rosetta Flash,” crafts malicious .swf files. The extension’s name comes from ShockWave Flash, a precursor to Flash, which supports the file format. Attackers who dupe people into visiting a website hosting a Rosetta Flash-made malignant file could then pilfer authentication cookies stored in the browser by vulnerable sites and Web-based services.
Not surprisingly, Spagnuolo alerted his own company, Google, of the vulnerability first: Google fixed several of its biggest services, including Maps, Accounts — the overarching log-in for all Google properties — and YouTube before Spagnuolo revealed his exploit-making tool.
“Because of the sensitivity of this vulnerability, I first disclosed it internally in Google, and then privately to Adobe PSIRT,” Spagnuolo admitted, referring to Adobe’s Product Incident Response Team. “A few days before releasing the code and publishing this blog post, I also notified Twitter, eBay, Tumblr and Instagram (emphasis added).”
Twitter has since addressed the issue, Spagnuolo said in an update to his blog post.
Adobe’s update strengthened Flash Player’s handling of the kind of malformed .swf files that Rosetta Flash creates. “These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671),” Adobe said in its security bulletin today.
Spagnuolo also provided steps that website owners can take to block or hinder exploits.
Users running browsers that do not automatically update to the latest version of Flash should download and install the appropriate extension version from Adobe’s website. Microsoft updated IE10 and IE11 — browsers that run on Windows 7, Windows 8 and Windows 8.1 — and Google pushed the new Flash to Chrome for Windows and OS X via it’s “component update system,” a secondary service that delivers very small updates to only parts of Chrome.
“This issue is definitely in the wild with public exploit code,” warned Ross Barrett, senior manager of security engineering at Rapid7, in an email. “Flash users should patch immediately.”
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His email address is firstname.lastname@example.org.