Critical hole patched in Adobe Flash Player

Google engineer Michele Spagnuolo discovered a dangerous security flaw in Adobe's Flash plug-in that could allow hackers to steal your browser cookies and other other data. The security issue has been known for quite some time but was considered low priority because no known exploit existed. Spagnuolo explains the exploit isn't the result of weaknesses in JSONP or a specific vulnerability in Flash, the result is achieved by combining two otherwise harmless features in way that creates a security issue. You can learn more about the exploit at ARS Technica.

The attack relies on behavior that has existed for years that allows the binary contents of a common shockwave file—a throwback term for Flash files that's better known simply as SWF—to be converted into an equivalent file based solely on alphanumeric characters. The conversion typically happens to compress a SWF file so it works with websites that use a technique known as JSONP—or JSON with padding—to set browser cookies and perform other tasks.

A new proof-of-concept tool dubbed Rosetta Flash uses a creative combination of encoding algorithms to construct character-only representations of SWF files that contain malicious commands. Among other things, malicious SWF files spawned by the tool can use the visitor's Flash application to send Web requests that can access authentication cookies and other files set by other websites that use JSONP. This exfiltration works as a result of Flash being able to bypass the Same Origin Policy, which is in place to stop these kinds of cross domain requests. As a result, a malicious website hosting a booby-trapped SWF file could use authentication cookies that were previously set by eBay and other vulnerable sites to make authenticated data requests on behalf of the person visiting the attack site.

Fortunately, Adobe already made a patch available that mitigates the attack. Large websites are also working on ways to prevent the attack to protect users who haven't updated their version of Flash yet, vulnerable places includes sites like eBay, Tumblr, and Instagram.