Flash vulnerability lets hackers steal data from Macs and PCs

9 Jul 2014

Adobe has issued a critical Flash update for Windows PCs and Mac computers after the discovery of a security flaw that lets hackers prey on users of sites such as Twitter, Tumblr, eBay and Instagram.

The update, which brings Flash to version 14.0.0.145, was published after security blogger Michele Spagnuolo spotted the vulnerability.

Adobe has assigned the highest threat level rating to the flaw and advises users of Windows, Mac, Linux and Adobe AIR products to install the update.

The Rosetta Flash tool converts any SWF file to one composed only of alphanumeric characters, which can then be used to abuse endpoints and make victim machines perform server requests.

Essentially, this means potentially sensitive data can be exfiltrated from machines.

“This is a well-known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented,” Spagnuolo said.

“This led website owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years