Results 1 to 1 of 1
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
-
07-08-2014, 09:32 PM #1
Breaking: Chrome And IE Browser Exploit Steals Login Credentials, Update Flash ASAP
Breaking: Chrome And IE Browser Exploit Steals Login Credentials, Update Flash ASAP
Tuesday, July 08, 2014 - by Rob Williams
Adobe has today released an updated version of its Flashplugin to address "critical" issues, and believe us when we say that no time should be wasted in making sure you get that up-to-date version. At the core, this bug could result in remote code execution being possible, which is to say that somebody could potentially run malicious code on your PC, or ultimately take control of it.
This vulnerability was discovered by Google security researcher Michele Spagnuolo and a tool called Rosetta Flash. This tool has the ability to translate a standard SWF Flash file into standard alphanumeric characters, text that the Flash plugin would still be able to interpret.
The important bits, as told by Michele:1. With Flash, a SWF file can perform cookie-carrying GET and POST requests to the domain that hosts it, with no crossdomain.
xmlcheck. This is why allowing users to upload a SWF file on a sensitive domain is dangerous: by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled, domain.2. JSONP, by design, allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL. Since most JSONP callbacks restrict the allowed charset to [a-zA-Z], _ and ., my tool focuses on this very restrictive charset, but it is general enough to work with different user-specified allowed charsets.3. SWF files can be embedded on an attacker-controlled domain using a Content-Type forcing <object> tag, and will be executed as Flash as long as the content looks like a valid Flash file.
The last point is the most important. Because Flash could interpret standard alphanumeric code as a real file, serious issues could be caused. In a way, it's a surprise that this security vulnerability wasn't discovered long ago.
The latest version of the Flash plugin for Windows and Mac is 14.0.0.145, and despite not having feature updates in some time, the Linux version has also been updated, to 11.2.202.394. It's being noted that Flash built into Google Chrome will be updated automatically.
Read more: http://hothardware.com/News/Breaking...#ixzz36vkSBG3WNO AMNESTY
Don't reward the criminal actions of millions of illegal aliens by giving them citizenship.
Sign in and post comments here.
Please support our fight against illegal immigration by joining ALIPAC's email alerts here https://eepurl.com/cktGTn
Similar Threads
-
Spend to Win! ALIPAC's Flash Fundraiser Update!
By ALIPAC in forum illegal immigration AnnouncementsReplies: 0Last Post: 06-17-2007, 09:50 PM -
Need a quick update ASAP
By the_patriot in forum General DiscussionReplies: 2Last Post: 05-20-2007, 03:04 PM
"YOU WILL FOOT THE BILL FOR ILLEGAL IMMIGRANTS!" GOVERNOR HOCHUL...
04-23-2024, 05:46 AM in Videos about Illegal Immigration, refugee programs, globalism, & socialism