"Rosetta Flash" flaw makes Adobe Flash vulnerable to attacks
Adobe has released a new version of Flash Player. It blocks an attack used to steal logins to sites and Web services.
Adobe published a security bulletin for Flash Player. In other words, it is necessary to update Flash Player to fix critical vulnerabilities. Three problems were identified.
For Internet Explorer 10 and 11 on Windows 8 and 8.1, the updated Flash Player is included in Microsoft's Patch Tuesday. For Windows and OS X, Flash Player for Google Chrome is updated automatically (note that this does not require an update of the browser itself).
In other cases, you can check the installed version of Flash Player by visiting this page and then proceed to the appropriate update. The latest version of Flash Player is 184.108.40.206 for Windows and OS X and 220.127.116.114 for Linux.
Two of the vulnerabilities addressed in Flash Player allow security protections to be circumvented. For the third, Adobe has provided additional validation checks to ensure that Flash Player rejects malicious content.
Michele Spagnuolo, an information security engineer at Google, revealed the third vulnerability and provides a tool called Rosetta Flash. It can convert Flash files with the .SWF extension into a valid SWF file consisting only of alphanumeric characters, allowing an individual to carry out web attacks (via sites that accept bets online with SWF files).
According to Michele Spagnuolo, several popular sites were vulnerable, including Google websites, YouTube, Twitter, Instagram, eBay and Tumblr. All were warned before the researcher's publication, and the flaw was first communicated confidentially to Adobe.
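As an added illustration of the alphanumeric-only SWF property described above (this code is not from Adobe or from the Rosetta Flash tool), the Python check below flags content that begins with a SWF signature yet consists solely of alphanumeric bytes, a property a SWF produced by a normal compiler is not expected to have. The function names and the sample byte strings are constructed for this example.

```python
import string
from typing import Optional

# SWF files start with one of three signatures:
# FWS (uncompressed), CWS (zlib-compressed), ZWS (LZMA-compressed).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
ALNUM = frozenset((string.ascii_letters + string.digits).encode())

# Constructed samples (not real Flash files): an alphanumeric-only
# SWF-like header, and a header with ordinary binary field values.
CONSTRUCTED_ALNUM = b"CWSABCDEhCabc123"
CONSTRUCTED_NORMAL = (b"CWS" + bytes([10]) + (64).to_bytes(4, "little")
                      + b"\x78\x9c\x00\x01")


def inspect_swf(body: bytes) -> Optional[dict]:
    """Return header facts if body starts like a SWF file, else None."""
    if len(body) < 8 or body[:3] not in SWF_SIGNATURES:
        return None
    info = {
        "signature": body[:3].decode(),
        "version": body[3],
        # The declared file length is a little-endian 32-bit integer.
        "declared_length": int.from_bytes(body[4:8], "little"),
        "alnum_only": all(b in ALNUM for b in body),
        "zlib_header_ok": None,
    }
    if body[:3] == b"CWS" and len(body) >= 10:
        cmf, flg = body[8], body[9]
        # A zlib stream needs CM == 8 and (CMF*256 + FLG) divisible by 31.
        info["zlib_header_ok"] = (cmf & 0x0F) == 8 and (cmf * 256 + flg) % 31 == 0
    return info


def is_suspicious(body: bytes) -> bool:
    """True when content is SWF-shaped and made only of [A-Za-z0-9]."""
    info = inspect_swf(body)
    return bool(info and info["alnum_only"])


if __name__ == "__main__":
    for name, sample in (("alnum", CONSTRUCTED_ALNUM),
                         ("normal", CONSTRUCTED_NORMAL),
                         ("text", b"hello world, not flash")):
        print(name, is_suspicious(sample), inspect_swf(sample))
```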