
Flash flaw could allow attackers to steal browser data on Macs, Adobe issues fix


A well-known vulnerability in Adobe's Flash player that could allow malicious users to steal browser data — including cookies — on Macs, PCs, and Linux machines has been exploited for the first time, prompting Adobe to issue a patch and urge users to upgrade their system as soon as possible.

Adobe says that Flash Player version 14.0.0.125 and earlier for Mac and Windows and version 11.2.202.378 and earlier for Linux suffer from the bug, which was exploited in a proof-of-concept by Google engineer Michele Spagnuolo. Mac and Windows users should update to version 14.0.0.145 while Linux users should update to version 11.2.202.394.

The flaw relies on specially crafted SWF files that consist entirely of alphanumeric characters, which Flash Player will execute even though they are not valid Flash files. Those malicious files can take advantage of the special privileges granted to embedded objects on a web page, making cross-domain requests on behalf of a user and capturing the returned data.

In addition to the end-user mitigation, website owners can patch the vulnerability — assigned CVE identifier CVE-2014-4671 — on their end with one of a number of fixes identified by Spagnuolo.

Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu.
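For administrators checking many machines rather than one browser, the version thresholds above can be applied to an inventory list. The following Python sketch is an added example, not code from Adobe or from the article; the `host platform version` line format, the host names and the rule of flagging anything below the patched version are assumptions made for illustration.

```python
# Added example. Patched versions are the ones quoted in the article;
# the inventory format and host names are constructed sample data.
PATCHED = {
    "mac": (14, 0, 0, 145),
    "windows": (14, 0, 0, 145),
    "linux": (11, 2, 202, 394),
}


def parse_version(text):
    """Turn '14.0.0.125' into (14, 0, 0, 125); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def audit(inventory_lines):
    """Return (host, status) pairs; status is 'ok', 'update' or 'unknown'."""
    results = []
    for line in inventory_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        host, platform, version = fields
        fixed = PATCHED.get(platform.lower())
        try:
            installed = parse_version(version)
        except ValueError:
            installed = None
        if fixed is None or installed is None:
            status = "unknown"  # unlisted platform or unreadable version
        elif installed < fixed:  # tuple compare: field by field, numerically
            status = "update"
        else:
            status = "ok"
        results.append((host, status))
    return results


SAMPLE_INVENTORY = [  # constructed sample input
    "web-01 mac 14.0.0.125",
    "web-02 windows 14.0.0.145",
    "build-01 linux 11.2.202.378",
    "build-02 linux 11.2.202.394",
    "kiosk-01 windows 14.0.0",
    "lab-01 solaris 11.2.202.394",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Comparing versions as integer tuples rather than strings matters here: a string comparison would rank `14.0.0.99` above `14.0.0.145`.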



47 Comments

thewhitefalcon 10 Years · 4444 comments

Flash should be dead by now. It's garbage. Slow, unreliable, a resource hog, and a security disaster.

saarek 16 Years · 1586 comments

So, they knew about the issue but did not bother fixing it until the exploit had been used?

How is there not a media storm over this?

haar 13 Years · 563 comments

Steve Jobs was a Genius!... no flash for you iPads!!!!, iPods, iPhones....

jkichline 14 Years · 1369 comments

That's why I don't install Flash in Safari and just have to switch over to Chrome for websites stuck in the last century (ahem, CNN and Facebook)