Users of Google's Chrome and Microsoft's Internet Explorer 10 (IE10) and IE11 can rest easy today knowing that their browsers will automatically update to the latest version of Adobe Flash, which will block a credential-stealing attack disclosed earlier in the day.
Those who rely on Apple's Safari, pre-IE10 editions of IE, Mozilla's Firefox and Opera Software's Opera, however, should hustle to the Adobe website to download and install the latest version of Flash, security experts advised.
"Unless you are running IE10, IE11 or Google Chrome you should look [at] this month's Adobe Flash fix as your second-highest priority," said Wolfgang Kandek, CTO of Qualys, in an email. "Google Chrome, IE10 and IE11 embed Adobe Flash and update it automatically, so in that case you and your users do not have to do that. Everybody else, Internet Explorer 9 and lower, Firefox and [Safari] users should update their Flash installation manually." His top priority for the day was a massive 24-patch Microsoft update for IE.
As Kandek noted, Microsoft and Google bake Flash into their browsers and so take on the responsibility of updating their software whenever Adobe issues security patches, as it did today.
The Flash update contained three fixes, but one was far more important to apply than the others, as an exploit-crafting tool was released earlier today by Michele Spagnuolo, a Google security engineer who works in the company's Zurich office.
"I provide ready-to-be-pasted, universal, weaponized full-featured proofs of concept with ActionScript sources," said Spagnuolo.
Tracked as CVE-2014-4671 in the Common Vulnerabilities and Exposures list, the issue was characterized by Spagnuolo as a cross-site request forgery (CSRF) bug that, if exploited, would make it possible for attackers to steal users' log-on credentials to some of the biggest sites and services on the Web, including eBay, Instagram and Tumblr. The attack abuses JSONP endpoints that echo an attacker-chosen callback name at the start of their response: because the crafted Flash file consists only of alphanumeric characters, it survives being reflected as that callback and is then served from the vulnerable site's own origin, where the Flash runtime lets it make requests carrying the victim's cookies.
Spagnuolo's exploit tool, which he called "Rosetta Flash," crafts such malicious .swf (Shockwave Flash) files. Attackers who dupe people into visiting a website that embeds a Rosetta Flash-made file served through a vulnerable site's JSONP endpoint could then use the authentication cookies the browser holds for that site to act on the victim's behalf and exfiltrate the responses.
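To make the reflection problem concrete, here is an added example (not code from the article, from Spagnuolo's tool, or from any of the affected sites) of a JSONP responder in the vulnerable shape beside a hardened one. All function names are hypothetical, and the attacker callback below is constructed for illustration: only its shape matters, namely that it begins with the "CWS" header of a compressed SWF and otherwise contains nothing but identifier characters, so a callback whitelist alone does not reject it; the fixed prefix on the response body is what prevents the response from ever parsing as a Flash file.

```javascript
// Added example: JSONP endpoint vulnerable to a reflected alphanumeric SWF,
// beside a hardened version. Hypothetical names; not the article's code.

// Magic bytes a SWF file must begin with (uncompressed, zlib, LZMA).
const SWF_MAGIC = ['FWS', 'CWS', 'ZWS'];

// Vulnerable shape: the callback is reflected verbatim at offset 0 of the
// body, so whatever the attacker chose becomes the first bytes of the file.
function jsonpVulnerable(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened shape:
//  1. restrict the callback to a bounded identifier (defence in depth only;
//     a Rosetta-style payload is itself an identifier and passes this check),
//  2. start the body with a fixed comment so it can never begin with a SWF
//     header, whatever the callback contains,
//  3. declare the content type and forbid sniffing it into something else.
function jsonpHardened(callback, data) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/.test(callback)) {
    throw new Error('invalid JSONP callback');
  }
  return {
    body: `/**/ typeof ${callback} === 'function' && ${callback}(${JSON.stringify(data)});`,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
  };
}

// Does this response body start like a Flash file?
function looksLikeSwf(body) {
  return SWF_MAGIC.some((m) => body.startsWith(m));
}

// Quick triage check for a callback value seen in logs: identifier-only
// characters AND a leading SWF header is the signature of this attack.
function isRosettaShaped(callback) {
  return /^[A-Za-z0-9_$]+$/.test(callback) && looksLikeSwf(callback);
}

// Constructed attacker callback (illustrative; a real payload is far longer
// but has exactly this shape: SWF magic followed by alphanumerics only).
const CONSTRUCTED_CALLBACK = 'CWSMIKI0hCD0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7';
const SAMPLE_DATA = { user: 'alice', csrf_token: 'constructed-token' };

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable body is SWF:',
    looksLikeSwf(jsonpVulnerable(CONSTRUCTED_CALLBACK, SAMPLE_DATA)));
  console.log('hardened body is SWF:',
    looksLikeSwf(jsonpHardened(CONSTRUCTED_CALLBACK, SAMPLE_DATA).body));
  console.log('callback flagged:', isRosettaShaped(CONSTRUCTED_CALLBACK));
}
```

Note that the whitelist in the hardened version still accepts the constructed callback; it is the `/**/` prefix, not the character filter, that breaks the attack, which is why filtering the callback was never a sufficient fix for this class of bug.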
Not surprisingly, Spagnuolo alerted his own company, Google, to the vulnerability first: Google fixed several of its biggest services, including Maps, Accounts -- the overarching log-in for all Google properties -- and YouTube before Spagnuolo revealed his exploit-making tool.
"Because of the sensitivity of this vulnerability, I first disclosed it internally in Google, and then privately to Adobe PSIRT," Spagnuolo wrote, referring to Adobe's Product Security Incident Response Team. "A few days before releasing the code and publishing this blog post, I also notified Twitter, eBay, Tumblr and Instagram."