Tool shows vulnerability in Adobe Flash, patches released


An exploit combining Adobe Flash and JSONP has led Adobe to issue software patches.

Adobe released security updates to fix three critical vulnerabilities (CVE-2014-4671, CVE-2014-0537, CVE-2014-0539).

“Adobe has released security updates for Adobe Flash Player and earlier versions for Windows and Macintosh and Adobe Flash Player and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions.” –

Michele Spagnuolo, a Google security engineer based in Zurich, developed a proof-of-concept tool called Rosetta Flash to demonstrate the vulnerability.

On his blog, Spagnuolo wrote:

“Because of the sensitivity of this vulnerability, I first disclosed it internally in Google, and then privately to Adobe PSIRT. A few days before releasing the code and publishing this blog post, I also notified Twitter, eBay, Tumblr and Instagram.”

Spagnuolo also notes that the underlying issue has been well known in the infosec community. However, because no public tool existed for generating arbitrary ASCII-only valid SWF files, companies postponed acting on the vulnerability until he released his tool.
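The attack works because a JSONP endpoint echoes an attacker-chosen callback name at the very start of its response, so an ASCII-only SWF placed in that name makes the whole response a valid Flash file. As an added defensive example (not code from the article or from Rosetta Flash), the helper below shows the two server-side checks a JSONP endpoint should apply: a strict callback allow-list and a leading `/**/` prefix so the response can never begin with a SWF signature (`FWS`, `CWS` or `ZWS`). The function names and the regex are my own assumptions.

```python
import re

# Every SWF file starts with one of these three-byte signatures; a JSONP
# response whose first bytes match one is what Rosetta Flash abuses.
SWF_MAGIC = ("FWS", "CWS", "ZWS")

# Allow-list for callback names: a JavaScript identifier, optionally dotted
# (e.g. "app.handlers.onData"). Anything else is rejected outright.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)
MAX_CALLBACK_LEN = 64  # hypothetical limit; a real SWF needs far more room


def is_safe_callback(callback: str) -> bool:
    """True only if the callback is a short, well-formed identifier."""
    return len(callback) <= MAX_CALLBACK_LEN and bool(CALLBACK_RE.match(callback))


def jsonp_body(callback: str, json_payload: str) -> str:
    """Build a JSONP response body with Rosetta Flash defences applied.

    The allow-list blocks arbitrary bytes, and the "/**/" prefix guarantees
    the response starts with a comment rather than a SWF header even if a
    callback such as "CWSxyz" (a valid identifier) slips through.
    """
    if not is_safe_callback(callback):
        raise ValueError("callback name rejected")
    return "/**/" + callback + "(" + json_payload + ");"


def looks_like_swf(body: str) -> bool:
    """Check usable in a response filter or a regression test."""
    return body.startswith(SWF_MAGIC)
```

Serving the response with `Content-Type: application/json` and `X-Content-Type-Options: nosniff` complements the prefix; the prefix alone is what stops the SWF parser.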

You should update your Adobe Flash Player as soon as possible.

Google Chrome and Microsoft Internet Explorer 10 and 11 will automatically update their bundled versions of Adobe Flash.

Users of all other browsers, e.g. Firefox, Safari, and Opera, should update Flash Player using Adobe's update tool.

Note that you need to update the Adobe Flash Player for every web browser that is installed on your system.
