In response to the recent internet communication attack using malicious commands embedded into Adobe Flash files, Adobe released a Flash security update in tandem with a full technical analysis of the threat that includes a proof-of-concept exploit code.
The attack code, dubbed “Rosetta Flash,” exposed sensitive user-data on sites such as Instagram, eBay, Tumblr and Olark, and sources say it could take weeks for the impact of the security update to fully mitigate the potential damage on end-users. In order to counterbalance the delay, Adobe is advising larger websites to make server-end updates, and accordingly, Adobe has followed its own advice along with Microsoft and Tumbler.Adobe's “critical” update includes new, complex validation checks built into Flash, ensuring that it rejects the malicious content from vulnerable JSONP callback interfaces. This update brings Flash to version 126.96.36.199 on Windows, Mac and Linux systems, and Adobe affirms that they are “not aware of exploits in the wild for any of the vulnerabilities fixed in this release.”
Simultaneously, Microsoft released six security updates addressing vulnerabilities in Windows and Internet Explorer, the details of which are outlined on Microsoft's Technet blog, Qualys's site, and the SANS Internet Storm Center. Tumblr has since announced that it has also patched against the Rosetta Flash attack.