A well-known vulnerability in Adobe’s Flash Player, which allows malicious users to steal browser data, including cookies, on Macs, PCs and Linux machines, has recently been exploited for the first time, prompting Adobe to issue a patch and urge users to upgrade their systems as soon as possible. According to Adobe, Flash Player version 14.0.0.125 and earlier for Mac and Windows, and version 11.2.202.378 and earlier for Linux, suffer from the bug. Mac and Windows users should update to version 14.0.0.145, while Linux users should update to version 11.2.202.394.

The flaw relies on specially crafted SWF files that consist entirely of alphanumeric characters, which Flash Player will execute even though they aren’t valid Flash files. The malicious files can take advantage of the special privileges granted to embedded objects on the web page, making cross-domain requests on behalf of a user and capturing the returned data. In addition to the end-user upgrade, website owners can patch the vulnerability, assigned CVE identifier CVE-2014-4671, on their end with one of a number of fixes identified by Google engineer Michele Spagnuolo.

Those of you who want to check the version of Flash installed on your system can do so by visiting Adobe’s About Flash Player page or by right-clicking on Flash content in your browser and choosing “About Adobe (or Macromedia) Flash Player” from the contextual menu.

Source: Adobe (Help), Michele Spagnuolo (blog)