16 July 2014

Last week, Stay Smart Online advised about a number of critical updates, including for Adobe Flash Player.

One of the vulnerabilities addressed by this update allows an attacker to take over your logged-in session on many popular websites without your knowledge.

Users need to update to the latest version of Adobe Flash Player, and vulnerable websites may also need administrators to take action to secure their sites.

Most major websites, such as eBay, Instagram, Twitter and Tumblr, have already changed their systems to prevent this attack.

Advice for users

Users of Adobe Flash Player should update to the latest version for all browsers as soon as possible. (If you already updated last week you do not need to take further action.)

You can visit Adobe and verify the version you are currently using here.

You can also update to the latest version here from Adobe (remember to deselect the free McAfee Security Scan offer unless you would also like to download this software).

Internet Explorer 10, Internet Explorer 11, and Chrome should have updated automatically on your system, unless this is disabled in your settings.

Advice for website operators

The issue affects websites offering Application Programming Interfaces (APIs).

APIs are used on websites to present data in a uniform way that allows other websites or programs to access it. For example, a retail website may enable other websites to access and use its pricing, product listings and so on via an API. Smaller websites do not typically use APIs; however, if you are uncertain, you should check with your website administrator.

According to the researcher who identified the issue, APIs utilising JSONP callbacks are affected. (JSONP or "JSON with padding" is a communication technique used in JavaScript programs.)

The vulnerability allows an attacker to perform actions on your website using an affected user’s current permissions.

The researcher has outlined several mitigation strategies that can be used, but these require technical knowledge to update affected code.
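As an added example (not code from this advisory or from the researcher's post), the following Python shows a hardened JSONP endpoint applying the two measures widely adopted for this issue: restricting the callback name to a conservative character set, and prefixing the response so that its first bytes are always chosen by the server rather than by the request. The character-set policy, header set and handler names are assumptions made for the example.

```python
import json
import re

# Callback names are restricted to a conservative character set so that the
# callback parameter can never supply arbitrary bytes to the response.
# (Policy assumed for this added example; not taken from the advisory.)
_CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)

# Fixed prefix placed before the callback so the start of every response is
# server-controlled regardless of the callback parameter.
_PREFIX = "/**/"


def build_jsonp_response(callback, payload):
    """Return (status, headers, body) for a hardened JSONP reply.

    `callback` is the untrusted callback query parameter; `payload` is the
    data object the API would normally serialise.
    Raises ValueError if the callback name is not acceptable.
    """
    if callback is None or not _CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")

    body = _PREFIX + callback + "(" + json.dumps(payload) + ");"
    headers = {
        # Declare the real type and tell browsers not to guess another one.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def handle_request(query):
    """Minimal handler: `query` is a dict of parsed query parameters
    (constructed input for this example). Returns (status, headers, body)."""
    payload = {"product": "widget", "price": 9.99}  # constructed sample data
    try:
        return build_jsonp_response(query.get("callback"), payload)
    except ValueError:
        return 400, {"Content-Type": "text/plain"}, "bad callback"


if __name__ == "__main__":
    print(handle_request({"callback": "showPrices"}))   # accepted
    print(handle_request({"callback": "show(Prices)"}))  # rejected, 400
```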

More information

Further discussion of the vulnerability and Adobe’s update.

The researcher’s original post about the issue.

Update information is available on Adobe’s website.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.


Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.


This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.


Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au
Web: www.staysmartonline.gov.au

© 2013 Australian Government. All rights reserved
