Adobe discovered and patched a zero-day cross-site scripting flaw in all versions of Flash that the company confirmed was used in recent attacks that compromised several Google Gmail accounts.
Adobe announced and patched a cross-site scripting vulnerability in Flash that is already being exploited in drive-by download attacks.
Adobe released the out-of-cycle update for Flash addressing the security flaw on June 5. The company found out about the bug on June 3 and managed to develop and release a patch over the weekend. The patch fixes Flash on Windows, Mac OS X, Android, Linux and Solaris.
If a user clicks on a malicious link or visits a rogue Website, the Flash vulnerability kicks in and takes action without explicit user authorization. Adobe said the attacks could be used to impersonate a user on various sites, including Web-based email services and financial Websites.
"There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," Adobe said.
An Adobe spokesperson confirmed to eWEEK that attackers used this security flaw to compromise Gmail accounts. These attacks are different from the ones Google disclosed recently, which compromised high-profile Gmail accounts and are believed to have originated from China. Those attacks have been active since at least February and did not rely on an exploit to steal passwords.
A video of how a malicious Flash file could be used to compromise users via a Gmail inbox was posted by Steven Millward on the Asian tech site Penn-Olson on June 3. The video (narrated in Chinese) shows a specially crafted Flash file that can inject a spying forwarding address into the user's Gmail account settings, according to Millward.
The user is encouraged to click on a certain link in a "dodgy" email, such as a personal blog hosted on a popular platform, which redirects the user to a site with the rogue Flash file, Millward said. The user doesn't see anything load, but the f.swf Flash file has already executed the commands to add a forwarding address to the user's Gmail account, giving attackers full access to the user's communications without even bothering to steal a password. In the video, the user was logged into Gmail, which allowed the Flash file to access the site.
The vulnerability (CVE-2011-2107) exists in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe said in its advisory. Adobe Flash Player 10.3.185.22 and earlier are affected for Android, but a fix will not be available until later in the week, according to Adobe. Google has already pushed out an update for the embedded Flash Player inside its Chrome Web browser to 11.0.696.77. The update should download automatically and be installed when the browser is restarted. Google updated the stable, beta and dev versions of Chrome.
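A version-range check built from the affected builds quoted above, added here as an example that is not part of the eWEEK article or of Adobe's advisory; the function names, platform keys and sample inventory are constructed for illustration. Versions are compared as integer tuples, because a plain string comparison would rank 10.3.181.9 above 10.3.181.16 and miss an affected host.

```python
# Added example: flag installed Flash Player builds that fall inside the
# affected ranges the article quotes for CVE-2011-2107. Only the version
# boundaries come from the article; everything else is constructed.

AFFECTED_MAX = {
    # Desktop platforms: 10.3.181.16 and earlier are affected.
    "windows": (10, 3, 181, 16),
    "macintosh": (10, 3, 181, 16),
    "linux": (10, 3, 181, 16),
    "solaris": (10, 3, 181, 16),
    # Android: 10.3.185.22 and earlier are affected (fix due later in the week).
    "android": (10, 3, 185, 22),
}

# Chrome bundles its own Flash Player; Google's updated Chrome build is 11.0.696.77.
CHROME_FIXED = (11, 0, 696, 77)


def parse_version(text):
    """Turn '10.3.181.16' into a 4-tuple of ints so comparison is numeric.

    Missing trailing components are padded with zeros, so '10.3' == (10, 3, 0, 0).
    """
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def flash_is_vulnerable(platform, version):
    """True if this standalone Flash Player build is at or below the affected maximum."""
    key = platform.lower()
    if key not in AFFECTED_MAX:
        raise ValueError(f"platform not covered by the advisory text: {platform!r}")
    return parse_version(version) <= AFFECTED_MAX[key]


def chrome_is_vulnerable(chrome_version):
    """True if Chrome predates the 11.0.696.77 build that carries the fixed Flash."""
    return parse_version(chrome_version) < CHROME_FIXED


def triage(inventory):
    """Return the hosts in (host, platform, version) records that still need the patch."""
    return [host for host, platform, version in inventory
            if flash_is_vulnerable(platform, version)]


# Constructed sample inventory; "10.4.0.0" stands in for any post-fix build.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "10.3.181.16"),
    ("ws-02", "windows", "10.3.181.9"),
    ("mac-01", "macintosh", "10.4.0.0"),
    ("droid-01", "android", "10.3.185.22"),
]

if __name__ == "__main__":
    print("needs patch:", triage(SAMPLE_INVENTORY))
```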
Adobe is still investigating whether the Authplay.dll linked library in Adobe Reader and Acrobat also contains the cross-site scripting flaw. There are no current attacks exploiting the flaw targeting Reader or Acrobat at this time, according to the company.
Adobe rated this vulnerability as "important," meaning it could compromise data security, potentially allow attackers access to confidential data, and could compromise processing resources in the user's computer.
"It doesn't matter if you run Windows, Mac, Linux, Solaris or even Android ... if Adobe goes public about a security vulnerability in its Flash product, you better install the patch to protect against the problem," Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.
Editor's note: This story was updated to differentiate between the China-based Gmail phishing attacks and the attacks using the Flash exploit.