Adobe Patches XSS Zero-Day Flaw in Flash Used in Google Gmail Attack

Adobe discovered and patched a zero-day cross-site scripting flaw in all versions of Flash that the company confirmed was used in recent attacks that compromised several Google Gmail accounts.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Adobe announced and patched a cross-site scripting vulnerability in Flash that is already being exploited in drive-by download attacks.

Adobe released the out-of-cycle update for Flash addressing the security flaw on June 5. The company found out about the bug on June 3 and managed to develop and release a patch over the weekend. The patch fixes Flash on Windows, Mac OS X , Android, Linux and Solaris.

If a user clicks on a malicious link or visits a rogue Website, the Flash vulnerability kicks in and takes action without explicit user authorization. Adobe said the attacks could be used to impersonate a user on various sites, including Web-based email services and financial Websites.

"There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," Adobe said.

An Adobe spokesperson confirmed to eWEEK that attackers used this security flaw to compromise Gmail accounts. These attacks are different from the ones Google disclosed recently which compromised high-profile Gmail accounts and are believed to have originated from China. Those attacks have been active since at least February and did not rely on an exploit to steal passwords.

A video of how a malicious Flash file could be used to compromise users via a Gmail inbox was posted by Steven Millward on the Asian Tech site Penn-Olson on June 3. The video (narrated in Chinese) shows a specially crafted Flash file that can inject a spying forwarding address into the user's Gmail account settings, according to Millward.

The user is encouraged to click on a certain link in a "dodgy" email, such as a personal blog hosted on a popular platform, which redirects the user to a site with the rogue Flash file, Millward said. The user doesn't see anything load, but the f.swf Flash file had already executed the commands to add a forwarding address to the user's email address, giving attackers full access to the user's communications without even bothering to steal a password. In the video, the user was logged into Gmail, which allowed the Flash file to access the site.

The vulnerability (CVE-2011-2107) exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe said in its advisory. Adobe Flash Player and earlier are affected for Android, but a fix will not be available until later in the week, according to Adobe. Google has already pushed out an update for the embedded Flash Player inside its Chrome Web browser to 11.0.696.77. The update should download automatically and be installed when the browser is restarted. Google updated the stable, beta and dev versions of Chrome.

Adobe is still investigating whether the Authplay.dll linked library in Adobe Reader and Acrobat also contains the cross-site scripting flaw. There are no current attacks exploiting the flaw targeting Reader or Acrobat at this time, according to the company.

Adobe rated this vulnerability as "important," meaning it could compromise data security, potentially allow attackers access to confidential data, and could compromise processing resources in the user's computer.

"It doesn't matter if you run Windows, Mac, Linux, Solaris or even Android ... if Adobe goes public about a security vulnerability in its Flash product, you better install the patch to protect against the problem," Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.

Editor's note: This story was updated to differentiate between the China-based Gmail phishing attacks and the attacks using the Flash exploit.