Adobe has patched a cross-site scripting vulnerability in its Flash Player that is already being exploited in drive-by download attacks.
Adobe released the out-of-cycle update for Flash addressing the security flaw on 5 June.
The company found out about the bug on 3 June and managed to develop and release a patch over the weekend. The patch fixes Flash on Windows, Mac OS X , Android, Linux and Solaris.
If a user clicks on a malicious link or visits a rogue website, the Flash vulnerability kicks in and takes action without explicit user authorisation. Adobe said the attacks could be used to impersonate a user on various sites, including web-based email services and financial websites.
A video of how a malicious Flash file could be used to compromise users via a Gmail inbox was posted by Steven Millward on the Asian Tech site Penn-Olson on 3 June. The video (narrated in Chinese) shows a specially crafted Flash file that can inject a spying forwarding address into the user’s Gmail account settings, according to Millward.
The user is encouraged to click on a certain link in a “dodgy” email, such as a personal blog hosted on a popular platform, which redirects the user to a site with the rogue Flash file, Millward said. The user doesn’t see anything load, but the f.swf Flash file had already executed the commands to add a forwarding address to the user’s email address, giving attackers full access to the user’s communications without even bothering to steal a password. In the video, the user was logged into Gmail, which allowed the Flash file to access the site.
The vulnerability (CVE-2011-2107) exists in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe said in its advisory. Adobe Flash Player 10.3.185.22 and earlier are affected for Android, but a fix will not be available until later in the week, according to Adobe.
Google has already pushed out an update for the embedded Flash Player inside its Chrome web browser to 11.0.696.77. The update should download automatically and be installed when the browser is restarted. Google updated the stable, beta and dev versions of Chrome.
Adobe is still investigating whether the Authplay.dll linked library in Adobe Reader and Acrobat also contains the cross-site scripting flaw. There are no current attacks exploiting the flaw targeting Reader or Acrobat at this time, according to the company.
Adobe rated this vulnerability as “important,” meaning it could compromise data security, potentially allow attackers access to confidential data, and could compromise processing resources in the user’s computer.
“It doesn’t matter if you run Windows, Mac, Linux, Solaris or even Android … if Adobe goes public about a security vulnerability in its Flash product, you better install the patch to protect against the problem,” Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.
Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…
Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC
Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…