Adobe Fixes Flash Flaw Utilised In Gmail Hack

Adobe has patched a cross-site scripting vulnerability in its Flash Player that is already being exploited in drive-by download attacks.

Adobe released the out-of-cycle update for Flash addressing the security flaw on 5 June.

The company found out about the bug on 3 June and managed to develop and release a patch over the weekend. The patch fixes Flash on Windows, Mac OS X , Android, Linux and Solaris.

Gmail Hack

If a user clicks on a malicious link or visits a rogue website, the Flash vulnerability kicks in and takes action without explicit user authorisation. Adobe said the attacks could be used to impersonate a user on various sites, including web-based email services and financial websites.

“There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message,” Adobe said. An Adobe spokesperson confirmed to eWEEK that the recent attacks, which are believed to have originated from China, used this security flaw to compromise high-profile Gmail accounts.

A video of how a malicious Flash file could be used to compromise users via a Gmail inbox was posted by Steven Millward on the Asian Tech site Penn-Olson on 3 June. The video (narrated in Chinese) shows a specially crafted Flash file that can inject a spying forwarding address into the user’s Gmail account settings, according to Millward.

The user is encouraged to click on a certain link in a “dodgy” email, such as a personal blog hosted on a popular platform, which redirects the user to a site with the rogue Flash file, Millward said. The user doesn’t see anything load, but the f.swf Flash file had already executed the commands to add a forwarding address to the user’s email address, giving attackers full access to the user’s communications without even bothering to steal a password. In the video, the user was logged into Gmail, which allowed the Flash file to access the site.

The vulnerability (CVE-2011-2107) exists in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe said in its advisory. Adobe Flash Player 10.3.185.22 and earlier are affected for Android, but a fix will not be available until later in the week, according to Adobe.

Google has already pushed out an update for the embedded Flash Player inside its Chrome web browser to 11.0.696.77. The update should download automatically and be installed when the browser is restarted. Google updated the stable, beta and dev versions of Chrome.

Patch It

Adobe is still investigating whether the Authplay.dll linked library in Adobe Reader and Acrobat also contains the cross-site scripting flaw. There are no current attacks exploiting the flaw targeting Reader or Acrobat at this time, according to the company.

Adobe rated this vulnerability as “important,” meaning it could compromise data security, potentially allow attackers access to confidential data, and could compromise processing resources in the user’s computer.

“It doesn’t matter if you run Windows, Mac, Linux, Solaris or even Android … if Adobe goes public about a security vulnerability in its Flash product, you better install the patch to protect against the problem,” Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.