Adobe has patched a cross-site scripting vulnerability in its Flash Player that is already being exploited in drive-by download attacks.
Adobe released the out-of-cycle update for Flash addressing the security flaw on 5 June.
The company found out about the bug on 3 June and managed to develop and release a patch over the weekend. The patch fixes Flash on Windows, Mac OS X , Android, Linux and Solaris.
If a user clicks on a malicious link or visits a rogue website, the Flash vulnerability kicks in and takes action without explicit user authorisation. Adobe said the attacks could be used to impersonate a user on various sites, including web-based email services and financial websites.
A video of how a malicious Flash file could be used to compromise users via a Gmail inbox was posted by Steven Millward on the Asian Tech site Penn-Olson on 3 June. The video (narrated in Chinese) shows a specially crafted Flash file that can inject a spying forwarding address into the user’s Gmail account settings, according to Millward.
The user is encouraged to click on a certain link in a “dodgy” email, such as a personal blog hosted on a popular platform, which redirects the user to a site with the rogue Flash file, Millward said. The user doesn’t see anything load, but the f.swf Flash file had already executed the commands to add a forwarding address to the user’s email address, giving attackers full access to the user’s communications without even bothering to steal a password. In the video, the user was logged into Gmail, which allowed the Flash file to access the site.
The vulnerability (CVE-2011-2107) exists in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe said in its advisory. Adobe Flash Player 10.3.185.22 and earlier are affected for Android, but a fix will not be available until later in the week, according to Adobe.
Google has already pushed out an update for the embedded Flash Player inside its Chrome web browser to 11.0.696.77. The update should download automatically and be installed when the browser is restarted. Google updated the stable, beta and dev versions of Chrome.
Adobe is still investigating whether the Authplay.dll linked library in Adobe Reader and Acrobat also contains the cross-site scripting flaw. There are no current attacks exploiting the flaw targeting Reader or Acrobat at this time, according to the company.
Adobe rated this vulnerability as “important,” meaning it could compromise data security, potentially allow attackers access to confidential data, and could compromise processing resources in the user’s computer.
“It doesn’t matter if you run Windows, Mac, Linux, Solaris or even Android … if Adobe goes public about a security vulnerability in its Flash product, you better install the patch to protect against the problem,” Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.
Anthropic confirms Memorandum of Understanding (MOU) signed with UK government to explore use of AI…
British chip designer ARM Holdings is reportedly developing its own chip, and Meta is one…
TikTok returns to app stores of both Apple and Google in the United States, after…
After huge fine, Meta launches 'Facebook Marketplace Partner Program' so rival service providers can list…
New research from Freshwave finds a better mobile signal indoors could grow the UK economy…
Elon Musk says he will abandon $97.4 billion offer to buy the non-profit behind OpenAI…