Adobe today confirmed that the Flash Player bug
it patched Sunday is being used to steal login credentials of Google's
Gmail users.
The vulnerability was patched Sunday in an "out-of-band," or
emergency, update. The fix was the second for Flash in less than four
weeks and the fifth this year; a weekend patch is unusual for Adobe.
"We have reports that this vulnerability is being exploited in the
wild in active targeted attacks designed to trick the user into clicking
on a malicious link delivered in an email message," said Adobe
spokeswoman Wiebke Lips in response to questions today. "The reports we
received indicate that the current attacks are targeting Gmail
specifically. However, we cannot assume that other Web mail providers
may not be targeted as well."
According to Adobe's advisory, the Flash vulnerability is a cross-site scripting bug.
Cross-site scripting flaws let attacker-supplied script run in the
context of a site the victim is logged into, which is why they are often
used by identity thieves to hijack usernames, passwords and session data.
In this case, the browser itself is not the vulnerable component; rather,
attackers are exploiting the Flash Player browser plug-in, which virtually
every user has installed, so any browser running a vulnerable copy of the
plug-in is exposed.
Adobe said that Google reported the Flash Player flaw to its security team.
Targeted attacks that try to steal account information are
commonplace, but they've been prominent in the news since last
Wednesday, when Google accused Chinese hackers of targeting senior U.S. government officials and others in a long-running campaign to pilfer Gmail usernames and passwords.
China has denied Google's allegations. The Federal Bureau of Investigation (FBI) is looking into Google's charges.
The attacks aimed at stealing Gmail account information using the
Flash Player vulnerability, however, are different from those Google
acknowledged last week. Those attacks, which have been active since at
least February, did not rely on an exploit, and instead duped victims
into entering their username and password on a fake Gmail login screen.
Adobe updated the Windows, Mac OS X and Linux versions of Flash
Player Sunday, and said it would follow that with a patch for the
Android edition sometime this week.
Google, which bundles Flash Player with Chrome, also updated its browser
on Sunday, refreshing all three of its distribution channels -- stable,
beta and dev -- to include the patched version of Flash.
Adobe rated the bug as "important," the second-highest ranking in its
four-step severity scale (critical, important, moderate and low). In
Adobe's scheme, that rating indicates that attackers may be able to
access data on the victimized computer, but cannot plant malware on the
machine.
Because Adobe Reader includes a component named "authplay.dll" that
renders Flash content embedded in PDFs, many Flash Player vulnerabilities
can also be exploited using specially-crafted PDF documents. Adobe said,
however, that it was not yet sure whether its popular Reader contained
this flaw.
"Adobe is still investigating the impact to the Authplay.dll
component," the company's advisory stated. "Adobe is not aware of any
attacks targeting Adobe Reader or Acrobat in the wild."
While Adobe did not say whether Reader -- and the for-a-fee Acrobat
-- will be patched, the programs are slated for an update June 14 to fix
other flaws the company has previously acknowledged in authplay.dll.
Users running browsers other than Chrome can download the patched version of Flash Player from Adobe's site. On Windows, the ActiveX control used by Internet Explorer and the plug-in used by other browsers are installed separately, so each must be updated on its own.