Tuesday, June 7, 2011

Hackers Exploit Flash Bug in New Attacks Against Gmail Users

Via CSO Online -

Adobe today confirmed that the Flash Player bug it patched Sunday is being used to steal login credentials of Google's Gmail users.

The vulnerability was patched yesterday in an "out-of-band," or emergency update. The fix was the second in less than four weeks for Flash, and the fifth this year. A weekend patch is very unusual for Adobe.

"We have reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," said Adobe spokeswoman Wiebke Lips in response to questions today. "The reports we received indicate that the current attacks are targeting Gmail specifically. However, we cannot assume that other Web mail providers may not be targeted as well."

According to Adobe's advisory, the Flash vulnerability is a cross-site scripting bug.

Cross-site scripting flaws are often used by identity thieves to hijack usernames and passwords from vulnerable browsers. In this case, browsers themselves are not targeted; rather, attackers are exploiting the Flash Player browser plug-in, which virtually every user has installed.

Adobe said that Google reported the Flash Player flaw to its security team.

Targeted attacks that try to steal account information are commonplace, but they've been prominent in the news since last Wednesday, when Google accused Chinese hackers of targeting senior U.S. government officials and others in a long-running campaign to pilfer Gmail usernames and passwords.

China has denied Google's allegations. The Federal Bureau of Investigation (FBI) is looking into Google's charges.


Adobe recommends users of Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player ( for ActiveX / IE).

Verify Your Flash Player Version
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
