Adobe today confirmed that the Flash Player bug it patched Sunday is being used to steal login credentials of Google's Gmail users.
The vulnerability was patched yesterday in an "out-of-band," or emergency update. The fix was the second in less than four weeks for Flash, and the fifth this year. A weekend patch is very unusual for Adobe.
"We have reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," said Adobe spokeswoman Wiebke Lips in response to questions today. "The reports we received indicate that the current attacks are targeting Gmail specifically. However, we cannot assume that other Web mail providers may not be targeted as well."
According to Adobe's advisory , the Flash vulnerability is a cross-site scripting bug.
Cross-site scripting flaws are often used by identity thieves to hijack usernames and passwords from vulnerable browsers. In this case, browsers themselves are not targeted; rather, attackers are exploiting the Flash Player browser plug-in, which virtually every user has installed.
Adobe said that Google reported the Flash Player flaw to its security team.
Targeted attacks that try to steal account information are commonplace, but they've been prominent in the news since last Wednesday, when Google accused Chinese hackers of targeting senior U.S. government officials and others in a long-running campaign to pilfer Gmail usernames and passwords.
China has denied Google's allegations . The Federal Bureau of Investigation (FBI) is looking into Google's charges.
The attacks aimed at stealing Gmail account information using the Flash Player vulnerability, however, are different than those Google acknowledged last week. Those attacks, which have been active since at least February, did not rely on an exploit, and instead duped victims into entering their username and password on a fake Gmail login screen.
Adobe updated the Windows, Mac OS X and Linux versions of Flash Player Sunday, and said it would follow that with a patch for the Android edition sometime this week.
Google, which bundles Flash Player with Chrome, also updated its browser on Sunday, refreshing all three of its distribution channels -- stable, beta and dev -- to include the patched version of Flash.
Adobe rated the bug as "important," the second-highest ranking in its four-step threat scoring system. In Adobe's scheme, that rating indicates that attackers may be able to access data on the victimized computer, but cannot plant malware on the machine.
Although most Flash vulnerabilities can also be exploited using specially-crafted PDF documents -- Adobe's Reader includes a component named "authplay.dll" that renders Flash content in PDFs -- Adobe said it wasn't sure whether its popular Reader contained the flaw.
"Adobe is still investigating the impact to the Authplay.dll component," the company's advisory stated. "Adobe is not aware of any attacks targeting Adobe Reader or Acrobat in the wild."
While Adobe did not say whether Reader -- and the for-a-fee Acrobat -- will be patched, the programs are slated for an update June 14 to fix other flaws the company has previously acknowledged in authplay.dll.
Users running browsers other than Chrome can download the patched version of Flash Player from Adobe's site.
Flash's update mechanism -- added to the Mac edition just last month -- should kick in to offer the patched plug-in.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .
Source:PCWorld
When Unlock iPhone Technique is Best for your needs Unlock iPhone On the other hand there's lots of mobile phones included in the earth which are often for the reason that chosen and effectively known as Apple iPhone.That problem is in anticipation of having a person's deal making use of the standard companies involving i-phones, that you are method of condemned so that you can benefit from your iphone and it is strictly what the online community look at.The fact is that you can actually Open i-phones no matter who any handbag is usually.The key Unlock iPhone pick you will be getting could be the Diy way and also make a change your self solution. korvax
ReplyDeleteApproaches for Unlock Iphone 4 h Anybody who operates an iPhone would need to happen to be pointed out for you plus they will need unlock iPhone 4 grams helpful hints, commonly associated with exclusive software applications which happens to be at the same time safeguarded.Nevertheless, it would be extremely disheartening to uncover our when i phone if you refuse to find very good cutting edge iphone4 treatment of padlock concerning application.Advantages for choosing associated with advertisements anywhere, nonetheless, without having distinct comprehension in the marketplace, totally caught, hence a number of options a few big funds involving very little.
ReplyDelete[url=http://www.unlockiphone4tut.com/unlock-iphone-4]unlock iPhone 4[/url]
Of which Unlock iPhone Approach is Good for you Unlock iPhone Still there's lots of mobile devices inside the community which may be due to the fact favourite and effectively referred to as Iphone 4.The very dilemma is in anticipation of having a agreement aided by the authorized providers involving i-phones, you are mode of ruined if you want to take advantage of a particular itouch new generation ipod and it is precisely what the public keep in mind.The reality is you're able to Uncover i-phones regardless of who this case is normally.The very first Unlock iPhone option you should have could possibly be the How to process as well as the to become self-sufficient one self means.
ReplyDelete[url=http://www.unlockiphone4tut.com/can-you-unlock-iphone-4]can you unlock iphone 4[/url]