Flash Zero-Day Used In Targeted Email Attacks

Rare universal XSS attack campaign aimed at taking over Webmail accounts

A dangerous zero-day Flash attack revealed yesterday by Adobe patched along with other flaws in the application is the dreaded and relatively rare universal cross-site scripting (XSS) threat. The vulnerability was spotted being exploited in the wild in targeted, email-based attacks.
Universal XSS attacks spread via browsers or plug-ins, so they can affect any website, regardless of whether it harbors inherent XSS flaws. Adobes patch for the flaw was issued late yesterday, one day after it had issued updates for Acrobat and Reader in its regularly scheduled patch release.
It was Google that spotted targeted, email-based attacks using the previously unknown Flash bug -- CVE-2012-0767 -- but only affecting Internet Explorer running on Windows, according to Adobe. The fix for the Flash universal XSS bug was part of an overall Flash update issued yesterday by Adobe.
This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a users behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only), according to Adobes security alert.
Adobe also said it doesnt know of any other exploits in the wild for the flaw.
Universal XSSes are rare enough, but a zero-day floating around targeted attacks -- wow, says Jeremiah Grossman, CTO for WhiteHat Security. Grossman says the attack could be for email account hijacking. Or maybe Web worm propagation, but I doubt it.
[ New study shows directory traversal, XSS most common attacks, not SQL injection. See
Websites Are Attacked Once Every Two Minutes
. ]
Ryan Barnett, senior security researcher for Trustwave, says it sounds a like a cyberespionage-type attack trying to remain under the radar, rather than the typical worm-like nature of such an attack. He surmises that the attackers are using it for listening in on Gmail conversations. The attack would go something like this: When a user logs into his Webmail account, he receives a phishing email with a lure to a URL. If he clicks on the URL, it then downloads the exploit if his Adobe Flash browser plug-in isnt updated with the new patch.
The end goal is to read emails, Barnett says. He says two-factor authentication in Gmail would protect against the attack, however.
The attack also appears to be a combination of XSS and cross-site request forgery (CSRF), he says. Most attacks I see arent necessarily fitting into one category or other. Most are blended, Barnett says.
XSS flaws are some of the most common in websites. When exploited, they allow an attacker to inject malicious scripts onto a website, and can be used to alter the contents of the website or steal information from a user who visits the site.
Adobes
security update
affects vulnerabilities in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x; and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. If exploited, the vulnerabilities could allow an attacker to crash and take over the victims machine.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Flash Zero-Day Used In Targeted Email Attacks