Flash Zero-Day Used In Targeted Email Attacks

Rare universal XSS attack campaign aimed at taking over Webmail accounts

Dark Reading logo in a gray background | Dark Reading

A dangerous zero-day Flash attack revealed yesterday by Adobe patched along with other flaws in the application is the dreaded and relatively rare universal cross-site scripting (XSS) threat. The vulnerability was spotted being exploited in the wild in targeted, email-based attacks.

Universal XSS attacks spread via browsers or plug-ins, so they can affect any website, regardless of whether it harbors inherent XSS flaws. Adobe's patch for the flaw was issued late yesterday, one day after it had issued updates for Acrobat and Reader in its regularly scheduled patch release.

It was Google that spotted targeted, email-based attacks using the previously unknown Flash bug -- CVE-2012-0767 -- but only affecting Internet Explorer running on Windows, according to Adobe. The fix for the Flash universal XSS bug was part of an overall Flash update issued yesterday by Adobe.

"This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only)," according to Adobe's security alert.

Adobe also said it doesn't know of any other exploits in the wild for the flaw.

"Universal XSSes are rare enough, but a zero-day floating around targeted attacks -- wow," says Jeremiah Grossman, CTO for WhiteHat Security. Grossman says the attack could be for email account hijacking. "Or maybe Web worm propagation, but I doubt it."

[ New study shows directory traversal, XSS most common attacks, not SQL injection. See Websites Are Attacked Once Every Two Minutes. ]

Ryan Barnett, senior security researcher for Trustwave, says it sounds a like a cyberespionage-type attack trying to remain under the radar, rather than the typical worm-like nature of such an attack. He surmises that the attackers are using it for listening in on Gmail conversations. The attack would go something like this: When a user logs into his Webmail account, he receives a phishing email with a lure to a URL. If he clicks on the URL, it then downloads the exploit if his Adobe Flash browser plug-in isn't updated with the new patch.

"The end goal is to read emails," Barnett says. He says two-factor authentication in Gmail would protect against the attack, however.

The attack also appears to be a combination of XSS and cross-site request forgery (CSRF), he says. "Most attacks I see aren't necessarily fitting into one category or other. Most are blended," Barnett says.

XSS flaws are some of the most common in websites. When exploited, they allow an attacker to inject malicious scripts onto a website, and can be used to alter the contents of the website or steal information from a user who visits the site.

Adobe's security update affects vulnerabilities in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x; and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. If exploited, the vulnerabilities could allow an attacker to crash and take over the victim's machine.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights