"There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," according to Adobe's security bulletin.
The bug involves a cross-site scripting vulnerability, which "could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website," said Adobe. It rates the Flash vulnerability as "important," meaning that if exploited, the bug "would compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer."
While Adobe didn't detail the exact nature of the bug, information security services provider SecurityFocus released an advisory warning that a successful attack "may allow the attacker to steal cookie-based authentication credentials and to launch other attacks."
The flaw affects Adobe Flash Player 10.3.181.16 (and earlier versions) for Windows, Macintosh, Linux, and Solaris, as well as Adobe Flash Player 10.3.185.22 (and earlier versions) for Android. Adobe "recommends users apply the updates for their product installations." Google, meanwhile, on Friday pushed a Chrome browser update that includes the patch.
Adobe cautioned that Reader and Acrobat users may also be at risk from the flaw. At the moment, Adobe is investigating whether the flaw also affects the Authplay.dll component that's part of Adobe Reader and Acrobat X (10.0.2), as well as all 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Mac OS X. According to a statement released by the company, "Adobe is not aware of any attacks targeting Adobe Reader or Acrobat in the wild."
Adobe's new patch follows last month's Flash Player update, which fixed 12 vulnerabilities, many of which attackers could remotely exploit to access a user's system or steal data.
The new Adobe Flash flaw is the latest in a string of recently discovered bugs that enable attackers to steal website cookie-based authentication credentials. Last month, for example, a security researcher demonstrated a cookiejacking attack that works against all versions of Internet Explorer. The attack steals people's website login credentials by tricking them into using drag-and-drop functionality. Microsoft has downplayed the vulnerability, although a fix is rumored to be in the works.
Also last month, a different security researcher warned that attackers could intercept LinkedIn credentials via a man-in-the-middle attack, which would allow an attacker to impersonate the targeted user on LinkedIn. In response, LinkedIn said it will set its cookie authentication credentials to expire after three months, instead of the previous 12 months. But until LinkedIn updates its website to encrypt all sessions via SSL, it has recommended that users avoid using unsecured hotspots to access their LinkedIn accounts.