A dangerous zero-day Flash attack revealed yesterday by Adobe patched along with other flaws in the application is the dreaded and relatively rare universal cross-site scripting (XSS) threat. The vulnerability was spotted being exploited in the wild in targeted, email-based attacks.
Universal XSS attacks spread via browsers or plug-ins, so they can affect any website, regardless of whether it harbors inherent XSS flaws. Adobe’s patch for the flaw was issued late yesterday, one day after it had issued updates for Acrobat and Reader in its regularly scheduled patch release.
It was Google that spotted targeted, email-based attacks using the previously unknown Flash bug — CVE-2012-0767 — but only affecting Internet Explorer running on Windows, according to Adobe. The fix for the Flash universal XSS bug was part of an overall Flash update issued yesterday by Adobe.
“This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only),” according to Adobe’s security alert.
Adobe also said it doesn’t know of any other exploits in the wild for the flaw.
“Universal XSSes are rare enough, but a zero-day floating around targeted attacks — wow,” says Jeremiah Grossman, CTO for WhiteHat Security. Grossman says the attack could be for email account hijacking. “Or maybe Web worm propagation, but I doubt it.”
[ New study shows directory traversal, XSS most common attacks, not SQL injection. See Websites Are Attacked Once Every Two Minutes. ]
Ryan Barnett, senior security researcher for Trustwave, says it sounds a like a cyberespionage-type attack trying to remain under the radar, rather than the typical worm-like nature of such an attack. He surmises that the attackers are using it for listening in on Gmail conversations. The attack would go something like this: When a user logs into his Webmail account, he receives a phishing email with a lure to a URL. If he clicks on the URL, it then downloads the exploit if his Adobe Flash browser plug-in isn’t updated with the new patch.
“The end goal is to read emails,” Barnett says. He says two-factor authentication in Gmail would protect against the attack, however.
The attack also appears to be a combination of XSS and cross-site request forgery (CSRF), he says. “Most attacks I see aren’t necessarily fitting into one category or other. Most are blended,” Barnett says.
XSS flaws are some of the most common in websites. When exploited, they allow an attacker to inject malicious scripts onto a website, and can be used to alter the contents of the website or steal information from a user who visits the site.
Adobe’s security update affects vulnerabilities in Adobe Flash Player 184.108.40.206 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 220.127.116.11 and earlier versions for Android 4.x; and Adobe Flash Player 18.104.22.168 and earlier versions for Android 3.x and 2.x. If exploited, the vulnerabilities could allow an attacker to crash and take over the victim’s machine.