Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Hackers exploiting Flash Player XSS vulnerability

By | June 6, 2011, 10:15am PDT

Summary: Adobe releases a Flash Player update in response to reports that a cross-site scripting vulnerability is being exploited in the wild in active targeted attacks.

Adobe has released another Flash Player update to fix a serious security vulnerability that could expose Windows, Mac OS X, Linux and Solaris users to cross-site scripting attacks.

“This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website,” Adobe warned in an advisory.

The release of this Flash Player patch follows reports that the vulnerability is being exploited in the wild in active targeted attacks.

In the targeted attacks, Adobe said users are being tricked into clicking on a malicious link delivered in an email message.

Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX). Adobe expects to make available an update for Flash Player 10.3.185.22 for Android during the week of June 6, 2011.
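The advisory gives two different fixed builds (10.3.181.22 for the plugin, 10.3.181.23 for the ActiveX control), so a naive string comparison against one number will misclassify the other flavour. The script below is an added example, not Adobe's or ZDNet's code: it parses dotted four-part Flash versions into integer tuples and flags inventory entries that are below the fixed build for their flavour. The inventory rows are constructed sample data, not real hosts.

```python
"""Check whether an installed Flash Player build is at or above the fixed
version for CVE-2011-2107.  The version numbers come from Adobe's advisory
as quoted in the article; the inventory rows are constructed samples."""

# Fixed builds from the advisory: plugin/standalone vs. the ActiveX control for IE.
FIXED_PLUGIN = (10, 3, 181, 22)
FIXED_ACTIVEX = (10, 3, 181, 23)


def parse_version(text):
    """Turn '10.3.181.16' into a tuple of ints so versions compare numerically.

    A plain string comparison would rank '10.3.181.9' above '10.3.181.22',
    which is exactly the mistake that leaves a vulnerable build marked as patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Flash version format: %r" % text)
    return tuple(int(p) for p in parts)


def needs_update(version, activex=False):
    """True if this build is older than the fixed build for its flavour."""
    fixed = FIXED_ACTIVEX if activex else FIXED_PLUGIN
    return parse_version(version) < fixed


# Constructed inventory: (hostname, reported Flash version, is ActiveX control)
SAMPLE_INVENTORY = [
    ("ws-01", "10.3.181.16", False),  # vulnerable plugin build named in the advisory
    ("ws-02", "10.3.181.22", False),  # patched plugin
    ("ws-03", "10.3.181.22", True),   # ActiveX needs .23, so this one is still exposed
    ("ws-04", "10.3.181.23", True),   # patched ActiveX
    ("ws-05", "10.2.159.1", False),   # constructed older 10.x build, vulnerable
]


def vulnerable_hosts(inventory):
    """Return hostnames whose Flash build is below the fixed version."""
    return [host for host, ver, ax in inventory if needs_update(ver, ax)]


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print("update required:", host)
```

The ActiveX distinction matters in practice: a host running Internet Explorer and another browser carries both flavours, and each must be checked against its own fixed build.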

The company said it is still investigating the impact to the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.


RE: Hackers exploiting Flash Player XSS vulnerability
lovedong 12th Sep
Thanks a lot for your sharing. chanel bags
0 Votes
+ -
Linux is safe
Linux Geek 6th Jun
it's only a windoze & machinto$h issue
@Linux Geek Learn to read, my resident jester, learn to read!!!
@Linux Geek

Of course it is - there are too few Linux users to be counted in this context... BTW, the bulletin quoted from Adobe specifically states "Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update..." to the latest version. Dream on, dream on...
0 Votes
+ -
@Linux Geek if you read the post above, it says that Adobe recommends updating for Windows, Mac, Linux, Solaris, etc. So, guess it's a universal problem. Just because it can't run as system software doesn't mean it's not a problem!
@Linux Geek

Sad that more and more clueless Linux users are becoming PEBKAC weak links just like you.

https://encrypted.google.com/#hl=en&q=pebkac

~~~~~~~~~~
Art, like morality, consists of drawing the line somewhere.
~ G.K. Chesterton
@Linux Geek
The update appeared in the repository this evening, and you're only safe if you've installed it already. Or uninstalled Flash entirely, I suppose.
0 Votes
+ -
@Linux Geek
You are such an ignorant troll, aren't you?
@Linux Geek Not true. Applies to all versions of flash. Plus XSS is a browser level exploit.
@Linux Geek You must be a devil with the ladies... "Hi, I'm LG. Do you use Linux? I use Linux. Everyone needs to have a relationship with our savior, Linux. Wanna come to my Linux party this Friday? It's just me and my keyboard, but, you know...".

Strive to have more in your life than just your OS and keyboard.
0 Votes
+ -
Seriously.... what a bloated piece of crapware on all platforms.

I give full credit to MS for making Silverlight, and full credit to Apple for telling Adobe to buzz off.

Now.... all we need is silverlight to work everywhere...
@croberts

Silverlight already does... On PS3, Xbox, iPhone, iPad, and Android. Anybody using Netflix? Cuz, it's based on Microsoft's Silverlight.

Proof? https://encrypted.google.com/#hl=en&q=netflix+uses+silverlight

~~~~~~~~~~
The true civilization is where every man gives to every other every right that he claims for himself.
~ Robert Ingersoll, 1833-1899
0 Votes
+ -
@WinTard
As far as I know Silverlight won't work on sites like Youtube, and until it does, it won't replace the craptastic Flash POS.
0 Votes
+ -
@croberts

Nah we don't need another proprietary crap from Microsoft. HTML5 is the future, not silverlight or flash
@shellcodes_coder spot on.
@shellcodes_coder

Like I said in an earlier post. Apple has software on their app store for $39.95 drag & drop HTML5, plus if you can actually program, it allows you to add extra code.
0 Votes
+ -
not on Linux...
pgit 7th Jun
@croberts To run silverlight on Linux you have to install a crap load of dependencies under the heading "mono." If you scroogle that up you'll see reports of horrific bugginess, resource hogging, and raging debates on the use of non-"free" code in the Linux environment.

Mono crapped up a test unit I had so bad it was easier to reinstall than try to rip its moldy tentacles out of the system.

I've never gotten silverlight to work anything close to acceptable on Linux, and as they say: "go figure." HTML5 works wonderfully. I agree that's the way to go into the future, except they need a "Manhattan project" to get the thing off the drawing boards...
Cross site scripting is not an attack on the platform. It's an attack on the browser and server so no OS is safe/unsafe because no OS is directly attacked. Of course, that's not going to help you any if an attacker gains your passwords and/or other sensitive information!

This is a Flash problem but it's also a problem that many web developers are not programmers. Their reliance on products like Flash is itself a huge security problem.
0 Votes
+ -
@cwt001

iOS has no Flash, therefore iOS is safe.
@bannedagain Uh... No. It's safe from THIS particular XSS attack, but not safe from XSS attacks in general.
0 Votes
+ -
Flash !!!
archangel9999 6th Jun
Ah Flash, the ultimate Trojan - Adobe software should be banned from all computers - it's some of the worst software out there
@archangel9999 Never had a problem with it personally. All software has bugs.
Name me 1 piece of software, operating systems included, that has never had 1 patch... didn't think so.
FUD
0 Votes
+ -
@archangel9999
No other discrete program has enabled more viruses, trojans and malware. It is, seriously, a security exploit mechanism that plays media on the side. The last time I checked, to verify, which was a few months ago, 119 zero day vulnerabilities and over 200 critical fixes over 2 years posted right here in this very blog.

For a program to compete with the old ActiveX in terms of exploitable, that is saying something.

Quicktime should STILL be banned and scrapped, there will be a few more zero day exploits posted here at ZDNet concerning QT.

Ed has a good writeup on how to remove QT but still be able to use iTunes. He didn't do that because it wasn't needed, so people who post from glass houses shouldn't throw rocks.

And for the record, except that it is needed for a complete web experience, flash needs serious optimization and security overhaul.
0 Votes
+ -
This is the reason I don't have flash installed. Of course Chrome does come with flash player but it's disabled on my system. Safest way to go--dump security nightmare flash happy
0 Votes
+ -
ff
freaknout Updated - 7th Jun
dup sorry
or you can use the flash block add on for firefox
0 Votes
+ -
@freaknout Flash block is nice, but I prefer the more shotgun approach of noscript...
0 Votes
+ -
@freaknout
You can disable flash w/o any add-on on Firefox and Chrome.
Apple has been saying (along with MS) that HTML 5 will have the same capabilities as Flash and will be free to use. On the Apple app store last week they were advertising drag & drop website creation software (yes you can do your own programming if you're able, but don't need to for simple sites) that utilizes HTML5. The cost was $39.95.
