
Exotic XSS bug in Adobe Flash controlled users’ Web accounts

Adobe has plugged a hole in its ubiquitous Flash media player that attackers were exploiting to control services such as webmail accessed by end users.

The universal XSS, or cross-site scripting, vulnerability is present in all versions of Flash, but was only being actively exploited in versions that worked with Microsoft’s Internet Explorer browser. In a security bulletin, Adobe credited Google for discovery of the bug and warned it “could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website.” Representatives with Adobe and Google didn’t elaborate on the in-the-wild attacks or the underlying bug, except for an Adobe spokeswoman saying Google first reported it on February 10.

Security researchers, meanwhile, said the squashed bug was exotic.

“They’re kind of rare and they’re extremely powerful, so now you’re talking about an 0-day cross-site scripting flaw being used in the wild, which can really only be useful for account takeovers,” said Jeremiah Grossman, a Web security expert and the CTO of WhiteHat Security. “For an attacker to find one and use it in the wild, that’s the first I’ve ever heard of.”

Most XSS vulnerabilities are the result of coding errors on a specific website. A universal XSS, by contrast, stems from bugs in browsers or plugins and can be exploited against any site the user visits through that software. Besides its zero-day status as a vulnerability—meaning it was fixed only after it was under attack—the Flash bug is noteworthy because it affects software that is installed on a majority of the world’s computers. What’s more, universal XSS vulnerabilities typically give an attacker the ability to run custom-written JavaScript in a victim’s browser that can steal the authentication cookies used to log into private accounts and take similar actions, such as sending spam or messages to every address in an address book.

Over the past few years, Adobe has worked hard to improve the security of its Acrobat, Reader, and Flash applications, which are available for Windows, Mac OS X, and Linux operating systems and installed on millions of machines. In 2010, the software maker released a Windows version of Reader that included a security sandbox isolating the document viewer from sensitive OS functions, such as changing registry settings and writing or modifying crucial files. That same year, Adobe Flash for Google Chrome added similar protection. Last week, Adobe released a beta version of Flash for Firefox running on Windows Vista and Windows 7 with the same kind of protection, and has said similar protection will be coming to the IE version of Flash soon.

As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

“Adobe and Google, when they create their sandboxes, they’re designing them to stop memory corruption vulnerabilities,” Chris Rohlf of Leaf Security Research told Ars. “To their credit, the sandboxes do a good job of stopping memory corruption vulnerabilities, but they’re simply not designed to stop these sorts of things.”

An updated version of Flash, which includes fixes for several other vulnerabilities Adobe rated as critical, is available here.
