Adobe has released an emergency fix for a bug in Flash Player that is being used to try to trick Gmail users into clicking on a malicious link in an e-mail message in order to forward e-mail messages to an attacker's account, an Adobe spokeswoman said today.
"The user receives an email and is tricked into clicking on a malicious link. When the user is logged on to a Gmail session and visits the site, this new (attacker's) forwarding address has been added to the user's account," because Gmail enables you to forward e-mails automatically and grant others access to the account, spokeswoman Wiebke Lips wrote in an e-mail describing how the exploit has been used in attacks.
The reported attacks, which did not involve using stolen passwords, could affect any Web-based e-mail service and be used in different types of attacks. Basically, an unpatched Flash Player could be exploited to allow an attacker to take any actions on a user's behalf on any Web site or Web e-mail provider, according to Google.
"As always with these types of attacks, keep in mind though that it is possible that there are other variations we just haven't seen yet--including variations that may not even involve a Flash Player vulnerability," she said. In addition, it's possible that the attacks are not limited to Gmail users and could be targeting people using other Web-based e-mail services, Lips added.
"This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website," Adobe said in its advisory issued yesterday.
Google, which had reported the flaw to Adobe, also updated the Flash Player software that comes bundled in the Chrome browser.
"We have implemented measures to help protect Gmail users, and we have released updates for the Beta and Stable channels of Chrome to incorporate the fix provided by Adobe," a Google spokesman said in a statement.
Adobe's patch, released yesterday, fixes the "important" bug in Adobe Flash Player 10.3.181.16 and earlier for Windows, Mac, Linux, and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android, according to the advisory.
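For an administrator who needs to know which machines still run an affected build, the affected-version ranges above translate directly into a version check. The following is an added example, not code from the article, Adobe or Google: it parses a Flash Player version string, compares it against the highest affected version Adobe lists for each platform, and triages a constructed host inventory. The host names, platforms and version numbers in the sample inventory are made up for illustration; the only real values are the two "and earlier" thresholds quoted from the advisory.

```python
import re

# Highest affected versions per platform, as stated in Adobe's advisory for
# CVE-2011-2107: 10.3.181.16 and earlier on Windows, Mac, Linux and Solaris,
# 10.3.185.22 and earlier on Android. Anything at or below these needs the update.
LAST_AFFECTED = {
    "windows": (10, 3, 181, 16),
    "mac": (10, 3, 181, 16),
    "linux": (10, 3, 181, 16),
    "solaris": (10, 3, 181, 16),
    "android": (10, 3, 185, 22),
}

# Constructed sample inventory: (hostname, platform, reported Flash version).
# None of these hosts or version numbers are from the article.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "10.3.181.16"),      # exactly the last affected build
    ("ws-02", "Windows", "WIN 10,3,181,22"),  # constructed patched-style build
    ("mac-07", "Mac", "10.2.159.1"),          # older branch, still affected
    ("lx-03", "Linux", "10.3.181.14"),        # affected
    ("phone-1", "Android", "10.3.185.22"),    # exactly the last affected build
    ("phone-2", "Android", "10.3.185.23"),    # constructed build above the threshold
]


def parse_version(text):
    """Turn a Flash version string into a 4-tuple of ints.

    Accepts the dotted form ('10.3.181.16') and the comma-separated form with an
    optional platform prefix ('WIN 10,3,181,16') that Flash itself reports.
    Raises ValueError on anything else rather than guessing.
    """
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text, platform):
    """True if this build is at or below the last affected version for its platform.

    Tuple comparison is lexicographic, so 10.3.181.16 <= 10.3.181.16 is True and
    10.3.181.22 <= 10.3.181.16 is False, which is what a version comparison needs
    (a naive string compare would get e.g. '10.3.181.9' vs '10.3.181.16' wrong).
    """
    key = platform.strip().lower()
    if key not in LAST_AFFECTED:
        raise ValueError(f"no advisory data for platform {platform!r}")
    return parse_version(version_text) <= LAST_AFFECTED[key]


def triage_inventory(records):
    """Return the hostnames that still need the Flash Player update."""
    needs_update = []
    for host, platform, version in records:
        if is_vulnerable(version, platform):
            needs_update.append(host)
    return needs_update


if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2011-2107, update Flash Player")
```

Because Chrome bundles its own copy of Flash, a host can carry two Flash builds (the system plug-in and Chrome's); the check above has to be run against each copy separately, and the Chrome copy is only current once the browser itself has picked up the updated channel build mentioned by Google.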
Meanwhile, Adobe said it is still investigating the impact on the Authplay.dll component, which renders Flash content embedded in PDF files and ships with Adobe Reader and Acrobat.
Updated at 1:41 p.m. PT to correct that stolen passwords were not involved in the attacks as was initially reported by Adobe, and at 12:20 p.m. PT and 11:58 a.m. PT with more details on attack method.