Reported by Huzaifa S. Sidhpurwala.
That vulnerability shares some traits with an earlier Flash flaw that was used to target Gmail accounts in June.
Vulnerability details
Advisory: SB2011092101 - Multiple vulnerabilities in Adobe Flash Player
Vulnerable component: Adobe Flash Player
CVE-ID: CVE-2011-2444
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description:
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-input passed via a crafted URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited in click-jacking campaigns.
External links:
https://googlechromereleases.blogspot.com/2011/09/stable-channel-update_20.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
http://www.techcentral.ie/adobe-patches-critical-flash-bug/
http://energy.gov/cio/articles/t-723adobe-flash-player-multiple-bugs-let-remote-users-obtain-informa...
http://www.macworld.co.uk/news/mac-software/adobe-patches-flash-bug-hackers-are-already-exploiting-3...
http://www.infosecisland.com/blogview/16669-Adobe-Issues-Patch-for-Flash-Zero-Day-Vulnerability.html
http://www.simmtester.com/page/news/shownews.asp?num=14190
http://blogs.utpa.edu/infosecurity/2011/09/23/cross-site-scripting-xss-vulnerability-in-adobe-flash-...
http://blog.trendmicro.com/trendlabs-security-intelligence/adobe-releases-out-of-band-patch/
https://www.intego.com/mac-security-blog/zero-day-flash-vulnerability-prompts-rushed-update/
http://www.its.ms.gov/Services/SecurityAlerts/2011_9_21-Multiple-Vulnerabilities-in-Adobe-Flash-Play...