Hackers are actively exploiting a cross-site scripting (XSS) vulnerability in Adobe’s Flash Player, the company revealed Sunday.
The vulnerability, rated “important,” is present in Flash Player 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris, and in 10.3.185.22 and earlier for Android.
A successful exploit could permit an attacker to “take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website,” according to a security bulletin.
Adobe spokeswoman Wiebke Lips told SCMagazineUS.com that the company is only aware of Gmail users being targeted, but it is likely other webmail users also are affected.
Windows, Mac, Linux and Solaris users can avoid the flaw by upgrading to Flash Player 10.3.181.22. An update to Flash Player for Android is due this week.
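An added example, not part of the article or of Adobe's bulletin: a small inventory check that classifies an installed Flash Player build against the affected and fixed versions the article states, so an administrator can see which hosts still need the update. The platform keys, the sample inventory and the helper names are assumptions made here.

```python
# Added example: triage Flash Player builds against the versions named in the
# article. Affected: 10.3.181.16 and earlier (Windows/Mac/Linux/Solaris),
# 10.3.185.22 and earlier (Android). Fixed desktop build: 10.3.181.22.
# No Android fix build was published at the time, so none is listed for it.
from typing import List, Tuple

Version = Tuple[int, ...]

AFFECTED_UP_TO = {
    "windows": (10, 3, 181, 16),
    "macintosh": (10, 3, 181, 16),
    "mac": (10, 3, 181, 16),
    "linux": (10, 3, 181, 16),
    "solaris": (10, 3, 181, 16),
    "android": (10, 3, 185, 22),
}
FIXED_BUILD = {p: (10, 3, 181, 22) for p in AFFECTED_UP_TO if p != "android"}


def parse_version(s: str) -> Version:
    """Parse a dotted version such as '10.3.181.16' into a comparable tuple."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, version: str) -> bool:
    """True if this platform/version pair falls in the affected range."""
    plat = platform.lower()
    if plat not in AFFECTED_UP_TO:
        raise ValueError(f"unknown platform: {platform!r}")
    # Tuple comparison is lexicographic, so 10.3.181.22 > 10.3.181.16.
    return parse_version(version) <= AFFECTED_UP_TO[plat]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, platform, version) records to (host, action) pairs."""
    result = []
    for host, platform, version in inventory:
        if not is_affected(platform, version):
            result.append((host, "ok"))
        elif platform.lower() in FIXED_BUILD:
            fixed = ".".join(map(str, FIXED_BUILD[platform.lower()]))
            result.append((host, f"update to {fixed}"))
        else:
            result.append((host, "affected; fix pending"))
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "10.3.181.16"),
    ("ws-02", "Mac", "10.3.181.22"),
    ("phone-07", "Android", "10.3.185.22"),
]
```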
XSS flaws are among the most common vulnerabilities on the internet.
“An attacker can use XSS to send a malicious script to an unsuspecting user,” according to the Open Web Application Security Project (OWASP). “The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with [a] site.”