Adobe has released an out-of-cycle update for Flash that fixes a serious vulnerability in the application on all platforms. The bug is a cross-site scripting flaw that can be used in drive-by download attacks and Adobe said that is being used in some targeted attacks right now.
Adobe security officials said that they first found out about the Flash vulnerability on Friday, and the company was able to develop and release a fix for it on Sunday. The bug exists in Flash running on Windows, Mac OS X, Android, Linux and Solaris.
“An important
vulnerability has been identified in Adobe Flash Player 10.3.181.16 and
earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe
Flash Player 10.3.185.22 and earlier versions for Android. This
universal cross-site scripting vulnerability (CVE-2011-2107) could be
used to take actions on a user’s behalf on any website or webmail
provider, if the user visits a malicious website. There are reports that
this vulnerability is being exploited in the wild in active targeted
attacks designed to trick the user into clicking on a malicious link
delivered in an email message,” Adobe said in its advisory.
The fix for Flash running on Android should be available sometime this week, Adobe said.
The company said that is still in the process of investigating whether the Authplay.dll component in Adobe Reader and Acrobat also is vulnerable to this bug, but said that it is not aware of any attacks against those two applications using this flaw.
Google has already released an updated version of its Chrome browser that includes the new Flash player.