Adobe today issued an out-of-band software update to fix dangerous security flaws in its Flash Player products, including at least one that is actively being exploited. Patches are available for versions of Flash on Windows, Mac, Linux, Solaris and Android operating systems.
Adobe said one of the bugs, a cross-site scripting flaw, is being exploited in the wild in targeted attacks to trick users into clicking on a malicious link delivered in an email message. At the moment there isn’t much more information about this vulnerability (other than that Adobe credits Google with reporting it). That may soon change if news begins to surface about which organizations were targeted with the help of this flaw.
According to Adobe: “This universal cross-site scripting issue could be used to take actions on a user’s behalf on any website or webmail provider if the user visits a malicious website.”
This update applies to Flash Player 10.3.183.7 and earlier on Windows, Mac, Linux and Solaris systems, and Flash 10.3.186.6 for Android. Adobe’s bulletin says the company is fixing at least six different security flaws in this update. The latest version for Android devices is 10.3.186.7; for all others it is 10.3.183.10.
To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.
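For anyone checking more than one machine, the numbers above are enough to flag unpatched installs automatically. The script below is an added example, not Adobe's code or anything from the original post: it compares installed Flash versions against the fixed versions named in the bulletin (10.3.183.10 for Windows, Mac, Linux and Solaris; 10.3.186.7 for Android) and lists every install that is still below them. The inventory rows, host names and plugin labels are constructed for illustration. It also records a Windows host twice, once for the ActiveX control IE uses and once for the plugin other browsers use, which is why the article says Windows users need to apply the update twice.

```python
"""Flag Flash Player installs that are still below the patched versions.

Added example; the inventory records below are constructed, not real data.
"""
from typing import Dict, List, Tuple

# Fixed versions named in Adobe's bulletin; anything below these is unpatched.
PATCHED: Dict[str, str] = {
    "windows": "10.3.183.10",
    "mac": "10.3.183.10",
    "linux": "10.3.183.10",
    "solaris": "10.3.183.10",
    "android": "10.3.186.7",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.3.183.7' into (10, 3, 183, 7) so comparison is numeric.

    Comparing the raw strings is a classic mistake: '10.3.183.7' sorts
    *above* '10.3.183.10' because '7' > '1' character by character.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> bool:
    """True when the installed build predates the fixed build for its platform."""
    fixed = PATCHED[platform.lower()]
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory: (host, platform, plugin, installed version).
# ws-01 carries two Flash installs, the ActiveX control for IE and the plugin
# used by other browsers; only one of them has been updated so far.
INVENTORY: List[Tuple[str, str, str, str]] = [
    ("ws-01", "windows", "ie-activex", "10.3.183.10"),
    ("ws-01", "windows", "npapi-plugin", "10.3.183.7"),
    ("mac-02", "mac", "npapi-plugin", "10.3.183.10"),
    ("srv-03", "linux", "npapi-plugin", "10.3.181.34"),
    ("phone-04", "android", "system", "10.3.186.6"),
    ("phone-05", "android", "system", "10.3.186.7"),
]


def find_unpatched(
    inventory: List[Tuple[str, str, str, str]]
) -> List[Tuple[str, str, str]]:
    """Return (host, plugin, version) for every install still below the fix."""
    return [
        (host, plugin, version)
        for host, platform, plugin, version in inventory
        if is_vulnerable(platform, version)
    ]


if __name__ == "__main__":
    for host, plugin, version in find_unpatched(INVENTORY):
        print(f"{host}: {plugin} at {version} still needs the update")
```

The point of the numeric parse is the one that bites most hand-written checks: a version string compared as text will report 10.3.183.7 as newer than 10.3.183.10 and quietly skip the machine that most needs patching.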