Adobe released an out-of-band security update to address six critical vulnerabilities, all affecting Adobe Flash Player.
One of the six, a cross-site scripting (XSS) vulnerability identified as CVE-2011-2444, is reportedly being exploited in the wild, in targeted attacks that involve malicious links sent to targets via email.
Adobe attributed the discovery of CVE-2011-2444 to Google, which, in response to finding the vulnerability, issued an update for the Google Chrome browser to prevent attackers from exploiting the security hole.
Users are strongly advised to apply the patches as soon as possible, especially since exploiting any of the addressed vulnerabilities can lead to either remote code execution or information disclosure.
Note that users who use multiple browsers may need to update their other browsers separately. Users can visit this page in each of their browsers to check whether they have the latest version of Adobe Flash Player installed, and this page to update.
Here is the list of Adobe Flash Player versions affected by the vulnerabilities addressed by this update:
- Flash Player 10.3.183.7 and earlier
- Flash Player 10.3.183.7 and earlier for network distribution
- Flash Player 10.3.186.6 and earlier for Android
- Flash Player 10.3.183.7 and earlier for Chrome
We will update this post once we find more information about the exploit.