Adobe Issues Out-Of-Cycle Fix For Flash Player

The vulnerability, which Adobe designated with the slightly less severe ranking of “important,” is a universal cross-site scripting flaw in Flash Player, specifically version 10.3.181.16 and earlier versions for Windows, Mac OS X, Linux and Solaris, as well as Flash Player 10.3.185.22 and earlier versions for Android.

Adobe issued the Flash Player fix outside of its quarterly patch update cycle -- a move typically reserved for vulnerabilities deemed “critical.”

The most serious ranking of “critical” usually indicates that the flaw can be exploited remotely by hackers for malicious purposes, requiring limited, if any, user intervention.

However, there are reports that the Flash Player flaw is being exploited in active targeted attacks in the wild. If successfully exploited, hackers could take actions on a user’s behalf on an array of Web sites and Web mail services.

During an active attack, a hacker sends a victim a malicious link embedded in an e-mail, and tricks them into opening it. Users are typically enticed to open malicious links through some kind of social engineering scheme, often being duped into opening an e-mail that appears to come from someone they know. Once opened, the link downloads malicious code exploiting the cross-site scripting vulnerability in Flash Player.

Adobe recommends that users update their systems immediately to 10.3.181.22 (10.3.181.23 for ActiveX) and anticipates releasing a Flash Player update for Android some time this week.

Meanwhile, Adobe is still investigating the impact on the Authplay.dll component that is shipped with Adobe Reader and Acrobat X for Windows and Mac OS X systems. Adobe said that thus far, there are no known in-the-wild attacks targeting Adobe Reader or Acrobat.

Users can download the updates directly from the Adobe Web site.