Adobe has urged PC, Mac, Linux and Android users to download a critical update for Flash Player, in order to mitigate an attack that has already been reported in the wild.
According to Adobe, various vulnerabilities in Flash Player "could cause a crash and potentially allow an attacker to take control of the affected system". Someone is already exploiting one of those flaws, Adobe said on Wednesday.
"There are reports that one of these vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," Adobe said. "This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website."
It is not clear who has been exploiting the vulnerability, but Adobe product security chief Brad Arkin told a conference on Tuesday that zero-day attacks on Adobe's products have, in the last 18 months, come only from "groups that have enough money to build an aircraft carrier". Kaspersky Lab, which reported his speech, suggested that Arkin meant the attackers were state-sponsored.
According to Arkin, the first targets for such attacks are defence contractors, government agencies and large financial services companies. Large enterprises tend to follow, then smaller companies, by which stage a different set of attackers may be involved.
On Wednesday, Adobe said users of Flash Player 10.3.183.7 and earlier versions for Windows, Mac, Linux and Solaris should update to version 10.3.183.10 by visiting Adobe's Flash Player Download Center.
Android users with Flash Player 10.3.186.6 or earlier should go to the Android Market and upgrade to Flash Player for Android 10.3.186.7, the company said.
In its security bulletin, Adobe said the updates would resolve AVM stack overflow issues that may allow for remote code execution and denial-of-service, a logic error that would crash a browser and possibly allow code execution, a Flash Player security control bypass that could allow information disclosure, and a streaming media logic error vulnerability that could also allow code execution.