Adobe Flash Player XSS flaw under 'active attack'
Ladies and gentlemen, rev up your Flash Player update engines.
Adobe has shipped a new version of the ubiquitous software to fix at least seven documented security holes affecting Windows, Mac OS X, Linux and Solaris users.
According to Adobe, these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
It also patches a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website.
Adobe has acknowledged reports that the cross-site scripting flaw "is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an e-mail message (Internet Explorer on Windows only).
[ SEE: Ten little things to secure your online presence ]
From Adobe's advisory:Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6.
The raw details:
- This update resolves a memory corruption vulnerability that could lead to code execution (Windows ActiveX control only) (CVE-2012-0751).
- This update resolves a type confusion memory corruption vulnerability that could lead to code execution (CVE-2012-0752).
- This update resolves an MP4 parsing memory corruption vulnerability that could lead to code execution (CVE-2012-0753).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-0754).
- This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0755).
- This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0756).
- This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website (CVE-2012-0767).