Adobe released an emergency patch yesterday for its Flash Player to address critical security issues.
Adobe said the vulnerabilities covered by the bulletin affect Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Flash Player 10.3.186.6 for Android.
According to the company, the update addresses "critical" security issues in the product as well as an "important" cross-site scripting issue that, it says, is being exploited in targeted attacks. These attacks are designed to trick the user into clicking on a malicious link delivered in an email.
Chester Wisniewski, senior security adviser at Sophos Canada, said: “SophosLabs has yet to see any samples in the wild and notes that CVE-2011-2444 is not straightforward to exploit. Nevertheless, as Adobe reports, this vulnerability has been exploited, albeit only in targeted attacks so far.
“Do watch out though. If adding the bloat of Flash to your browsing experience isn't enough for you, Adobe has decided to default to bundling it with the Google Toolbar or McAfee trialware for Windows users.”
Andrew Storms, director of security at nCircle, said: “It's time for all IT teams to circle the wagons and patch Flash as soon as possible. Adobe has released an update for Flash that covers six bugs, including a zero-day vulnerability that looks very similar to a bug that Adobe patched back in June.
“Adobe said that today's bug 'could be used to act on the user's behalf with webmail providers'. I think we can interpret this to mean that a successful attack using this zero-day bug could allow the attacker to access the user's Gmail account.”