Adobe published an unscheduled emergency patch for Flash Player to address critical security issues.
The Flash Player updates, version 10.3.183.10 for desktop operating systems and 10.3.186.7 for Android, are the company’s response to a universal cross-site scripting (XSS) hole.
The vulnerability is already in the sights of attackers looking to bypass the same-origin policy, allowing them to, for example, take actions on a user’s behalf on any web site or steal a victim’s cookies, Adobe said.
For an attack to be successful, a victim must first click on a malicious link. The company said the vulnerability does not affect the Authplay.dll component included in Reader and Acrobat.
The updates also close five other holes; however, the company offered little information about them. Four of the vulnerabilities allow an attacker to remotely execute arbitrary code on a victim’s system. The company also fixed a security control bypass flaw that could lead to information disclosure.
The vulnerability affects Flash Player versions up to and including 10.3.183.7 for Windows, Mac OS X, Linux and Solaris, as well as 10.3.186.6 and earlier for Android. The company advises all users to install the upgrade. Users running Chrome already received the Flash Player update in version 14.0.835.186 of the web browser.