Adobe released an out-of-cycle update for Flash that fixes a serious vulnerability in the application on all platforms.
The bug is a universal cross-site scripting flaw that an attacker can exploit in drive-by download attacks, and Adobe said it is already being used in some targeted attacks.
Adobe security officials said they first found out about the Flash vulnerability on Friday, and the company was able to develop and release a fix for it on Sunday. The bug exists in Flash running on Windows, Mac OS X, Android, Linux and Solaris.
“An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message,” Adobe said in its advisory.
The fix for Flash running on Android should be available sometime this week, Adobe said.
The company said it is still investigating whether the Authplay.dll component in Adobe Reader and Acrobat is also vulnerable to this bug, but said it is not aware of any attacks against those two applications using this flaw.
Google has already released an updated version of its Chrome browser that includes the new Flash Player.