Flash Player update closes zero-day
Adobe has released an update to Flash Player to close a zero-day vulnerability. The "universal" cross-site scripting flaw could, said Adobe, be used to take actions on a user's behalf on any web site or web mail provider once the user had visited a malicious site. The flaw is reportedly already being exploited in "active targeted attacks", with malicious links being delivered by email.
Adobe does not give any more details of the flaw, but it affects version 10.3.181.16 and earlier versions of Flash Player for Windows, Mac OS X, Linux and Solaris, and 10.3.185.22 and earlier versions on Android. Adobe recommends that users update to the latest versions of the player, specifically 10.3.181.22 for Windows, Mac OS X, Linux and Solaris, and 10.3.181.23 for ActiveX. Users who are unsure what version of Flash they have installed should refer to this page. The latest versions of Flash Player are also available on get.adobe.com/flashplayer.
Google has also released an update which incorporates the fixes to Flash Player. This update for the stable version of Chrome brings it up to version 11.0.696.77. The update should download automatically and be installed when the browser is next restarted. Otherwise, users can force the update by selecting "About Google Chrome" under the "Wrench" icon and selecting "Update Now". Google has also updated the beta and dev versions of the browser.
There is currently no update available in the Android Market for the Android version of Flash Player. Adobe is also investigating whether Acrobat Reader and its embedded Flash Player are vulnerable.