Adobe issued a security update this past Friday to address a “critical” zero-day vulnerability (CVE-2012-0779) in its Flash Player browser plugin. According to Adobe's security advisory, the vulnerability is already being exploited in the wild, with attackers tricking victims into clicking on a malicious file delivered in an email message. The attack targets only Flash Player for Internet Explorer on Windows.
“These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system,” reads Adobe’s security advisory. There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only.
Users of Adobe Flash Player 184.108.40.206 and earlier versions for Windows, Macintosh and Linux should update to Adobe Flash Player 220.127.116.11 (those running Flash Player 11.2.x with the automatic update option enabled will receive the update automatically). Users running Adobe Flash Player 18.104.22.168 and earlier versions on Android 4.x devices and Adobe Flash Player 22.214.171.124 and earlier versions for Android 3.x and earlier are also advised to update.