Adobe Patches Zero Day Flaw
XSS flaw patched on Sunday affects Windows, Mac and Linux users. Android users are still vulnerable.
It's time to update Adobe Flash -- Yes, again.
Adobe issued a new security update for its Adobe Flash Player on Sunday, fixing a vulnerability that it has categorized as 'important'. The important rating is Adobe's second-highest security rating, behind 'critical' and above 'moderate'.
The important flaw is a cross-site scripting (XSS) vulnerability that affects Windows, Macintosh, Linux, Solaris and Android versions of Flash Player. According to Adobe, the flaw is already being exploited in the wild via malicious email links.
"This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website," Adobe warned in its advisory.
The new Adobe Flash Player 10.3.181.22 provides a fix for the XSS flaw for Windows, Macintosh, Linux and Solaris. Adobe has not yet issued an update for Android users, though the plan is to have a new Flash Player for Android release out this week.
Adobe's Reader and Acrobat programs may also be at risk.
"Adobe is still investigating the impact to the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems," Adobe warned.
Adobe added that it is not currently aware of Reader or Acrobat being publicly exploited.
Flash and Reader/Acrobat are often targeted and updated in tandem by Adobe. At the end of April, Adobe updated Acrobat and Reader for security flaws that were first fixed in Flash.