Adobe has issued an urgent patch for Flash Player after discovering a zero-day cross-site scripting vulnerability that is being exploited by email-borne attacks.
Anyone with Flash Player 10.3.181.16 or earlier for Windows, Mac, or Linux should update to 10.3.181.22 (10.3.181.23 for ActiveX) as soon as possible to address the CVE-2011-2107 vulnerability, rated as “important” rather than critical. The same flaw affects Flash running on Android devices, which the company said it would address in a separate fix this week.
Despite the lower security billing under the Common Vulnerabilities and Exposures (CVE) system, the patch was considered serious enough for Adobe to fix outside its normal monthly cycle, all part of the company’s reformed ‘beter safe than sorry’ attitude to patching in the wake of repeated attacks on its plug-ins during 2008, 2009, and 2010.
Users can check which Flash Player they have installed by visiting Adobe’s version-checking website. This should install automatically this week but can also be manually installed from Adobe’s site.
Rapid patching is now necessary, almost regardless of the criticality of a bug. Only two weeks ago a report by vulnerability management company Qualys found that browser plug-ins are now the biggest area of vulnerability in many PCs. Forty percent of scanned PCs were found to be running a vulnerable version of Java, double the percentage for Flash, which has improved its score in recent times.
Adobe has in also in recent time retrofitted sanboxes to its Flash Player and Reader software in an effort to minimise what attackers can do using exploits. Researchers have managed to find ways around this technology, however.