Hot on the heels of its Shockwave and Robohelp patches, Adobe has issued a patch for seven critical flaws in its Flash Player, including a zero-day universal cross-site scripting vulnerability.
The cross-site scripting flaw could be used “to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only)”, Adobe explained in its security bulletin.
The other six vulnerabilities could be used to crash systems as well as to take control of them, although Adobe has not seen any attacks in the wild targeting these other flaws. Vulnerable products include Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh, Linux, and Solaris; Adobe Flash Player 18.104.22.168 and earlier versions for Android 4.x; and Adobe Flash Player 22.214.171.124 and earlier versions for Android 3.x and 2.x.