If successfully exploited, the vulnerability could allow hackers to crash and even take control of an affected system.
According to Adobe, the Microsoft Vulnerability Research (MSVR) program reported the vulnerability on April 25. The patch was pushed out as soon as it was available, a company spokesperson said.
“There are reports that the object confusion vulnerability (CVE-2012-0779) addressed in this update is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message,” Wendy Poland, senior program manager on Adobe’s Product Security Incident Response Team, explained in a blog post. “The exploit targets Flash Player on Internet Explorer for Windows only.”
The vulnerability exists in Flash Player versions 11.2.202.233 and earlier for Windows, Macintosh and Linux systems, as well as versions 11.1.115.7 and earlier for Android 4.x and versions 11.1.111.8 and earlier for Android versions 3.x and 2.x. The company said it plans to include a Google Play link for Android users at some point today so that they can get the update for their devices.
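Since the affected ranges differ by platform, a defender checking an inventory of installed Flash Player builds needs a proper numeric version comparison rather than string matching. The following is an added example, not code from Adobe or from the article; the platform keys, the helper names and the sample inventory are constructed here, and the version thresholds are the ones the advisory text above lists.

```python
"""Triage an inventory of Flash Player installs against the affected
ranges for CVE-2012-0779 (added example; thresholds from the advisory text)."""

from typing import Dict, Iterable, List, Tuple

# Highest affected build per platform, as listed in the advisory.
# Anything at or below these values still carries the bug.
AFFECTED_UP_TO: Dict[str, str] = {
    "windows": "11.2.202.233",
    "macintosh": "11.2.202.233",
    "linux": "11.2.202.233",
    "android-4": "11.1.115.7",   # Android 4.x
    "android-3": "11.1.111.8",   # Android 3.x
    "android-2": "11.1.111.8",   # Android 2.x
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.2.202.233' into (11, 2, 202, 233) so tuples compare numerically.

    A plain string comparison would wrongly rank '9.0.0.0' above '11.2.202.233'.
    Missing trailing components are padded with zeros, so '11.2' == '11.2.0.0'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(platform: str, installed: str) -> bool:
    """True when the installed build is at or below the platform's affected ceiling."""
    key = platform.lower()
    if key not in AFFECTED_UP_TO:
        raise KeyError(f"no affected range known for platform {platform!r}")
    return parse_version(installed) <= parse_version(AFFECTED_UP_TO[key])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts (in input order) that still need the update.

    inventory rows are (hostname, platform, installed_version).
    """
    return [host for host, plat, ver in inventory if is_affected(plat, ver)]


# Constructed sample inventory; the hostnames and the "newer" build numbers
# are invented for illustration and are not real release numbers.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "11.2.202.233"),    # exactly the last affected build
    ("ws-02", "windows", "11.2.202.235"),    # hypothetical newer build
    ("ws-03", "linux", "10.3.183.18"),       # older branch, still affected
    ("tab-01", "android-4", "11.1.115.7"),   # last affected Android 4.x build
    ("tab-02", "android-3", "11.1.111.9"),   # hypothetical newer Android 3.x build
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

The comparison is inclusive on purpose: the advisory says "and earlier", so a build equal to the listed ceiling is still affected. Hosts whose platform is not in the table raise rather than silently passing, so an unrecognised entry in the inventory is noticed instead of being reported as clean.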
“The patch is of highest urgency as there are attacks in the wild against the vulnerability,” said Wolfgang Kandek, CTO of Qualys.
“Users that have opted in to participate in the newly introduced ‘silent update’ feature (currently only available on Windows) will have the update applied automatically on all browsers present on their system,” he continued. “Users of other operating systems and users that have opted out of ‘silent update’ need to manually install on all browsers.”
Alex Horan, senior product manager at penetration testing firm CORE Security, said Flash Player makes for a fantastic target for opportunistic attackers.
“For a lot of modern and exciting Websites you need Flash to view their content, see their videos, etc., so the first time a user visited a site like that they would have installed Flash,” he said. “The likelihood that they ever considered upgrading it is close to zero; as such, attackers know there are a lot of browsers running old and vulnerable versions of Flash and that their browser will automatically load their Flash attacks with no prompt to the user.”