Adobe Systems Inc. has issued a critical Flash Player security update, repairing six vulnerabilities and at least one flaw being actively targeted by cybercriminals in an email attack.
The flaw, an Adobe Flash Player cross-site scripting (XSS) vulnerability, could be used against a user once they are tricked into visiting a malicious website, Adobe said. The critical update affects all versions of Adobe Flash Player running on Windows, Macintosh, Linux and Solaris, as well as the mobile version for Google Android devices.
“These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in its security advisory, issued Wednesday.
Adobe recommends users upgrade to Adobe Flash Player 10.3.183.10 or Adobe Flash Player for Android 10.3.186.7. The update fixes a variety of errors that could cause the browser to crash, allow information disclosure and enable attackers to execute code.
At least one of the flaws, a memory corruption vulnerability, was discovered by security researchers at Fortinet Inc. Danish vulnerability clearinghouse Secunia gave the Adobe Flash Player security update a “highly critical” rating. “Certain unspecified input is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site,” Secunia said in its advisory.