Adobe Systems Inc. is pushing a security update to repair a critical zero-day Flash Player vulnerability that is being used by attackers in an email campaign targeting Internet Explorer users.
There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message.
“There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message,” Adobe said in a statement. “The exploit targets Flash Player on Internet Explorer for Windows only.”
Attackers appear to be targeting users with PDF attachments containing malicious Flash Player exploit code.
Adobe recommends Windows, Mac and Linux users running Adobe Flash Player version 184.108.40.206, Android 4.x users running version 220.127.116.11, and Android 3.x users running version 18.104.22.168 and all earlier versions perform updates immediately. Adobe’s bulletin states Windows users should consider this a “level 1 priority.”
Adobe also advised that if Flash Player was downloaded with Google Chrome, it has received an automatic update and no action is required. Instructions for performing the updates can be found in the bulletin.
The object confusion vulnerability CVE-2012-0779 was reported by Microsoft Vulnerability Research.
Adobe issued an update for Flash Player in late March, repairing critical flaws in the popular browser plug-in. The March update also introduced a silent automatic updater feature.