Jun 6, 2011 07:53 GMT

Adobe has released a new update for Flash Player in order to address a cross-site scripting (XSS) vulnerability that is being actively exploited in the wild.

"This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website," Adobe warns in its security bulletin.

There are reports of this vulnerability being exploited in email-based attacks that try to convince users to click on maliciously-crafted links.

While attacks that deliver XSS links through socially engineered emails have been described many times in the past as a proof of concept for cross-site scripting exploitation, the technique has rarely been spotted in the wild.

This means the attacks mentioned by Adobe, which are targeted in nature, are rather unusual. The vulnerability is rated "important," and Adobe recommends that users upgrade to Flash Player 10.3.181.22 for Windows, Macintosh, Linux and Solaris, and to 10.3.181.23 for the ActiveX control. The update for Android is expected later this week.
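To show how the two fixed builds above translate into a patch-status check for a fleet, here is an added example (not Adobe's or the article's code) that flags Flash installs still below the fixed build for their flavour; the hostnames and version strings are constructed, and the comma-separated form is the one Flash's `$version` string reports.

```python
"""Flag Flash Player installs still below the fixed builds named in
Adobe's CVE-2011-2107 bulletin. Added example, not Adobe's code."""

from typing import List, Tuple

# Fixed builds from the bulletin: the ActiveX control for Internet Explorer
# has its own build number; every other platform shares the plugin build.
FIXED_PLUGIN = (10, 3, 181, 22)
FIXED_ACTIVEX = (10, 3, 181, 23)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.181.14' (or the comma form '10,3,181,14' that the
    $version string uses) into a comparable tuple of ints."""
    parts = text.strip().replace(",", ".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, activex: bool = False) -> bool:
    """True if the install is at or above the fixed build for its flavour."""
    fixed = FIXED_ACTIVEX if activex else FIXED_PLUGIN
    return parse_version(version) >= fixed


def find_unpatched(inventory: List[Tuple[str, str, bool]]) -> List[str]:
    """inventory rows: (host, version_string, is_activex). Returns hosts
    still exposed to CVE-2011-2107, plus hosts whose version could not be
    parsed (reported as unpatched rather than silently skipped)."""
    exposed = []
    for host, version, activex in inventory:
        try:
            if not is_patched(version, activex):
                exposed.append(host)
        except ValueError:
            exposed.append(host)
    return exposed


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "10.3.181.14", False),  # plugin, pre-fix build
    ("ws-02", "10.3.181.22", False),  # plugin, exactly the fixed build
    ("ws-03", "10,3,181,22", True),   # ActiveX at the plugin fix level: still short
    ("ws-04", "10.3.181.23", True),   # ActiveX fixed build
    ("ws-05", "unknown", False),      # inventory gap, reported rather than ignored
]

if __name__ == "__main__":
    print(find_unpatched(SAMPLE_INVENTORY))  # ['ws-01', 'ws-03', 'ws-05']
```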

Usually, Flash Player vulnerabilities also impact Adobe Reader and Acrobat because of the bundled AuthPlay.dll component, which provides Flash playback support in PDF documents.

However, the company has not yet determined if and how this flaw impacts its other products. "Adobe is still investigating the impact to the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems. Adobe is not aware of any attacks targeting Adobe Reader or Acrobat in the wild," the vendor says.
