Jun 15, 2011 15:56 GMT

Adobe has patched a critical vulnerability in Flash Player that was being actively exploited in the wild to infect users with malware.

The vulnerability, identified as CVE-2011-2110, was addressed in the newly released Adobe Flash Player 10.3.181.26 for Windows, Macintosh, Linux and Solaris.

Flash Player for Android has not been patched yet, but an update is expected by the end of this week.

"This memory corruption vulnerability (CVE-2011-2110) could cause a crash and potentially allow an attacker to take control of the affected system.

"There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages," Adobe warns in its security bulletin.

This is the fourth Flash Player zero-day vulnerability discovered in the wild since March and the second this month alone.

It seems that with Adobe Reader for Windows being harder to exploit thanks to the new sandboxing technology in version 10 (X), cyber criminals are focusing their attention on Flash.

When we spoke last month with Steve Adegbite at the Hack in the Box 2011 conference in Amsterdam, he told us that Adobe is working on a sandbox-like protection for Flash Player too, but it's a very long way from being ready.

Unlike Java, which is not used that much on the web anymore and can be disabled from the browser by most users, Flash is still important for a good web experience.

Google Chrome comes with a bundled Flash Player plug-in that is partially sandboxed and is generally better protected against zero-day exploits than the stand-alone version.

Users are strongly encouraged to make use of the security features in Windows 7, such as UAC, and to use an up-to-date antivirus program, preferably one capable of behavioral detection.

The latest version of Flash Player for Windows can be downloaded from here. The latest version of Flash Player for Mac can be downloaded from here. The latest version of Flash Player for Linux can be downloaded from here.