Adobe has issued a Security Advisory [APSA11-01] warning of a critical security vulnerability in its Flash Player. The flaw affects current and previous versions of Flash Player for all platforms (Windows, Linux, Mac OS X, Android, and Solaris); it also affects Adobe’s Reader and Acrobat products, since they have embedded versions of the player. Adobe says that Reader X for Windows is not vulnerable, since its “sandboxing” of the player prevents the flaw from being exploited. More details on the scope of the vulnerability are in the Security Advisory.
At present, attempts to exploit this flaw have taken the form of targeted e-mail attacks carrying an Excel spreadsheet attachment with an embedded Flash object. (Why anyone needs to embed a Flash video in a spreadsheet is a question that I cannot answer.) I will post updated information here if I learn of more widespread attacks.
Adobe’s note also says that they intend to release patches for affected versions of the Flash Player, Reader, and Acrobat during the week of March 21. A post on Adobe’s Secure Software Engineering Team [ASSET] blog discusses the patch schedule.
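
The delivery vehicle described above (an Excel attachment with an embedded Flash object) can be checked for at a mail gateway or during attachment triage. The following Python is an added example, not code from Adobe or from the original post; it assumes the legacy OLE2 binary spreadsheet format, and the function names, plausibility limits and sample bytes are constructed for illustration.

```python
import struct

# OLE2 compound-file magic, used by legacy binary Office formats such as .xls.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# SWF headers start with "FWS" (uncompressed) or "CWS" (zlib-compressed),
# followed by a 1-byte version and a 4-byte little-endian file length.
SWF_SIGNATURES = (b"FWS", b"CWS")


def is_ole2(data: bytes) -> bool:
    return data.startswith(OLE2_MAGIC)


def find_embedded_swf(data: bytes, max_version: int = 40,
                      max_len: int = 64 * 1024 * 1024):
    """Return (offset, signature, version, declared_length) for each
    plausible SWF header. The limits are assumptions chosen to reject
    chance matches of the 3-byte signature in unrelated data."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                (length,) = struct.unpack("<I", header[4:8])
                if 1 <= version <= max_version and 8 < length <= max_len:
                    hits.append((pos, sig.decode("ascii"), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def triage_attachment(name: str, data: bytes) -> dict:
    """Flag an attachment that is an OLE2 document carrying a SWF header."""
    ole2 = is_ole2(data)
    hits = find_embedded_swf(data) if ole2 else []
    return {"name": name, "ole2": ole2, "swf_hits": hits, "flag": bool(hits)}


# Constructed sample: OLE2 magic, padding, then a SWF header (version 10).
CONSTRUCTED_XLS = (OLE2_MAGIC + b"\x00" * 504 +
                   b"FWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x00" * 16)
# Constructed decoy: the letters "FWS" in ordinary text inside an OLE2 file.
CONSTRUCTED_DECOY = OLE2_MAGIC + b"\x00" * 56 + b"FWS report for Q1"

if __name__ == "__main__":
    print(triage_attachment("sample.xls", CONSTRUCTED_XLS))
    print(triage_attachment("decoy.xls", CONSTRUCTED_DECOY))
```

A hit is a triage signal for closer inspection, not a verdict: a Flash object that is stored compressed or wrapped inside another stream will not match this byte-level check.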