According to a diary entry at the SANS Internet Storm Center, a new security vulnerability has been discovered in Adobe’s Flash Player; the most recent version, 18.104.22.168, and all previous versions, are affected, on all platforms. The vulnerability is serious, allowing remote code execution as the logged-in user, via a malicious Flash (.SWF) file. Fortunately, no exploits have been observed “in the wild”, but this could change quickly.
At this point, Adobe has not issued a security advisory, and there is no patch or work-around available. Not much has been published so far about the details of the vulnerability. There is a brief bulletin at Security Tracker. The vulnerability identifiers CVE-2011-4693 and CVE-2011-4694 have been assigned for tracking purposes.
This is a potentially nasty flaw that merits watching; I hope Adobe will get a patch or mitigation out quickly. I’ll post a follow-up note here if I get any further information.