A vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for the Google Chrome web browser) for Windows, Macintosh, Linux and Solaris operating systems, and in Adobe Flash Player 10.1.106.16 and earlier versions for Android.
There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. In keeping with tactics frequently used by hackers and malware creators, some of those attachments pretend to be related to a trending subject, such as the recent earthquake and tsunami in Japan. One such file name is “Nuclear Radiation Exposure And Vulnerability Matrix.xls”, and one of the possible email subjects is “Japan Nuclear Radiation Leakage and Vulnerability Analysis”.
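As a triage aid for the delivery method described above, this added example (not code from Adobe or from the original post) scans a file's raw bytes for a plausible SWF header inside an OLE2 (.xls) container. The version and size limits and the sample bytes are assumptions constructed for illustration, and a raw scan can miss a stream that the container stores fragmented or encoded.

```python
import struct
import zlib

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file header used by .xls
MAX_VERSION = 10           # assumption: content authored for Flash Player 10.x or older
MAX_DECLARED = 64 * 2**20  # assumption: ignore declared sizes above 64 MiB

def _plausible(data, pos, sig, version, length):
    if not (1 <= version <= MAX_VERSION and 8 < length <= MAX_DECLARED):
        return False
    if sig == b"FWS":  # uncompressed: declared length is the stored size, so it must fit
        return length <= len(data) - pos
    body = data[pos + 8:pos + 72]  # compressed: a zlib stream follows the 8-byte header
    try:
        zlib.decompressobj().decompress(body)
    except zlib.error:
        return False
    return len(body) > 0

def find_embedded_swf(data):
    """Return sorted (offset, signature, version, declared_length) candidates."""
    hits = []
    for sig in (b"FWS", b"CWS"):
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                (length,) = struct.unpack_from("<I", data, pos + 4)
                if _plausible(data, pos, sig, version, length):
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def triage(data):
    """Flag a file that is an OLE2 document and carries a SWF header candidate."""
    hits = find_embedded_swf(data)
    ole2 = data.startswith(OLE2_MAGIC)
    return {"ole2": ole2, "swf": hits, "flag": ole2 and bool(hits)}

# Constructed samples (not real attachments): an OLE2 header plus padding and payload.
def sample_with_swf():
    body = bytes(24)
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    return OLE2_MAGIC + bytes(504) + swf

def sample_benign():
    return OLE2_MAGIC + bytes(504) + b"FWS quarterly report" + bytes(32)
```

A hit is a reason to quarantine and inspect the attachment, not proof of exploitation, since legitimate spreadsheets can also embed Flash content.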
The latest version of Flash, which includes the patch for this vulnerability, can be found at http://get.adobe.com/flashplayer/. Once again Google Chrome users benefit from the deal struck earlier between Adobe and Google, under which Google receives updated builds of Flash Player to release as part of updated versions of its browser. After updating Chrome to version 10.0.648.134 (which has been available for some days now), the browser reports that it’s running Flash Player 10.2.154.25, a step up from the 10.2.154.18 bundled with the last update of the browser. Adobe confirmed that Chrome’s integrated copy of Flash includes the patch for the zero-day vulnerability.
To see what version of Flash you have installed in your browser, and compare it to the latest version available, go to http://www.adobe.com/software/flash/about/