May 28th 2008 | Jens C Brynildsen
Today, Adobe was alerted to what could be one of the first successful exploits of the Flash Player. All users are urged to update their Flash Player to the latest version immediately. The exploit uses a known vulnerability, and every Flash Player release other than the latest version is a target.
The Adobe Product Security Incident Response Team (PSIRT) blog has confirmed that this is indeed a working exploit, after working with Symantec engineers. If you visit a site that is using the exploit, you will be redirected to malware sites and possibly to denial-of-service attacks. In the worst case, the malware can take control of the user's computer. Apparently, the exploit is spreading and in active use.
On previous occasions, Adobe has managed to patch bugs long before exploits were in the wild. That is the case with this exploit as well, but this time only the very latest version of the Flash Player (9.0.124.0) has the fix. Use flashplayerversion.com to check which version you have, and upgrade to the latest Flash Player if you do not have version 9.0.124.0. For once, it is also worth alerting others and urging them to update. Issuing such an alert is not something Adobe does lightly, so we can count on it being serious this time around.
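The version check described above, automated: this is an added example and not code from the original post or from Adobe. It assumes the patched build is 9.0.124.0 (substitute whatever build Adobe's advisory lists) and parses the two version formats Flash Player reports to a page, the ActiveX `$version` string ("WIN 9,0,124,0") and the NPAPI plugin description ("Shockwave Flash 9.0 r124"). Anything it cannot parse is treated as unpatched, so a broken or missing install never reads as "safe".

```javascript
// Added example (not from the original post). Decides whether an installed
// Flash Player is at or above the patched build. PATCHED_VERSION is an
// assumption: 9.0.124.0, the build the post says carries the fix.
const PATCHED_VERSION = [9, 0, 124, 0];

// Parse the two version formats Flash Player reports:
//   ActiveX (IE):  GetVariable("$version") -> "WIN 9,0,124,0"
//   NPAPI plugin:  plugin.description      -> "Shockwave Flash 9.0 r124"
// Returns [major, minor, build, patch] or null if unrecognised.
function parseFlashVersion(str) {
  if (typeof str !== "string") return null;
  let m = /(\d+),(\d+),(\d+),(\d+)/.exec(str);
  if (m) return m.slice(1, 5).map(Number);
  m = /(\d+)\.(\d+)(?:\s*r(\d+))?/.exec(str);
  if (m) return [Number(m[1]), Number(m[2]), m[3] ? Number(m[3]) : 0, 0];
  return null;
}

// Lexicographic comparison of two version tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True only when the reported version is at least the patched build.
// Unparseable input is treated as unpatched (fail closed).
function isPatched(versionString, patched = PATCHED_VERSION) {
  const v = parseFlashVersion(versionString);
  return v !== null && compareVersions(v, patched) >= 0;
}

// Browser-only: read the installed version string, or null if Flash is absent
// or this is not running in a browser. navigator.plugins and ActiveXObject are
// the legacy mechanisms Flash Player exposed; neither exists in Node.
function installedFlashVersionString() {
  if (typeof navigator !== "undefined" && navigator.plugins) {
    const p = navigator.plugins["Shockwave Flash"];
    if (p && p.description) return p.description;
  }
  if (typeof ActiveXObject !== "undefined") {
    try {
      return new ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version");
    } catch (e) {
      // ActiveX control not installed or blocked.
    }
  }
  return null;
}

// Human-readable verdict for the machine this runs on.
function flashStatusMessage() {
  const s = installedFlashVersionString();
  if (s === null) return "Flash Player not detected (or not running in a browser).";
  return isPatched(s)
    ? "Flash Player " + s + " is at or above the patched build."
    : "Flash Player " + s + " is vulnerable: update immediately.";
}
```

Drop this into a page and call `flashStatusMessage()`; the plugin description only carries three version components, so "9.0 r124" is normalised to 9.0.124.0 before comparison, which is why that form is accepted as patched while "9.0 r47" is not.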
RichInternetApps has extensive details about how the exploit works and how it is distributed. Note that the security site securityfocus.com incorrectly claims that this also affects the latest version, because they closed that BID (Bugtraq ID) without updating it. Also note that this is therefore not a "zero-day" exploit (one for which no patch is available), as some have claimed.
Update: skilltube.com has a screencast that shows an example of this exploit. Scary stuff. Tell people to upgrade!