Adobe has issued a patch for Flash after 0-day cross-site scripting (XSS) attacks, using email as the primary attack vector, were detected in the wild.
Anyone with Flash Player 10.3.181.16 or earlier for Windows, Mac, or Linux should update to 10.3.181.22 (10.3.181.23 for ActiveX) ASAP. Flash running on Android devices is also affected, and will be addressed in a separate fix this week.
CVE-2011-2107 is rated as “important” by the vendor, rather than the expected “critical”. Even so, Adobe considered the issue serious enough to patch outside of its normal monthly cycle, all part of the company’s reformed ‘better safe than sorry’ attitude in the wake of repeated attacks on its products and add-ons during 2008, 2009, and 2010.