This article originally appeared in TidBITS on 2009-07-24 at 9:53 a.m.
The permanent URL for this article is: http://db.tidbits.com/article/10430

Adobe Warns of Critical Flash Vulnerability

by Doug McLean

Adobe has announced [1] that a critical security vulnerability exists in the latest versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Mac OS X, Windows, and Linux, as well as in the authplay.dll component embedded in Adobe Reader and Acrobat v9.x for Mac, Windows, and various Unix operating systems.

The vulnerability could cause a crash that an attacker could exploit to gain control of the affected system. This weakness is already being exploited in the wild, though only in limited attacks directed at Adobe Reader 9 for Windows. An attacker could exploit this vulnerability by convincing users to visit a Web site that hosts a malicious SWF file, or by creating a PDF document that contains an embedded SWF file.

Adobe says it expects to release a fix for the Flash Player vulnerability by 30-Jul-09, and for Adobe Reader and Acrobat by 31-Jul-09. In the meantime, the company suggests that Flash Player users use caution when visiting untrusted Web sites, though the only surefire way to avoid problems is to disable Flash. For directions on disabling Flash [2] in a variety of places and in different operating systems, see US-CERT's Vulnerability Note VU#259425. If you use Firefox, you can use the NoScript [3] plug-in to whitelist Flash content on specific Web sites; if you use Safari, turn to Click to Flash.

[1]: http://www.adobe.com/support/security/advisories/apsa09-03.html
[2]: http://www.kb.cert.org/vuls/id/259425
[3]: https://addons.mozilla.org/en-US/firefox/addon/722