A vulnerability in Adobe's Flash Player was not included in its pre-notification security advisory Friday, and is currently being targeted by attackers.
A vulnerability in Adobe's Flash Player was not included in its pre-notification security advisory Friday, and is currently being targeted by attackers.

As previously reported, Adobe addressed critical vulnerabilities in its Reader and Acrobat software Tuesday.

However, the security release also included a fix for a major Flash Player bug that is being exploited in the wild and was not included in the company's pre-notification advisory.

A total of six vulnerabilities have been patched in Flash Player, which impact Windows and Macintosh users on version 15.0.0242 and earlier, 13.0.0.258 and earlier 13.x versions, and 11.2.202.424 and earlier versions for Linux users.

One vulnerability, CVE-2014-9163, discovered by bilou, a researcher at HP's Zero Day Initiative, is actively being targeted by miscreants.

Of the bugs reported on the Flash Player, all except the Linux flaw were given a priority rating of “1”, which indicates that the vulnerabilities may currently be targeted by attackers, or “have a higher risk of being targeted,” according to Adobe's severity ratings.

“These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system,” the advisory said.

The release also patches 20 critical vulnerabilities for Adobe Reader and Acrobat, all which were also given Adobe's most severe priority warning.

In addition to the Flash Player, Reader and Acrobat security patches, hotfixes for ColdFusion 11 and 10 for Windows was also included.

The hotfixes resolve a “resource consumption issue” that could result in denial of service for ColdFusion Windows users.

The company advises users to quickly update to the latest versions of the software.