Details skimpy, but in-the-wild attacks taking place, say researchers
Attackers are exploiting an unpatched bug in Adobe System Inc.'s popular Flash Player, security researchers warned today.

The bug, which is in the most up-to-date version of Flash, was reported by researchers at the SAN Institute's Internet Storm Center and by others from Symantec Corp.

There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 9.0.124.0 are reported to be at risk. However — chatter on the security lists we frequent suggest version 9.0.124.0 is not vulnerable and that the attacks are only reliably effective against version 9.0.115.0 and earlier (using CVE-2007-0071).

In any case — we are seeing Flash exploits being used in combination with SQL injection attacks...

Symantec: We were wrong on Adobe Flash 'bug'

Security firm backtracks on Flash threat
After warning on Tuesday that hackers were exploiting an unpatched bug in Adobe Systems' Flash Player software, Symantec has backtracked from this claim, saying the flaw is "very similar" to another vulnerability that was patched last month.

Symantec's initial warning described a disturbing threat - a previously unknown and unpatched flaw that was being exploited on tens of thousands of web pages. The flaw allowed attackers to install unauthorised software on a victim's machine and was being used to install botnet programs and password-logging software, Symantec said.

Now Symantec believes that the bug was previously known and patched by Adobe on April 8, said Ben Greenbaum, a senior research manager with Symantec Security Response. However, the Linux version of Adobe's stand-alone Flash Player, version 9.0.124, is vulnerable to the attack.