There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 9.0.124.0 are reported to be at risk. However, chatter on the security lists we frequent suggests that version 9.0.124.0 is not vulnerable and that the attacks are only reliably effective against version 9.0.115.0 and earlier (using CVE-2007-0071, the bug Adobe patched in 9.0.124.0).
In any case, we are seeing Flash exploits being used in combination with SQL injection attacks. See Patrik's May 13th post for more information on the SQL attacks. Many, if not most, people don't update Flash every time there's an update. Combined with the SQL injection attacks against tens of thousands of hacked sites, that is cause for concern: many, many users could be at risk and should update their Flash software. Shadowserver has a good post highlighting some of the domains pushing Flash exploits.
In the meantime, there may be some mitigating strategies you'd like to employ.
First of all you can uninstall Flash. But that can be somewhat aggravating as you'll then be prompted frequently to install Flash from numerous websites. So another option is to update and then disable your current installation.
If you have Flash installed on your Windows computer, Add/Remove Programs includes a "Click here for support information" link next to the Adobe Flash Player entry; the support dialog shows the installed version, so you can check whether you are already on 9.0.124.0.
For Internet Explorer, you can use the Manage Add-ons option (Tools menu) to disable the Shockwave Flash Object.
But then you'll get an annoying prompt from IE on every Flash-enabled site.
An alternative is a pair of registry (.reg) files: one that disables the Flash ActiveX control in IE and one that re-enables it. Save both in a convenient location and you can toggle Flash on and off as needed by running the appropriate file.
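The "update, then disable" approach above can be scripted instead of kept in two .reg files. The following PowerShell is an added example, not code from the original post or from Adobe or Microsoft: it reads the version of the installed Flash ActiveX control, compares it with the patched build, and sets or clears the IE "kill bit" for the Shockwave Flash Object (the registry change that the disable/enable .reg files make). It assumes Flash 9 installs Flash*.ocx under %SystemRoot%\System32\Macromed\Flash and that 9.0.124.0 is the fixed build; check both on your own machine, and run it from an elevated prompt because writing under HKLM needs administrator rights.

```powershell
# Added example (not from the original post): check the installed Flash ActiveX
# build and toggle the IE kill bit for the Shockwave Flash Object.
# Assumptions: Flash 9 installs Flash*.ocx under %SystemRoot%\System32\Macromed\Flash,
# and 9.0.124.0 is the patched build. Run as administrator.

$FlashClsid     = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object
$KillBitKey     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$PatchedVersion = [Version]'9.0.124.0'
$KillBit        = 0x400   # Compatibility Flags bit: IE refuses to instantiate the control

function Get-FlashVersion {
    $dir = Join-Path $env:SystemRoot 'System32\Macromed\Flash'
    $ocx = Get-ChildItem -Path $dir -Filter 'Flash*.ocx' -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $ocx) { return $null }
    # Flash's FileVersion string is comma-separated ("9,0,124,0"), so build the
    # Version object from the numeric parts rather than parsing the string.
    $vi = $ocx.VersionInfo
    New-Object -TypeName System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-FlashKillBit {
    if (-not (Test-Path $KillBitKey)) { return $false }
    $flags = (Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($flags -band $KillBit) -ne 0
}

function Set-FlashKillBit {
    param([Parameter(Mandatory=$true)][bool]$Disable)
    if ($Disable) {
        if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
        Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $KillBit -Type DWord
    } elseif (Test-Path $KillBitKey) {
        # Removing the value is enough: with no Compatibility Flags value IE
        # loads the control normally again.
        Remove-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    }
}

# --- usage ---------------------------------------------------------------
$v = Get-FlashVersion
if ($null -eq $v) {
    Write-Host 'No Flash ActiveX control found.'
} elseif ($v -lt $PatchedVersion) {
    Write-Host "Flash $v is older than $PatchedVersion: update it, and keep it disabled in IE until then."
    Set-FlashKillBit -Disable $true
} else {
    Write-Host "Flash $v is at or above $PatchedVersion."
}
Write-Host ("IE kill bit set for Flash: {0}" -f (Test-FlashKillBit))
# Re-enable later with:  Set-FlashKillBit -Disable $false
```

The kill bit is stronger than the Manage Add-ons switch: IE will not create the control at all, regardless of per-site settings, and other applications that embed the IE rendering engine honour it too. It only affects the ActiveX control, so Firefox's NPAPI Flash plugin is unaffected and needs NoScript or Flashblock as described below.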
NoScript is an excellent plugin and will block Flash from any untrusted sites. But be careful whom you trust. Remember, even trusted sites can be hacked. Still, it's a must have plugin for security conscious individuals. You can install it from noscript.net.
Flashblock prevents all Flash content from loading. It replaces each Flash object with a placeholder; clicking the placeholder loads only that piece of Flash content. You can install it from flashblock.mozdev.org.
Adobe Flash version 9.0.124.0 is NOT vulnerable to the exploits that we're seeing in the wild. But there are a large number of sites hosting exploits for earlier Flash versions, so anyone still running an older build is at risk. We strongly advise updating your Flash installation as a minimum measure.
Home users can use our free Health Check service to assist in scanning and updating their systems.