Remote exploitation of an invalid object reference vulnerability in Adobe Systems Inc.'s Flash Player could allow an attacker to execute arbitrary code with the privileges of the current user.
During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However, a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control.
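The description above is a reference that outlives its object. As an added example (not from the advisory or from Adobe's code; every name in it is hypothetical), this C code shows one defensive design for that bug class: references are generation-checked handles, so destroying the object invalidates every remaining copy, and a leftover reference resolves to NULL instead of to reused memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical names; this models the bug class, not Flash Player internals. */
#define SLOTS 8

typedef struct { uint32_t index, gen; } handle_t;   /* a checked "reference" */
typedef struct { void *obj; uint32_t gen; } slot_t;

static slot_t table[SLOTS];

/* Create an object; copies of the returned handle act as extra references. */
handle_t obj_create(size_t size) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].obj == NULL) {
            table[i].obj = calloc(1, size);         /* zeroed, never uninitialized */
            if (table[i].obj == NULL) break;
            return (handle_t){ i, table[i].gen };
        }
    }
    return (handle_t){ SLOTS, 0 };                  /* invalid: table full or out of memory */
}

/* Resolve a handle; NULL when the reference is stale or out of range. */
void *obj_get(handle_t h) {
    if (h.index >= SLOTS) return NULL;
    slot_t *s = &table[h.index];
    if (s->obj == NULL || s->gen != h.gen) return NULL;
    return s->obj;
}

/* Destroy via any handle; bumping the generation invalidates all other copies. */
int obj_destroy(handle_t h) {
    if (obj_get(h) == NULL) return -1;              /* stale handle or double destroy */
    free(table[h.index].obj);
    table[h.index].obj = NULL;
    table[h.index].gen++;
    return 0;
}

int main(void) {
    handle_t a = obj_create(32);
    handle_t b = a;                                 /* second reference, same object */
    obj_destroy(a);                                 /* b is now the "leftover" reference */
    handle_t c = obj_create(32);                    /* slot is reused by a new object */
    return (obj_get(b) == NULL && obj_get(c) != NULL) ? 0 : 1;
}
```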
Adobe has just released a security advisory for this vulnerability. The vulnerability affects Adobe Flash Player 10.0.12.36 and earlier. So, patch'em if you got'em.
I was hearing "chatter" about this vulnerability on Twitter this morning...
Then you have the confusing aspect of Adobe's actions in this matter. Why patch the Flash Player when people are actively exploiting the Reader vulnerability?