The out-of-cycle patch -- Adobe normally releases patches quarterly -- reflects the severity of the vulnerability as well as the fact that attackers are actively exploiting the bug to remotely execute code. In particular, attackers have been targeting Flash Player, by distributing via email a malicious Flash file (.swf) embedded in a Microsoft Excel file (.xls).
As of Monday, Adobe said that it hasn't seen any attacks targeting the Flash-related authplay.dll component in Adobe Reader or Acrobat, which is also vulnerable. "Note also that Adobe Reader X Protected Mode -- 'sandboxing' -- would prevent an exploit of this kind from executing," said Adobe.
The updated -- aka patched -- Flash software versions are Flash Player 10.2.153.1 (for Windows, Macintosh, Linux, and Solaris), AIR 2.6 (Windows, Macintosh, and Linux), and Flash Player 10.2.156.12 (for Android), which was released on March 18. Meanwhile the latest version of Google Chrome, 10.0.648.134, integrates Flash Player version 10.2.154.25, which also has the patch. It was released on March 15.
As that suggests, Adobe shares Flash patches with Google in advance of their general release, which gives Google a head start on patching its browser. Google, notably, also updates Flash Player for Chrome automatically. Other browser users will need to download and install the latest version manually.
For Adobe Reader and Acrobat, the updated version of Adobe Reader X 10.0.2 is only being released for Macintosh, since the Windows version (10.0.1) would prevent the attack from exploiting. Accordingly, Windows users won't see a patch until the next quarterly patch release date, scheduled for June 14, 2011.
Other updated versions -- all for both Windows and Macintosh -- are Reader 9.4.3, Adobe Acrobat X 10.0.2, and Adobe Acrobat 9.4.3. Reader and Acrobat users can check for and download updates through the application's "help" menu.