According to Adobe, the vulnerability is being actively exploited by attackers, using Shockwave files placed in Microsoft Excel spreadsheets. "Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope," said Brad Arkin, Adobe's senior director for product security and privacy, in a blog post.
In other words, don't panic. "The attack doesn't seem to be in the wild, and the exploit files I've heard of seem to rely on a sequence of already known and already detectable malicious operations, so there is no cause for alarm," said Paul Ducklin, the Asia-Pacific head of technology for Sophos, in a blog post. "But do look out for the Flash patches when Adobe publish them next week."
Google's Chrome update makes it the first browser developer -- besting Microsoft, Mozilla, and Apple -- to patch the bug. Then again, the other companies are still waiting for Adobe's Flash Player update, which won't be released until next week. Adobe, however, regularly shares Flash updates more quickly with Google.
"As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing," said Wiebke Lips, senior manager for corporate communications at Adobe, via email. "Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism."
Timing-wise, it might seem odd that an Adobe business partner has patched one of its products against the zero-day vulnerability before Adobe patches its own products. But the issue is one of scale, since Adobe plans to simultaneously release fixes for all affected products, including Flash Player, Acrobat, and Reader. "Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris, and Android -- more than 60 platforms/configurations altogether -- to ensure the fix works across all supported configurations," said Lips. "This process is currently underway and will be completed by next week."
In the meantime, beware of fake updates or product scams, said Sophos's Ducklin. In particular, Sophos has seen a new variation on the old fake antivirus scam, this time built around PDF software. In this case, attackers are offering a 30% discount on Adobe Acrobat X Reader -- notably, not affected by the Flash bug -- as well as a free gift.
Needless to say, it's all a scam. "Guess what? The free gift software you're being offered is OpenOffice," said Ducklin. "It really is free."