According to Computerworld, Adobe has confirmed that hackers are exploiting a zero-day vulnerability in Flash Player using Microsoft Excel documents. However, the company will not patch Flash until next week.
This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe says it is not aware of any attacks targeting Reader or Acrobat. Adobe's newest version of Reader will not be patched because building a fix would delay the release of the Flash, Reader and Acrobat updates, says Brad Arkin, the company's director of product security and privacy:
"Given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk."