Adobe has patched nine critical vulnerabilities in Flash that hackers could use to attack Windows, Mac and Linux machines.
"Multiple input validation errors have been identified in Flash Player 18.104.22.168 and earlier that could lead to the potential execution of arbitrary code," Adobe said. "These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client or other applications that include or reference the Flash Player."
Danish vulnerability tracker Secunia ASP collectively rated the nine bugs as "highly critical", its second-from-the-top threat ranking.
The flaws can be exploited using malicious .swf files, a vector graphics format specific to Flash. Specifically, said Adobe, the vulnerabilities could be used to conduct cross-site scripting attacks, run DNS rebinding attacks that circumvent firewall defences and elevate privileges on servers hosting Flash content.
Google's security team was credited by Adobe with reporting two of the nine vulnerabilities, while a team at Stanford University received a nod for notifying Adobe of another pair of bugs.
"Users are recommended to update to the most current version of Flash Player available for their platform," Adobe said. The update, dubbed Flash Player 22.214.171.124, can be downloaded from the Adobe site. Solaris users, however, must download a beta of the updated Player to protect their machines.
Mac OS X users who refreshed their operating system with the 41-fix Security Update 2007-009, which Apple issued Monday, already have the revised Flash Player in hand, and don't need to take additional action.
According to Adobe, people who must rely on the older Flash Player 7 should download and install the patched version of that edition instead of 126.96.36.199.