Attackers are exploiting a critical vulnerability in Flash Player, Adobe warned users Friday. It has since released an emergency patch.
"There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only," Adobe said in the patch notes.
The exploit is IE-only because Internet Explorer loads Flash Player as an ActiveX control; other browsers such as Mozilla Firefox and Google Chrome use a different plug-in build, so the in-the-wild exploit does not target them.
Adobe gave the update a priority rating of "1," the label it reserves for vulnerabilities that are being actively exploited or are likely to be. Adobe recommends that updates in this category be applied within 72 hours.
Adobe also described the flaw as an "object confusion vulnerability," and said triggering the bug could crash an application and potentially allow an attacker to take control of the machine. The company says the attacks are aimed at specific companies or individuals rather than the general public.
Last year Adobe issued nine updates to Flash Player; this one is the fourth so far this year. The previous update arrived on March 28 and introduced silent background updating in Flash Player 11.2.
Adobe said at the time that silent updating would be used on a "case-by-case basis," but hinted then that the service would be used for zero-day patches like this one. On Friday, May 4, Adobe confirmed that silent updating was being used for the critical patch.
However, a Computerworld system did not silently update. Adobe's explanation was that it did not begin serving the patched Flash Player through the silent updater until 10:30 a.m. PT, after the Computerworld machine had already checked in with Adobe's servers. The silent updater waits 24 hours before checking again when no update is offered, so a machine that polled too early would not receive the patch until the following day.
Google Chrome shipped the fix four days before Adobe's own release, on Monday, April 30. Chrome has previously beaten Adobe's patches by hours or days, but the four-day lead was its largest yet. Adobe explained the lead by saying it hands the fixed code to Google as soon as it is ready, whereas its own release waits until the update has been tested across different machine and browser combinations.
Microsoft's vulnerability research group had reported the problem to Adobe.
(reported by Jonathan Charles, edited by Dave Clark)
© Copyright 2024 Mobile & Apps, All rights reserved. Do not reproduce without permission.