A vulnerability in Flash Player 9 is being actively exploited. The latest version of Flash Player (126.96.36.199) appears to correct the vulnerability. Analysis indicates that this vulnerability is the same as or similar to the one described in "Application Specific Attacks: Leveraging the ActionScript Virtual Machine" by Mark Dowd. The vulnerability depends on ActionScript 3.0, which was introduced in Flash Player 9, so previous versions do not appear to be affected.
The vulnerability (or vulnerabilities) being used in these attacks is explained in US-CERT Vulnerability Notes VU#395473 and VU#159523. According to a post on the Adobe Product Security Incident Response Team (PSIRT) blog, the exploit "...appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 188.8.131.52 (CVE-2007-0071)."