The attack, which Websense has dubbed LizaMoon, injects a single line of code into websites that sends the user to a well-known fake security software site at defender-uqko.in.
Articles by Kara Reeder
One bug involves cross-site scripting, while the other two deal with information disclosure.
There is no information about the scale of the attacks or what is being done to counter it.
Adobe has also issued an update for its Reader and Acrobat platforms to deal with a critical flaw in the authplay.dll component.
Trojans were by far the most popular, making up 70 percent of all malware, followed by viruses and worms.
Forty-eight percent of tablet users said they send sensitive data on the device, compared to only 30 percent of smartphone users.
The ruse uses a recently announced messaging product that gives Facebook users an opportunity to own an @facebook.com e-mail address as a lure.
Six of the vulnerabilities were accompanied by the phrase "arbitrary code execution," which is Apple-speak for "critical."
Some of the bugs could allow hackers to hijack a vulnerable Mac.
Morgan Stanley has confirmed the attack, but says it was limited in scope.
The malware can install other applications, mess with the phone's browser bookmarks and send text messages to premium rate numbers.