Adobe patches two Flash Player zero day holes
Adobe has released security updates for its Flash Player on Windows and Mac OS X to address two critical vulnerabilities. The emergency release was necessary because, Adobe says, both vulnerabilities were being exploited in the wild in attacks on Windows and Mac systems. Fixes are also available for Linux and Android systems and should be installed as soon as possible, as the vulnerabilities allow attackers to take control of affected systems.
The precise nature of the attacks has yet to be disclosed, but, the reporters of holes listed in the Adobe advisory is an interesting list. One of the holes, CVE-2013-0634 , is credited to the incident response team at defence contractor Lockeed Martin, the MITRE organisation, and "W" of the ShadowServer Foundation. This combination of reporters suggests that the attacks were targeted industrial espionage.
The vulnerability in question has been used to specifically target Mac users running Firefox or Safari through Flash content on web sites, though Adobe notes it also being used in attacks on Windows users via Microsoft Word documents with malicious SWF content delivered as attachments in email. The flaw is described as a memory corruption issue that could lead to code execution. The other flaw, CVE-2013-0633, reported by researchers at Kaspersky Lab, is also being targeted at Windows users through Flash embedded in Microsoft Word documents in email. It is said to be caused by a buffer overflow.
Windows and Mac users should upgrade to version 11.5.502.149, available from the Flash Player Download Center. A Linux version, 11.2.202.262, of the Player is also available from the Download Center. Android version 4.x devices will be updated to version 11.1.115.37 and Androids from 2.x and 3.x with 11.1.111.32 through the Google Play Store. Google Chrome and Internet Explorer should automatically update their Flash Players to 11.5.31.139 and 11.3.379.14 respectively.
(djwm)