In response to reports that two Flash Player vulnerabilities are being exploited in the wild in attacks designed to target the Firefox browser, Adobe has released new security updates for its software. These updates are for Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, and address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
In addition to resolving the two vulnerabilities being exploited in the wild, Adobe also resolved “a buffer overflow vulnerability in a Flash Player broker service, which can be used to execute malicious code.” These updates were posted under Adobe’s sixth security bulletin for February (APSB13-08) and should conclude what has been a busy month for the software company’s security team. Adobe recommends that all Mac users update to Adobe Flash Player 11.6.602.171 immediately. Flash Player versions for other operating systems have also been updated.
In Adobe’s security bulletin, the company posted a brief description of the vulnerabilities being exploited in the wild:
Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser.
Following are details of the three vulnerabilities covered in this Flash update:
- This update resolves a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643).
- This update resolves a vulnerability in the ExternalInterface ActionScript feature, which can be exploited to execute malicious code (CVE-2013-0648).
- This update resolves a buffer overflow vulnerability in a Flash Player broker service, which can be used to execute malicious code (CVE-2013-0504).
Users of Adobe Flash Player 11.6.602.167 and earlier versions for Mac OS X should download the 16.14 MB update to Adobe Flash Player 11.6.602.171 as soon as possible. The Flash Player bundled with Google Chrome is updated automatically along with Chrome itself; the latest Google Chrome release includes Adobe Flash Player 11.6.602.171 for Macintosh, Linux, and Windows.
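The practical check behind the "11.6.602.167 and earlier" wording is a version comparison, and the usual mistake is comparing dotted version strings as text (as a string, "11.6.602.99" sorts after "11.6.602.171" even though it is older). The following is an added example, not code from Adobe or from the original article: it parses version strings numerically and flags hosts in a small inventory that are below the fixed Mac build named above. The inventory lines and host names are constructed for the example; the only fixed version it assumes is the Mac one given on this page, and the threshold is a parameter so it can be reused for other platforms.

```python
# Added example: triage Flash Player version strings against the fixed build from APSB13-08.
# Not Adobe's or the article's code. The inventory below is constructed sample data.
from typing import List, Tuple

FIXED_MAC = "11.6.602.171"  # fixed Mac OS X version named in the bulletin


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.6.602.167' into (11, 6, 602, 167); reject malformed input rather than guess."""
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_MAC) -> bool:
    """True when the installed build is older than the fixed build ('and earlier')."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so '11.6' compares as '11.6.0.0' (numeric, not textual).
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


# Constructed inventory: "host,flash_version" per line (hypothetical host names).
INVENTORY = """\
mac-build-01,11.6.602.167
mac-build-02,11.6.602.171
mac-design-03,11.5.502.149
mac-qa-04,11.6.602.99
"""


def triage(inventory: str, fixed: str = FIXED_MAC) -> List[str]:
    """Return the hosts whose Flash Player build is below the fixed version."""
    needs_update = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        if is_vulnerable(version, fixed):
            needs_update.append(host)
    return needs_update


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: update to Flash Player {FIXED_MAC}")
```

Note that `mac-qa-04` (11.6.602.99) is correctly reported as needing the update even though a plain string comparison would rank it above 11.6.602.171.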