Adobe patched three new security flaws in its near-ubiquitous Flash Player, of which two were already being exploited in the wild. Attackers were specifically targeting Mozilla Firefox users, the company said.
The two zero-day vulnerabilities, CVE 2013-0643 and CVE 2013-0648, were being exploited in targeted attacks where users were tricked into clicking on a link to a website hosting malicious Flash files, Adobe said in its security advisory. The company did not credit any organisation or researcher who found the zero-day vulnerabilities, but credited IBM X-force for reporting the third security hole.
Adobe security engineers at the RSA Conference also declined to provide any additional information.
"The exploit for Cve 2013-0643 and CVE 2013-0648 is designed to target the Firefox browser," Adobe said in the advisory.
Attackers could trigger the vulnerabilities to cause Flash Player to crash and gain remote control of the computer, Adobe said. The zero-day bugs are related to a permissions issue with the Flash Player Firefox sandbox and a flaw in the ExternalInterface ActionScript feature, which can be exploited to execute malicious code. The third, currently not yet being exploited, bug was a buffer overflow vulnerability in a Flash Player broker service, and could be used to execute malicious code, Adobe said.
The update affects all versions of Flash on Windows, Mac OS X, and Linux. Users can download the latest version from the Adobe website, or turn on background updates and let the software grab the version automatically. Google and Microsoft will update Flash on Chrome and Internet Explorer 10 (for Windows 8) separately.
This Flash update is the second out-of-band patch for Flash Player this month, the third Adobe patch in the month of February, and fourth such patch released in 2013 so far.
It's been almost a year since Adobe turned on autmatic updates for Flash and Reader, and the update rate has been tremendous, Brad Arkin, senior director security and privacy at Adobe, told SecurityWatch at the RSA Conference. The previous model where users were prompted to download the latest updates were not sufficient to get users to actually patch Flash Player, Arkin said. With the shift to background updates, the success rate has been significant.