Adobe Emergency Patch, Part III

Wednesday, February 27, 2013 @ 03:02 PM gHale


Another vulnerability, another update. That has been the pattern Adobe has been following of late as it released its third security update for its Flash Player product this month.

The emergency update patches three vulnerabilities, including two critical ones (CVE-2013-0643 and CVE-2013-0648) that are being used to target Flash Player in Mozilla’s Firefox browser and could let an attacker crash and compromise affected systems.

According to a post on Adobe’s Product Security Incident Response Team (PSIRT) blog, both of the vulnerabilities are being exploited in targeted attacks. Adobe claims some attackers are tricking users into clicking a link that leads them to a website serving up malicious SWF files.

The fix affects Flash Player 11.2.202.270 and earlier for Windows, Flash Player 11.6.602.167 and earlier for Macintosh and Flash Player 11.2.202.270 and earlier for Linux.

The fix also resolves a permissions issue with Firefox’s Flash Player sandbox and a buffer overflow vulnerability in the Flash Player’s broker service.

Adobe last fixed Flash Player two weeks ago, when it fixed 17 vulnerabilities with a regularly scheduled update. That patch came only a few days after the company issued an out-of-band patch for two Zero Day vulnerabilities under active exploitation.

One of those Zero Days (CVE-2013-0633) affected Microsoft Office documents, while the other (CVE-2013-0634), similar to the vulnerability just patched, targeted Firefox browsers, along with Mac OS X systems, via malicious .SWF files.
