Another vulnerability, another update. That has been Adobe's pattern of late, as it released its third security update for Flash Player this month.
The emergency update patches three vulnerabilities, including two critical ones (CVE-2013-0643 and CVE-2013-0648) that are being used to target Flash Player in Mozilla's Firefox browser and could let an attacker crash and compromise affected systems.
According to a post on Adobe's Product Security Incident Response Team (PSIRT) blog, both of the vulnerabilities are being exploited in targeted attacks. Adobe claims some attackers are tricking users into clicking a link that leads them to a website serving up malicious SWF files.
The fix affects Flash Player 220.127.116.110 and earlier for Windows, Flash Player 11.6.602.167 and earlier for Macintosh and Flash Player 18.104.22.1680 and earlier for Linux.
The fix also resolves a permissions issue with Firefox’s Flash Player sandbox and a buffer overflow vulnerability in the Flash Player’s broker service.
Adobe last patched Flash Player two weeks ago, when it fixed 17 vulnerabilities in a regularly scheduled update. That patch came only a few days after the company issued an out-of-band patch for two zero-day vulnerabilities undergoing exploitation.
One of those zero days (CVE-2013-0633) was affecting Microsoft Office documents, while the other (CVE-2013-0634), similar to the vulnerability just patched, targeted Firefox browsers, along with Mac OS X systems, via malicious .SWF files.