Adobe Releases Emergency Patch for Two Zero-Day Flash Vulnerabilities


Adobe recently released security updates for Adobe Flash Player to address two vulnerabilities that could enable attackers to take control of the affected systems. Both vulnerabilities, the company says, are currently being exploited in the wild.

"Both Windows and Mac users are in the firing line," writes The Register's John Leyden. "One of the vulnerabilities (CVE-2013-0633) is being harnessed in targeted attacks designed to trick marks into opening a Microsoft Word document email attachment that contains malicious Flash (SWF) content. The exploit targets the ActiveX version of Flash Player on Windows."

"Adobe is also plugging a hole (CVE-2013-0634) predominantly leveraged to infect users' machines when they visit malicious websites in Firefox or Safari from their Mac," writes SC Magazine's Dan Kaplan. "Attackers are taking advantage of this flaw by duping Windows users into clicking on fake attachments masquerading as Word documents."

"[The second flaw] is credited to the incident response team at defence contractor Lockheed Martin, the MITRE organisation, and 'W' of the ShadowServer Foundation," The H Security reports. "This combination of reporters suggests that the attacks were targeted industrial espionage."

"To defend against the exploit you can either uninstall Flash or update to the latest version, which can be downloaded directly from Adobe," writes Matthew Humphries. "The version you want to be running is Flash Player 11.5.502.149, which can be checked on Windows and Mac by visiting the About Adobe Flash Player page. Android users can check their version by navigating to Settings->Applications->Manage Applications and viewing the version listed there."