Third time's the charm? Adobe patches even more critical Flash vulnerabilities
- — 27 February, 2013 19:00
On Tuesday, Adobe released yet another security patch for Flash player, addressing several critical vulnerabilities that would allow attackers to take control of affected computers. The update is for Windows, OSX, and Linux users. It's the fourth critical Flash update since the beginning of the year--and the third Flash security patch from Adobe in February alone.
A total of three serious exploits (CVE-2013-0504, CVE-2013-0643 and CVE-2013-0648) are addressed in this update, which Adobe said are already being used in the wild in targeted attacks. These exploits are designed to trick the user into clicking a link that redirects to a website where the computer is exposed to malicious Flash (SWF) files. Two of the exploits specifically target users of the Firefox browser.
These are "zero-day" exploits, meaning there were reports of users being hacked using the vulnerabilities. Adobe recommends Windows and Mac users update to Flash version 11.6.602.171 as soon as possible, either manually from the Adobe website, or via your browser's own update service. (Chrome and IE 10 users on Windows 8 are updated automatically.) If you download manually, make sure you deselect the default option to download McAfee Security Scan Plus as well.
The previous Flash patches this month addressed exploits that were designed to trick the user into opening a Microsoft Word document which contained malicious Flash content, as well as a vulnerability targeting Flash in Firefox and Safari for Macs. Adobe also had a critical security exploit fix in February for Adobe Reader. (If you're sick of Reader's frequent security headaches, we recently detailed a trio of PDF readers that are targeted much less frequently than Adobe's software.)
Flash isn't the only Web technology targeted by hackers this year. Oracle has also released several emergency updates for Java this month, after discovering exploits that allowed computers to be controlled remotely without authorization.