Adobe has issued an emergency Flash update that will patch two vulnerabilities, classified as Priority 1, that are being actively exploited online.
The first of the two, CVE-2013-0634, is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform. The same exploit is also targeting Windows users, attempting to trick them into opening a poisoned Word document, attached to an email, that contains malicious Flash content.
The second exploit to be discovered is CVE-2013-0633, which targets Windows users and, as with CVE-2013-0634, attempts to trick people into opening a Word document containing malicious Flash content.
The news of these two exploits was revealed on the same day that Adobe announced that it was planning to tighten the security around the way people access Flash content contained within Microsoft Office files, giving them better protection against opening malicious files.
To protect users of Office 2008 and earlier, the upcoming release of Flash Player will determine whether Flash Player is being launched within Microsoft Office and check the version of Office. If Flash Player is launched within a version prior to Office 2010, Flash Player will prompt the end-user with a dialogue before executing the Flash content.
Affected versions of Flash:
- Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
- Adobe Flash Player 126.96.36.1991 and earlier versions for Linux
- Adobe Flash Player 188.8.131.52 and earlier versions for Android 4.x
- Adobe Flash Player 184.108.40.206 and earlier versions for Android 3.x and 2.x
To find out which version of Flash you are running, visit this link.
Users are being urged to download the latest release of the software to protect themselves. Windows and Mac OS X users can download the latest version of Flash, which is v. 11.5.502.149, here.
Chrome and Internet Explorer 10 users will automatically have their updates pushed via their browsers. Today’s emergency patch for these exploits is also being made available for Linux and Android users.
Adobe would like to thank Sergey Golovanov and Alexander Polyakov of Kaspersky Labs for reporting the CVE-2013-0633 exploit. For the CVE-2013-0634 exploit, thanks go to members of the Shadowserver Foundation, Lockheed Martin’s Computer Incident Response Team, and MITRE.