Adobe issues another patch for Flash vulnerabilities

In its third update this month, the Flash developer rolls out another emergency update addressing three vulnerabilities--two of which have been exploited in targeted attacks.
Written by Ellyne Phneah, Contributor
Two vulnerabilities, CVE-2013-0643 and CVE-2013-0648, were exploited in targeted attacks, which tricked users into clicking a link directing them to a site with malicious Flash content.

Adobe Systems has released yet another emergency security update addressing three vulnerabilities in Flash, two of which have already been exploited by hackers.

In an advisory note released Tuesday, the company said it patched holes which could cause the system to crash and potentially allow hackers to take control of the affected system.

Identifying the vulnerabilities by their Common Vulnerabilities & Exposures (CVE) identifiers, Adobe said CVE-2013-0643 and CVE-2013-0648 had been exploited in targeted attacks to trick users into clicking a link directing them to a Web site containing malicious Flash content. The exploit for CVE-2013-0643 and CVE-2013-0648 was also designed to target the Firefox browser.

Adobe also assigned a Priority 1 rating, its highest threat level, to the vulnerabilities exploited on Windows and Mac OS X, and advised users of both operating systems to install the update within 72 hours. This rating identifies vulnerabilities that are being targeted or have a higher risk of being targeted.

The note also assigned a Priority 3 rating to a Flash vulnerability facing Linux users, a rating which refers to products historically not a target of attackers.

This update is Adobe's third this month, with its second update less than three weeks ago. Fixes for two zero-day threats had been issued on February 8, addressing vulnerabilities affecting all versions of Flash for Windows, Mac, Linux, and Android. FireEye researchers on February 13 also warned users not to open PDFs from unknown sources in Adobe Reader, after they found a PDF zero-day being exploited in the wild. Adobe confirmed it was looking into this exploit.
