Adobe has released yet another security update for Flash Player, to address a new set of six vulnerabilities that even affect the company's most recent patch that was issued just last week.
Last week, Adobe urged Windows and Mac users to upgrade Flash Player to 11.3.300.271 and Linux users to upgrade to 18.104.22.168, to mitigate a vulnerability that was being exploited in the wild; victims would open a Microsoft Word document and become infected, or would be compromised via the ActiveX version of Flash Player for Internet Explorer. This vulnerability could cause the computer to crash and potentially allow attackers to take control.
Today, Symantec confirmed that attacks were indeed being carried out, observing over 1300 instances of malicious emails since 10 August. It pointed users to the 11.3.300.271 patch and urged them to keep their systems up to date.
But this patch is no longer effective against yet another set of vulnerabilities that affect all versions of Flash Player, including Android 4.x, 3.x and 2.x. Like the previous vulnerability, these could allow attackers to crash and take control of the targeted computer or device and has earned Adobe's highest severity rating of critical, leading Adobe to release a new patch only a week after the last.
Adobe has assigned the new Windows patch with a Priority 1 rating. This means that the company believes that the vulnerability is either being targeted, or has a high risk of being targeted, by an exploit that is available in the wild. It recommends updating to the newer 11.4.402.265 version of Flash Player as soon as possible.
The patch for Macs has a lower Priority 2 rating, meaning there are no known exploits in the wild, while Linux and Android have been assigned Priority 3. Adobe suggests users use their own discretion for these systems, as they are typically not targeted.
Adobe also released critical patches for its Windows, Macintosh, Android and the SDK (which includes AIR for iOS) versions of Adobe AIR, with a Priority 3 rating.