Adobe has released an out-of-band security update for its Flash player in order to address two vulnerabilities. Security experts say the vulnerabilities are currently being exploited in the wild.
Ars Technica’s Dan Goodin reported, “Adobe Systems has released a patch for two Flash player vulnerabilities that are being actively exploited online to surreptitiously install malware, one in attacks that target users of Apple’s Macintosh platform. While Flash versions for OS X and Windows are the only ones reported to be under attack, Thursday’s unscheduled release is available for Linux and Android devices as well. Users of all affected operating systems should install the update as soon as possible.”
SlashGear’s Brittany Hillen added, “This follows reports that CVE-2013-0633 is being actively exploited in the wild in an attack that tricks users into downloading and opening a Word doc included as an email attachment. The file contains harmful Flash content, and is specific to Windows users running ActiveX. Those who download the security update won’t have to worry about this. Likewise, reports have also rolled in showing that CVE-2013-0634 is also being exploited, this one via malicious Flash content found on websites. The content specifically targets Flash in Safari and Firefox for Mac users. The same is also used to exploit Windows users via the tainted Word doc attached to an email.”
Computerworld’s Greg Keizer noted, “The out-of-band, or emergency, update was Flash’s first of the year and the first since Adobe moved the media software to a regular update schedule last fall.”
CNET’s Topher Kessler advised, “In addition to ensuring your Flash software is up to date, you might also consider limiting the amount of Flash content that is automatically allowed to run on your system. As with Java, Flash is yet another runtime that has its vulnerabilities and even though Adobe will keep on top of them with updates, it may be safest to only allow Flash content to run when needed. To do this, consider installing a plug-in manager for your browser such as ClickToFlash, ClickToPlugin, or NoScript that will require you activate each instance of the Flash plug-in that your browser is using.”