On Wednesday, Adobe released an out-of-band update for its Flash technology that addresses three security vulnerabilities. This is Adobe’s third emergency update this month, and the second for Flash.
InformationWeek’s Matthew J. Schwartz reported, “Adobe has released an emergency update for Flash Player. The latest update, issued Tuesday, fixes three bugs, two of which are being actively targeted via zero-day attacks that can compromise users’ systems. According to Adobe’s security bulletin, ‘these updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.’”
ZDNet’s Ellyne Phneah added, “Adobe also assigned a Priority 1 rating, its highest threat level, to the vulnerabilities exploited on Windows and Mac OS X, and advised users of both operating systems to install the update within 72 hours. This vulnerability identifies vulnerabilities being targeted or have a higher risk of being targeted. The note also assigned Priority 3 rating to a Flash vulnerability facing Linux users, which refers to products historically not a target of attackers.”
SecurityWatch’s Fahmida Y. Rashid noted, “Users can download the latest version from the Adobe website, or turn on background updates and let the software grab the version automatically. Google and Microsoft will update Flash on Chrome and Internet Explorer 10 (for Windows 8) separately.”
Computerworld’s Greg Keizer observed, “Tuesday’s ‘out-of-band’ came less than three weeks after a Feb. 8 fix for two exploited-in-the-wild flaws. Adobe has also issued two other regularly scheduled updates for Flash this year as part of its plan to synchronize its security releases with Microsoft’s monthly Patch Tuesdays. The frequent Flash updates only add to what has become a hectic start to the year for security experts and IT administrators: Oracle has also shipped multiple updates for Java in the last two months, including a pair of rush updates to quash actively exploited bugs.”