Adobe patches Flash player security hole

News 8 Feb, 2013

Emergency patch issued to combat new zero day threat.

Adobe has released an emergency security patch after another vulnerability was discovered in its Flash Player.

The patch addresses two critical vulnerabilities on both the Windows and Mac OS X platforms. The flaws were being exploited in the wild, according to Adobe.

The firm has also issued fixes for Linux and Android systems, which should be implemented as soon as possible, it said.

The first vulnerability, CVE-2013-0633, was discovered by researchers at anti-virus firm Kaspersky. Attacks exploiting the flaw target Windows users through malicious Flash content embedded in Microsoft Word documents sent via email. The vulnerability is said to cause a buffer overflow, and the exploit is aimed at the ActiveX version of Flash Player on Windows.

The second vulnerability, CVE-2013-0634, is exploited using websites containing malicious SWF content that target Flash Player in Firefox or Safari on OS X. This flaw was discovered by ShadowServer, MITRE and Lockheed Martin.

“Adobe recommends users apply the updates for their product installations,” the company said in an advisory.

Windows and Mac users should upgrade to version 11.5.502.149, available from the Flash Player Download Center, according to the emergency bulletin issued by Adobe. Google Chrome and IE 10 users will get updates to these browsers’ built-in Flash components via updates from Google and Microsoft respectively.

The news comes just before Microsoft's latest Patch Tuesday, which sees 12 security bulletins being issued. Five are marked as critical and affect Internet Explorer, Windows and Microsoft Server. Seven of the 12 fixes require a restart.

Ross Barrett, senior manager of security engineering at Rapid7, said that Patch Tuesday will be bigger than average.

“It's both good and bad news that the patches are mostly clustered on Windows Operating System, without dipping too much into Office or more esoteric specialty Microsoft products,” he said.

“It's good because administrators probably don't have to worry about applying multiple patches for the same advisory to a single host. It's bad because an organisation with even the simplest deployment of Microsoft products will probably be hit by all of these advisories, meaning their desktop and server teams will be extra busy.”
