Adobe Systems released an emergency security update today that addresses a trio of vulnerabilities in Flash, two of which the company said were already being exploited by hackers.
Today's surprise update -- the company's third for the browser plug-in this month -- patches holes "that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security bulletin.
"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a Web site serving malicious Flash content," the advisory stated, identifying the vulnerabilities by their Common Vulnerabilities & Exposures. "The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser."
Adobe assigned a Priority 1 rating to the vulnerabilities being exploited on Windows and Mac OS X and advised users of both operating systems to install the update within 72 hours. That rating -- Adobe's highest threat level -- identifies "vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." The bulletin also assigned a Flash vulnerability facing Linux users a Priority 3 rating, which refers to "a product that has historically not been a target for attackers."
Adobe recommends users update to the latest versions:
- Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171.
- Users of Adobe Flash Player 22.214.171.1240 and earlier versions for Linux should update to Adobe Flash Player 126.96.36.1993.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh, and Linux.
- Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.6.602.171 for Windows.
The update is Adobe's third this month and its second emergency update in less than three weeks. A fix for two zero-day threats issued on February 8 addressed vulnerabilities that affected all versions of Flash on Windows, Mac, Linux, and Android.