In an apparent effort to address vulnerabilities that target the Firefox web browser, Adobe today released a security update to Flash Player. Updates were provided for Windows, Mac, and Linux platforms, where the vulnerabilities could allow an attacker to take control of an afflicted system. Adobe recommends that users update their Flash Player installations.
In its security bulletin, Adobe states that it is patching three vulnerabilities, and it is aware of reports that two of the three vulnerabilities are being exploited "in the wild". The targeted attacks are reportedly designed to lure a user into clicking a link to a web site that serves malicious Flash (SWF) content. Adobe's security bulletin lists the following issues as being resolved in this release:
- This update resolves a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643).
- This update resolves a vulnerability in the ExternalInterface ActionScript feature, which can be exploited to execute malicious code (CVE-2013-0648).
- This update resolves a buffer overflow vulnerability in a Flash Player broker service, which can be used to execute malicious code (CVE-2013-0504).
Plug-in woes have persisted so far in 2013. This is the second security update for Flash Player released by Adobe in February, not unlike Oracle's multiple Java updates this month. Adobe's first February update of Flash Player had a Priority 1 Rating, which addressed Critical vulnerabilities that could also allow an attacker to take control of an infected system.
Because the ParaChat Flash Chat client utilizes the Flash Player installation on end user systems, we recommend that you keep your Flash Player installation up to date.