Posted on February 27, 2013 9:12 pm

Emergency Flash update blocks exploit targeted at Firefox

The last update of Flash Player was just two weeks ago and now it’s being updated again – this time to block exploits that target the Firefox browser. The new advisory points to three fixes in the update, two involved in blocking the Firefox exploit and one correcting a generally applicable, serious flaw. The problems affect Flash Player on Windows, Mac OS X and Linux, but do not appear to affect Flash on Android.

One of the corrected problems is a permissions issue in the Flash Player sandbox for Firefox (CVE-2013-0643). This vulnerability is being exploited in the wild in combination with another, now fixed, hole in Flash's ExternalInterface ActionScript feature that allowed the execution of arbitrary code (CVE-2013-0648). As is usual with Flash Player exploits, a victim would have to open a page containing malicious SWF content to be exposed; Adobe notes that the vulnerabilities are being used in a targeted attack that tries to trick the user into clicking a link that sends their browser to such a page. A third vulnerability, a buffer overflow in the Flash Player broker service (CVE-2013-0504) discovered by IBM X-Force, could also be used to execute malicious code.

On 8 February, Adobe released emergency updates to Flash Player, taking its version number, on Windows and Mac, up to 11.5.502.149. Then further patches were released on 12 February as part of the regularly scheduled Patch Tuesday, bringing the version number up to 11.6.602.168. In the latest update the version number rises to 11.6.602.171 for Windows and Mac OS X versions; the updates can be downloaded from Adobe. Internet Explorer 10 users on Windows 8 should be automatically updated. Google Chrome users on all platforms should also be automatically updated to Chrome version 25.0.1364.97 which includes the fixed Flash. Linux users can download the latest version for Linux,
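For administrators checking whether installed copies are at or above the fixed builds named above, the following is an added example (not from Adobe or this article) that compares dotted version strings numerically rather than lexically; the host inventory is constructed sample data and the fixed-version table is assumed from the versions quoted in the text.

```python
from typing import Dict, List, Optional, Tuple

# Fixed builds named in the advisory text; Linux is omitted because the
# article gives no version number for it.
FIXED_VERSIONS: Dict[str, str] = {
    "windows": "11.6.602.171",
    "macos": "11.6.602.171",
    "chrome": "25.0.1364.97",  # Chrome build that bundles the fixed Flash
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '11.6.602.171' into (11, 6, 602, 171).

    Plain string comparison would rank '11.6.602.97' above '11.6.602.171'
    because '9' > '1'; numeric tuples avoid that mistake.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform: str, installed: str) -> Optional[bool]:
    """True if installed >= fixed build for the platform, None if platform unknown."""
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        return None
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))  # pad so (11, 6) compares as (11, 6, 0, 0)
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

# Constructed inventory: (hostname, platform, installed Flash or Chrome version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("host1", "windows", "11.6.602.168"),  # Patch Tuesday build, still vulnerable
    ("host2", "macos", "11.6.602.171"),    # fixed
    ("host3", "chrome", "25.0.1364.97"),   # fixed
    ("host4", "windows", "11.5.502.149"),  # 8 February build, still vulnerable
]

def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose version is below the fixed build for their platform."""
    return [host for host, platform, ver in inventory
            if is_patched(platform, ver) is False]

if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE_INVENTORY))  # ['host1', 'host4']
```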

Windows users who update manually from the Adobe web site should remember to deselect the option to download the additional McAfee Security Scan Plus application.