Adobe issues emergency patch for zero-day Flash vulnerabilities

The company says two vulnerabilities are being actively exploited and recommends that Windows and Mac OS X users of the browser plug-in update their systems immediately.

Steven Musil

Adobe Systems released an emergency security update today that addresses a trio of vulnerabilities in Flash, two of which the company said were already being exploited by hackers.

Today's surprise update -- the company's third for the browser plug-in this month -- patches holes "that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security bulletin.

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a Web site serving malicious Flash content," the advisory stated, identifying the vulnerabilities by their Common Vulnerabilities & Exposures identifiers. "The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser."

Adobe assigned a Priority 1 rating to the vulnerabilities being exploited on Windows and Mac OS X and advised users of both operating systems to install the update within 72 hours. That rating -- Adobe's highest threat level -- identifies "vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." The bulletin also assigned a Flash vulnerability facing Linux users a Priority 3 rating, which refers to "a product that has historically not been a target for attackers."

Adobe recommends users update to the latest versions:

  • Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171.
  • Users of Adobe Flash Player and earlier versions for Linux should update to Adobe Flash Player
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh, and Linux.
  • Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.6.602.171 for Windows.

The update is Adobe's third this month and its second emergency update in less than three weeks. A fix for two zero-day threats issued on February 8 addressed vulnerabilities that affected all versions of Flash on Windows, Mac, Linux, and Android.