Adobe released an urgent fix on Thursday for recent versions of Flash Player on Windows, Apple Mac, Linux and Android, and advised customers to update as soon as possible, citing ongoing attacks that exploit a vulnerability in the software.
Adobe released the security updates to fix a vulnerability in Flash Player, CVE-2013-0633, noting that it is being exploited "in the wild" (that is, on the public Internet) in targeted attacks. The attacks involve both web-based attacks via malicious or compromised web sites and e-mail-based attacks.
The web-based attacks use malicious Flash (SWF-format) content and target vulnerable versions of the Flash Player plugin for the Firefox and Safari web browsers. The e-mail attacks use a malicious Microsoft Word document delivered as an attachment. The document contains malicious Flash (SWF) content, and the e-mail tries to trick the recipient into opening it.
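As an added defensive example (not code from the article or from Adobe), the following Python heuristic flags SWF headers embedded in Word documents, the e-mail vector described above. It scans a legacy .doc as raw bytes and a .docx container member by member; the sample document and the SWF header in it are constructed here for the test and are not files from the attacks.

```python
import io
import struct
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib body, LZMA body

def parse_swf_header(buf, off):
    """Validate a candidate 8-byte SWF header at buf[off:]; None if implausible."""
    sig = buf[off:off + 3]
    if sig not in SWF_MAGICS or off + 9 > len(buf):
        return None
    version, length = buf[off + 3], struct.unpack_from("<I", buf, off + 4)[0]
    # Plausibility checks cut false positives on the 3-byte magic in plain text;
    # a CWS body is a zlib stream, whose first byte is 0x78.
    if version == 0 or version > 50 or length < 8 or (sig == b"CWS" and buf[off + 8] != 0x78):
        return None
    return {"offset": off, "signature": sig.decode(), "version": version, "length": length}

def find_embedded_swf(blob):
    hits = []
    for magic in SWF_MAGICS:
        pos = blob.find(magic)
        while pos >= 0:
            header = parse_swf_header(blob, pos)
            if header:
                hits.append(header)
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

def scan_office_document(data):
    """Scan a .doc (OLE2, raw bytes) or a .docx (zip container, every member)."""
    if data[:2] != b"PK":
        return find_embedded_swf(data)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [dict(h, member=name) for name in z.namelist()
                for h in find_embedded_swf(z.read(name))]

def _build_sample_docx(embedded):
    # Constructed minimal .docx-like zip for testing; not a document from the attacks.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        if embedded is not None:
            z.writestr("word/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()

# Constructed sample: a CWS header (version 10, declared length 1234) after 32 pad bytes.
SAMPLE_SWF = b"CWS" + bytes([10]) + struct.pack("<I", 1234) + b"\x78\x9c" + b"\x00" * 16
SAMPLE_DOCX = _build_sample_docx(b"\x00" * 32 + SAMPLE_SWF)
CLEAN_DOCX = _build_sample_docx(None)
```

A hit only means SWF content is present, not that it is malicious; the length and zlib checks reduce, but do not eliminate, chance matches on the three-byte magic.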
The vulnerability in question, CVE-2013-0633, is described as a buffer overflow in Adobe Flash Player that "allows remote attackers to execute arbitrary code via crafted SWF content."
The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows. The vulnerability itself affects Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 188.8.131.521 and earlier versions for Linux, Adobe Flash Player 184.108.40.206 and earlier versions for Android 4.x, and Adobe Flash Player 220.127.116.11 and earlier versions for Android 3.x and 2.x.
Other vendors were quick to respond. Microsoft released an update that fixes the vulnerability in Adobe Flash Player in Internet Explorer 10 on Windows 8.
Flaws in widely deployed software such as Flash are among the most valuable to attackers, because an exploit works across a wide variety of platforms and has a high probability of success. Adobe has taken strides in recent years to shore up its core product suite, including Flash, Shockwave, Adobe Reader and Acrobat. However, the company has had a rough go of it lately. In September, the company disclosed a high-profile compromise of its network that involved an internal build server. Adobe said at the time that its source code wasn't stolen and that the hackers didn't have access to code for any of Adobe's core products, such as Adobe Reader or Flash.