In addition to resolving the two vulnerabilities being exploited in the wild, Adobe also resolved “a buffer overflow vulnerability in a Flash Player broken service, which can be used to execute malicious code.” These updates were posted under Adobe’s sixth security bulletin for February (APSB13-08) and should conclude what has been a busy month for the software company’s security team. Adobe recommends that all Mac users update to Adobe Flash Player 11.6.602.171 immediately. Flash Player versions for other operating systems have also been updated.
In Adobe’s security bulletin, the company posted a brief description of the vulnerabilities being exploited in the wild:
“Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser.”
Following are details of the three vulnerabilities covered in this Flash update:
Users of Adobe Flash Player 11.6.602.167 and earlier versions for Mac OS X should download the 16.14 MB update to Adobe Flash Player 11.6.602.171 as soon as possible. Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Macintosh, Linux, and Windows operating systems.