Adobe Patches Flash Bugs, Attackers Targeted Firefox Users
If you are a Firefox user and missed the update released yesterday, Adobe has patched three security flaws that specifically targeted the Mozilla Firefox browser.
Adobe patched three new security flaws in its near-ubiquitous Flash Player, of which two were already being exploited in the wild. Attackers were specifically targeting Mozilla Firefox users, the company said.
The two zero-day vulnerabilities, CVE-2013-0643 and CVE-2013-0648, were being exploited in targeted attacks where users were tricked into clicking on a link to a website hosting malicious Flash files, Adobe said in its security advisory released Tuesday. The company did not credit any organization or researcher who found the zero-day vulnerabilities, but credited IBM X-Force for reporting the third security hole.
Adobe security engineers at the RSA Conference also declined to provide any additional information. “The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser,” Adobe said in the advisory. Attackers could trigger the vulnerabilities to cause Flash Player to crash and gain remote control of the computer, Adobe said.
The zero-day bugs are related to a permissions issue with the Flash Player Firefox sandbox and a flaw in the ExternalInterface ActionScript feature, which can be exploited to execute malicious code. The third bug, which is not yet being exploited, was a buffer overflow vulnerability in a Flash Player broker service, and could be used to execute malicious code, Adobe said.
The update affects all versions of Flash on Windows, Mac OS X, and Linux. Users can download the latest version from the Adobe website, or turn on background updates and let the software grab the version automatically. Google and Microsoft will update Flash on Chrome and Internet Explorer 10 (for Windows 8) separately.
Senior Member
Posts: 12990
Joined: 2003-05-24
This update to Flash seems to have fixed the whole issue of FF freezing for a few seconds when loading heavy websites, with lots of things being loaded, which in turn would freeze everything else, like games in windowed fullscreen, while FF was frozen for those few seconds. At least I have yet to see it happen with this update.
Senior Member
Posts: 1095
Joined: 2010-11-28
I find this complements NoScript on Firefox for plugin security:
https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/
This feature is enabled by default, so users are automatically protected. For the adventurous, the about:config preference “plugins.click_to_play” can be set to true to enable click-to-play for all plugins, not just out-of-date ones. However, this aspect of the feature is still in development