by Steven Musil / February 26
The company says two vulnerabilities are being actively exploited and recommends that Windows and Mac OS X users of the browser plug-in update their systems immediately.
Adobe Systems released an emergency security update today that addresses a trio of vulnerabilities in Flash, two of which the company said were already being exploited by hackers.
Today's surprise update -- the company's third for the browser plug-in this month -- patches holes "that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security bulletin.
"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a Web site serving malicious Flash content," the advisory stated, identifying the vulnerabilities by their Common Vulnerabilities and Exposures (CVE) identifiers. "The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser."
Adobe assigned a Priority 1 rating to the vulnerabilities being exploited on Windows and Mac OS X and advised users of both operating systems to install the update within 72 hours. That rating -- Adobe's highest threat level -- identifies "vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." The bulletin also assigned a Flash vulnerability facing Linux users a Priority 3 rating, which refers to "a product that has historically not been a target for attackers."
Adobe recommends users update to the latest versions:
The update is Adobe's third this month and its second emergency update in less than three weeks. A fix for two zero-day threats issued on February 8 addressed vulnerabilities that affected all versions of Flash on Windows, Mac, Linux, and Android.