Today Adobe released another update to its ubiquitous Flash Player for all platforms (Windows, Linux, Mac OS X) to address what it says are critical security vulnerabilities. The update addresses two identified vulnerabilities (CVE-2013-0643 and CVE-2013-0648); an attacker who exploited these vulnerabilities might cause a system crash, or be able to take control of the affected system.
According to Adobe’s Security Bulletin [APSB13-08], the following versions of the software are vulnerable:
- Adobe Flash Player 11.6.602.168 and earlier versions for Windows
- Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh
- Adobe Flash Player 184.108.40.2060 and earlier versions for Linux
For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page. The new version for Mac OS X and Windows is 11.6.602.171; for Linux, the new version is 220.127.116.113. (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.) The Flash Player bundled with Google Chrome will be automatically updated to version 11.6.602.171.
There are reports that these vulnerabilities are being actively exploited, primarily in attacks against the Firefox browser running on Windows systems. The exploit attempts to trick the user into visiting a Web site with malicious Flash content. Because of this, and because Flash Player has always been an attractive target for the Bad Guys, I recommend that you update your systems as soon as you conveniently can.
Windows users who have the silent update option enabled should receive the new version automatically. Windows or Mac OS X users can get the update using the update mechanism built into the software. Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page. Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) you may use.
Ars Technica has a brief article on this update, which is the third for Flash Player this month.