Earlier today Adobe released yet another security update for its Flash Player product, its third this month. The emergency update patches three vulnerabilities, including two critical ones (CVE-2013-0643 and CVE-2013-0648) that target Flash Player in Mozilla’s Firefox browser and could let an attacker crash and compromise affected systems.
According to a post on Adobe’s Product Security Incident Response Team (PSIRT) blog, both of the vulnerabilities are being exploited in the wild via targeted attacks. Adobe claims some attackers are tricking users into clicking a link that leads them to a website serving up malicious SWF files.
The fix affects Flash Player 22.214.171.1240 and earlier for Windows, Flash Player 11.6.602.167 and earlier for Macintosh and Flash Player 126.96.36.1990 and earlier for Linux.
Apparently the fix also resolves a permissions issue with Firefox’s Flash Player sandbox and a buffer overflow vulnerability in the Flash Player’s broker service.
Adobe last fixed Flash Player just two weeks ago, when it fixed 17 vulnerabilities with a regularly scheduled update. That patch came only a few days after the company issued an out-of-band patch for two zero-day vulnerabilities that were being exploited in the wild.
One of those zero-days (CVE-2013-0633) was affecting Microsoft Office documents, while the other (CVE-2013-0634), similar to the vulnerability that was patched today, was found targeting Firefox browsers, along with Mac OS X systems, via malicious .SWF files.