Adobe addresses two zero-day vulnerabilities, fixes buffer overflow

Feb 27, 2013 10:30 GMT  ·  By

Adobe rolled out a new update for Flash (11.6.602.171 for Windows and Mac, 11.2.202.273 for Linux), which addresses functional problems as well as security-related ones.

Falling into the first category are microphone SampleDataEvent glitches that have been reported when this major version was first released.

Security-wise, the developer did away with flaws that could lead to crashes and the possibility for an attacker to take control of the affected machine.

One of the vulnerabilities (CVE-2013-0648) was present in the ExternalInterface ActionScript feature and could be exploited to run malicious code. Another flaw (CVE-2013-0643) took advantage of a permissions issue with the Flash Player Protected Mode in Firefox (sandbox).

Both exploits target Firefox browser and have been reported as being exploited in the wild in targeted attacks. As per Adobe’s advisory note, the user would be tricked “into clicking a link which directs to a website serving malicious Flash (SWF) content.”

A buffer overflow vulnerability in a Flash Player broker service was addressed as well; the exploit relying on it would allow remote code execution.

Download Adobe Flash Player for Windows, Mac and Linux