Exploit for one security hole already exists, possibly in use
Adobe announced that two security vulnerabilities (CVE-2013-5331 and CVE-2013-5332) available in Flash Player 11.9.900.152 had been addressed in the recently released update for the software.The company received reports that an exploit existed for CVE-2013-5331, but it has not released information about its being actively leveraged, although some sources suggest so.
The exploited vulnerability could trick the user into opening a Microsoft Word document with malicious Flash (SWF) content inside.
However, Adobe informs that this type of attack can be foiled through the Click-to-Play for Office feature, implemented back in Flash Player 11.6 and designed for Microsoft Office versions without Protected View feature to warn users that content may be harmful.
Protected View was introduced in Office 2010 and kicks off when the document is considered to be from an unreliable source, limiting privileges of the content in the file. In the case of Flash, content is prevented from executing by default.
The current Flash Player update (11.9.900.170 for Windows and Mac; 188.8.131.522 for Linux) does away with some “type confusion” and “memory corruption” vulnerabilities that could lead to code execution.
Apart from security fixes, the new revision brings to the table various repairs touching mostly on functionality on Windows 8 and 8.1. It also does away with a glitch in Google Chrome (Windows) that caused some 3D content to be rendered only in the lower left corner of the screen.
Adobe Shockwave Player has also increased its build number, to 184.108.40.206, after receiving security updates for two critical flaws (memory corruption) that could allow an attacker to run malicious code on the affected machine.
Both in the case of Flash and Shockwave Player Adobe issued the updates with the highest priority rating, which implies that the vulnerabilities are already targeted in the wild or present a higher risk to be; it is recommended to install them with the utmost urgency.