The software giant repaired two Flash Player vulnerabilities that could be used by attackers to execute malicious code or cause a denial-of-service condition. One of the errors could be used by attackers to obtain sensitive information via unspecified vectors, Adobe said. The update, issued Monday, affects users of Flash Player running on Windows, Macintosh, Linux and Solaris, as well as Flash Player for Google Android devices.
Adobe said it is not aware of any exploits in the wild attempting to target either vulnerability. Danish vulnerability clearinghouse Secunia issued a Flash Player advisory, giving the update a “highly critical” rating. Secunia said the issues stem from Flash Player’s Matrix3D engine, which is designed to position and orient a three-dimensional (3D) display object.
Adobe’s Brad Arkin on security research, vulnerability management
Adobe makes pitch for defensive security research to cripple exploit writing
Adobe vulnerability management: Arkin on the new threat landscape
The Flash Player update is the first one using the Adobe Priority Rating System. The critical update issued this week was given a “Priority 2” rating, meaning there are currently no known exploits in the wild and Adobe does not anticipate any imminent exploits targeting the flaws.
In a blog post about the new rating system, David Lenoe, group manager of the Adobe Product Security Incident Response Team (PSIRT), said the priority ratings give patching admins a better way to prioritize patch testing and deployment processes.
“All critical security updates are not created equal,” Lenoe wrote. “For example, if a Flash Player issue is being exploited in the wild, the update to resolve the vulnerability deserves a much higher priority than, say, a patch for a critical vulnerability in Photoshop.”
Vulnerabilities being targeted in the wild will be given “Priority 1” rating, meaning administrators should install the update within 72 hours or as soon as possible. A “Priority 3” rating is for updates that are optional because historically the software has not been a target for attackers.
“We’re going to base our priority ranking on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that may be in place,” Lenoe said. “This is a new system, so we may find that adjustments will need to be made.”
Adobe introduced Mozilla Firefox support for its Flash Player protected mode feature last month. The company has been engineering a sandbox environment for the browser component. The protected mode, also available in Google Chrome, isolates Flash Player from critical processes, making it more difficult for attackers to break out of the Flash component into a victim’s system.