Second Adobe Flash Fix in a Month Released
Adobe released a patch late Tuesday that targets two vulnerabilities in its Flash Player.
Classified as "critical," the fix affects all versions of Flash running on Windows, Macintosh, Linux, Solaris and the Android mobile platform. According to Adobe, if unpatched, "these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," the company said in a security bulletin.
The first vulnerability the fix addresses is a "memory corruption vulnerability in Matrix3D." If unattended to, this could lead to a remote code execution attack. The second item addressed patches integer errors that may lead to an attacker exploiting an information disclosure hole.
Both vulnerabilities are receiving a fix before the flaws have been exploited in the open, according to Adobe.
This week's security update arrives only 20 days after Flash's last fix took care of seven vulnerabilities in the company's multimedia platform.
Tuesday's fix from Adobe is noteworthy due to the fact that it is the first update to institute the company's new priority ratings system, unveiled last week on the Adobe Web site.
"We want to be as simple and direct as possible about the real-world risk associated with the vulnerabilities addressed in any given security update, and we decided that adopting a separate priority ranking scheme was the best way to accomplish this," said Adobe's David Lenoe, in a blog post.
The rating system is based on a three-part ranking scale, with updates being labeled either Priority 1, Priority 2 or Priority 3.
Priority 3 fixes are the least severe, and typically take care of issues found in products that are low priorities for attacks. Adobe recommends that they be updated at the discretion of network admins.
Priority 2, which Tuesday's Flash patch is classified as, takes care of exploits that are hard to pull off in Adobe products that have a history of attacks. The company suggests that Priority 2 fixes be rolled out within 30 days of the update being issued.
Finally, Priority 1 updates target exploits that are currently being exploited in the wild. Adobe recommends these be patched within 72 hours of a fix release.
Tuesday's Adobe Flash update can be downloaded here.