Adobe has released a patch for two Flash player vulnerabilities that are being actively exploited against Windows and OS X users to install malware on their systems. The first of them, CVE-2013-0633, works by tricking Windows users into opening a Word document containing malicious Flash content, while the bug, cataloged as CVE-2013-0634, can be exploited via Apple’s Safari or Mozilla’s Firefox browsers in both platform as well as Word documents booby-trapped with malicious Flash content on Windows.
Adobe credited members of the Shadowserver Foundation, Lockheed Martin's Computer Incident Response Team, MITRE, and antivirus provider Kaspersky Lab for their help in discovering the vulnerabilities. Although only OS X and Windows have been reported to be under attack, Linux and Android received an update as well.
Users are warned to update their software as soon as possible using the in-built updater or standalone installer.
Ars notes Adobe’s advisory came the same day the company announced that a future version of Flash will make this sort of embedded attacks in Microsoft Office documents more difficult to achieve. Namely, it will introduce a "click-to-play" prompt for users of Office 2008 and earlier so content only runs with user approval. Office 2010 and later already has a “Protected Mode” that limits the privileges of content within a document.
Mozilla also announced a similar security feature for an upcoming version of its Firefox browser. The change will happen gradually and eventually plug-ins like Silverlight, Adobe Reader, Java will be blocked by default. Flash will still be allowed to run but only when the most recent version is installed.