Adobe today patched new vulnerabilities in Flash Player that hackers are now exploiting in attacks aimed at Firefox users, the company said.
Today's surprise update to Flash Player was the second emergency fix this month, the third overall for February, and the fourth since the start of 2013.
In the accompanying advisory, Adobe confirmed it was patching three vulnerabilities in the popular media player browser plug-in. Two of the trio, said Adobe, are being used by attackers.
"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash content," the advisory stated, listing the vulnerabilities by their Common Vulnerabilities & Exposures, or CVE, identifiers. "The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser."
The two flaws Adobe singled out were thus "zero-day" vulnerabilities, meaning that criminals exploited them with attack code before the bugs were patched.
Adobe did not credit a researcher for reporting either CVE-2013-0643 or CVE-2013-0648. And Mozilla did not immediately reply to questions about the attacks Adobe said were targeting only Firefox, or whether its security team had spotted the attacks and notified Adobe.
Tuesday's "out-of-band" update came less than three weeks after a Feb. 8 fix for two exploited-in-the-wild flaws. Adobe has also issued two other regularly scheduled updates for Flash this year as part of its plan to synchronize its security releases with Microsoft's monthly Patch Tuesdays.
The frequent Flash updates only add to what has become a hectic start to the year for security experts and IT administrators: Oracle has also shipped multiple updates for Java in the last two months, including a pair of rush updates to quash actively exploited bugs.
"These past two months have been a whirlwind of advisories from vendors," noted Wolfgang Kandek, CTO of Qualys, in an interview via instant messaging today. "I think many IT shops have [had] a hard time keeping up."
Kandek also noted that it was unusual for a particular browser to be singled out.
In fact, Firefox recently lowered the boom on plug-ins. At the end of January, Mozilla announced it was automatically disabling all plug-ins in Firefox except the latest version of Adobe's Flash Player, saying the drastic step was needed to safeguard users from "drive-by" attacks, which trigger exploits as soon as a victim visits a malicious or compromised website.
The feature, called "click-to-play," blocks a plug-in from running until the user explicitly clicks on it, and has become popular as browser makers try to keep users safe from a rising tide of exploits that leverage bugs in plug-ins.
But because the attacks Adobe described exploited unpatched vulnerabilities in the most recent version of Flash Player, Firefox's click-to-play defense, even if it had been fully implemented (which, according to Mozilla's blacklist, it had not), would not have protected its users.
The patched versions of Flash Player for Windows, Mac and Linux can be downloaded from Adobe's website. Windows and Mac users can also wait for Flash's automatic updating tool to kick in. Users of Google's Chrome and Microsoft's Internet Explorer 10 (IE10) on Windows 8 will receive the newest Flash via those browsers' own update mechanisms.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
This story, "Adobe springs emergency Flash update, says hackers hitting Firefox," was originally published by Computerworld.