Adobe Systems has released a patch for two Flash player vulnerabilities that are being actively exploited online to surreptitiously install malware, one in attacks that target users of Apple’s Macintosh platform.
While Flash versions for OS X and Windows are the only ones reported to be under attack, Thursday’s unscheduled release is available for Linux and Android devices as well. Users of all affected operating systems should install the update as soon as possible.
The Mac exploits target users of the Safari browser included in Apple’s OS X, as well as those using Mozilla’s Firefox. That vulnerability, cataloged as CVE-2013-0634, is also being used in exploits that trick Windows users into opening booby-trapped Microsoft Word documents that contain malicious Flash content, Adobe said in an advisory. Adobe credited members of the Shadowserver Foundation, Lockheed Martin’s Computer Incident Response Team, and MITRE with discovery of the critical bug.
The other bug under attack, CVE-2013-0633, also works by tricking Windows users into opening a Word document containing malicious Flash content. It was discovered by researchers from antivirus provider Kaspersky Lab.
Adobe’s advisory came the same day the company announced plans to provide new protections designed to make it harder to target Flash contained in Microsoft Office files.%2