On March 6, Adobe released two “critical” fixes for its Flash Player. The fixes apply to all versions of Flash running on the Android, Solaris, Linux, Macintosh, and Windows platforms. According to Adobe’s official statement, if these vulnerabilities remain unpatched, a system can crash and an attacker might be able to take control of it. The first fix deals with a “memory corruption vulnerability in Matrix3D.” If left unfixed, this might allow attackers to execute code remotely. The second fix addresses integer errors. This security issue may allow attackers to cause information disclosure. Adobe is fixing both vulnerabilities before any exploits of these flaws have been reported.
This set of fixes comes only 20 days after Flash’s last release of fixes. The previous fix package handled seven security vulnerabilities.
This latest fix package is notable because it is the first security update to use Adobe’s new system for priority ratings. Unveiled during the week of Feb 27 on Adobe’s website, the rating system ranks threats on a three-level priority scale. The new system is meant to make the risk rating for Adobe’s fixes as direct and simple as possible. The rating scale is composed of Priority 1, Priority 2, and Priority 3. Priority 3 fixes have the lowest severity on the priority scale. These are usually fixes for issues found in Adobe products that are low-priority attack targets. These can be applied at the discretion of IT admins. Priority 2 fixes, which include the latest fix release, handle exploits that are normally hard to execute in Adobe products that have previously been attack targets. Adobe recommends that users and network admins apply Priority 2 fixes within 30 days of their release. Finally, Priority 1 fixes address exploits that are currently taking place in the wild. Adobe recommends that users apply these fixes within 72 hours of their release.