Adobe has released a fix for a zero-day vulnerability in Flash Player, which impacts users running Windows, Mac and Linux operating systems.
The company yesterday urged Windows and Mac users to download Flash Player versions 126.96.36.199 and 11.7.700.261 (for those who cannot update to version 12.0). Those running Flash on Linux systems were directed to install version 188.8.131.526 of the plug-in.
The issue stems from an integer underflow vulnerability, which could allow an attacker to remotely take control of an affected system and execute malicious code.
Adobe said the previously unknown vulnerability, CVE-2014-0497, had been exploited in the wild.
In its bulletin, Adobe also directed users running versions of Flash for Chrome and Internet Explorer 10 and 11 web browsers to update to the newly released 184.108.40.206 plug-in.
Four critical vulnerabilites for Firefox
Mozilla also released a number of patches yesterday, including four of which address critical vulnerabilities.
Of the critical flaws outlined in Mozilla Firefox 27's 13 patches, one involves a crash when using web workers with asm.js, one involves use-after-free with imgRequestProxy and image processing, another involves incorrect use of discarded images by RasterImage, and the final one involves miscellaneous memory safety hazards, according to a security advisory.
Mozilla defines critical flaws as vulnerabilities that can be used to run attacker code and install software, requiring no interaction by users other than regular browsing.
“In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled in mail, but is potentially a risk in browser or browser-like contexts,” according to a note posted in the description for each of the four critical vulnerabilities.
Wolfgang Kandek, CTO of Qualys, said the attacks deemed critical could allow an attacker to take over a targeted computer.
“Attacks of this type usually come through a website that the attacker controls, either itself a victim of the attacker that counts on the site's normal visitors to fall prey to the attack, or specifically setup for the task and then using ‘Search Engine Poisoning' to attract visitors to the site,” Kandek said.