Although the known activity specifically targets Firefox users, Microsoft has simultaneously revised its Security Advisory 2755801, noting that IE 10 users will be updated automatically, and “customers using the Adobe Flash Player plug-in with Internet Explorer on Windows 7 should review Adobe’s guidance.” Users of browsers other than Firefox should therefore not ignore this update. Chrome users, like IE 10 users, will be automatically updated via the browser’s update mechanism.
The two exploited vulnerabilities are CVE-2013-0643 (a permissions issue with the Flash Player Firefox sandbox) and CVE-2013-0648 (a vulnerability in the ExternalInterface ActionScript feature). Adobe says simply that they are “are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content.” Little else is known. The Adobe advisory does not credit anyone with the discovery of the vulnerabilities, nor is it publicly known whether these exploits have been successful against any particular target, or precisely how targeted these ‘targeted attacks’ really are.
Firefox has been improving its security against browser plug-in vulnerabilities with a click-to-play feature. “Click to Play allows users to easily choose if they wish to run a plugin on a particular site,” it announced last month. Surprisingly, it added, “Our plan is to enable Click to Play for all versions of all plugins except the current version of Flash.” Computerworld comments on the latest Adobe fix, “But because the attacks mentioned by Adobe were exploiting unpatched vulnerabilities in the most-up-to-date Flash Player, Firefox's click-to-play defense, even had it been fully implemented -- according to Mozilla's blacklist, it had not -- would not have protected its users.”
The third vulnerability patched by Adobe resolves “a buffer overflow vulnerability in a Flash Player broken service, which can be used to execute malicious code.”