Adobe Systems issued an emergency, out-of-band security update for Flash Player repairing two flaws that the software maker said are being actively targeted by attackers.
Adobe said one of the flaws is being used on websites that target Flash Player in Firefox and Safari browsers. An attack using a malicious email attachment also has been detected targeting Windows users, luring them to open a Word document with hidden malicious code.
"These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its security advisory.
Adobe also addressed a buffer overflow vulnerability as part of its emergency update. Exploit code detected in the wild targets an ActiveX version of Flash Player on Windows and is being seen in active phishing attacks. Adobe said the attackers are also using a malicious Word document containing malicious Flash content.
The update impacts users of Flash Player on Windows, Mac, Linux and Android devices. Updates can be found on the Adobe Flash Player page. Adobe issued an update in January fixing 26 vulnerabilities in its Reader and Acrobat software as well as a critical flaw in Flash Player.
As part of its update, Adobe also said it was preparing to release a new security feature in Flash Player, enabling it to use a sandbox environment to isolate it from critical browser and PC processes.
Adobe introduced its Reader X software in November 2010, providing a sandbox environment to make PDF attacks more difficult for cybercriminals to carry out. Since the introduction of the security protection, "the most common Flash Player zero-day attack vector has been malicious Flash content embedded in Microsoft Office documents and delivered via email," said Peleus Uhley, a platform security strategist with Adobe's secure software engineering team.
In a blog entry outlining the upcoming Flash Player protection, Uhley said Flash Player will prompt users of Microsoft Office 2008 and earlier before executing Flash content. It prevents malicious content from immediately executing, he said. Microsoft Office 2010 includes a Protected Mode sandbox for limiting the privileges of content within the document.
"We've seen these types of user interface changes lead to shifts in attacker behavior in the past and are hopeful this new capability will be successful in better protecting Flash Player users from attackers leveraging this particular attack vector as well," Uhley wrote.