Release date: February 7, 2013
Last updated: February 12, 2013
Vulnerability identifier: APSB13-04
Priority: See table below
CVE number: CVE-2013-0633, CVE-2013-0634
Platform: All Platforms
Adobe has released security updates for Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.261 and earlier versions for Linux, Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.
Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.
Adobe recommends users update their product installations to the latest versions:
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.
Adobe recommends users update their software installations by following the instructions below:
Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:
Product | Updated version | Platform | Priority rating |
---|---|---|---|
Adobe Flash Player | 11.5.502.149 | Windows and Macintosh | 1 |
Adobe Flash Player | 11.2.202.262 | Linux | 3 |
Adobe Flash Player | 11.1.115.37 | Android 4.x | 3 |
Adobe Flash Player | 11.1.111.32 | Android 3.x and 2.x | 3 |
Adobe AIR | 3.6.0.597 | Windows, Macintosh and Android | 3 |
Adobe AIR SDK | 3.6.0.599 | Windows, Macintosh and Android | 3 |
These updates address critical vulnerabilities in the software.
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2013-0633).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-0634).
Affected software | Recommended player update | Availability |
---|---|---|
Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh | 11.5.502.149 | Flash Player Download Center |
Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh - network distribution | 11.5.502.149 | Flash Player Licensing |
Flash Player 11.2.202.261 and earlier for Linux | 11.2.202.262 | Flash Player Download Center |
Flash Player 11.1.115.36 and earlier for Android 4.x | 11.1.115.37 | Applicable only for Android 4.x devices with Flash Player installed prior to August 15, 2012. |
Flash Player 11.1.111.31 and earlier for Android 3.x and 2.x | 11.1.111.32 | Update to devices that already have Flash Player installed prior to August 15, 2012. |
Flash Player 11.5.31.137 and earlier for Chrome users (Windows, Macintosh and Linux) | 11.5.31.139 | Google Chrome Releases |
Flash Player 11.3.378.5 and earlier in Internet Explorer 10 for Windows 8 | 11.3.379.14 | Windows Download Center |
AIR 3.5.0.1060 and earlier for Windows and Macintosh | 3.6.0.597 | AIR Download Center |
AIR 3.5.0.1060 SDK | 3.6.0.599 | AIR SDK Download |
AIR 3.5.0.1060 and earlier for Android | 3.6.0.597 | Google play (browse to on an Android device) Amazon Marketplace (browse to on an Android device) |
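To triage an asset inventory against the table above, the following added example (not part of Adobe's bulletin) compares installed versions numerically against the affected and updated versions listed here. The product keys, host names and inventory rows are constructed for illustration, and the accepted input forms (dotted, or comma-separated with a platform prefix) are an assumption about how the inventory reports versions.

```python
# Added example: triage an inventory against the APSB13-04 version table.
# Product keys and inventory rows are constructed; version numbers come from the bulletin.

# key -> (last affected version, updated version)
APSB13_04 = {
    "flash-win-mac":    ("11.5.502.146", "11.5.502.149"),
    "flash-linux":      ("11.2.202.261", "11.2.202.262"),
    "flash-android4":   ("11.1.115.36",  "11.1.115.37"),
    "flash-android2-3": ("11.1.111.31",  "11.1.111.32"),
    "flash-chrome":     ("11.5.31.137",  "11.5.31.139"),
    "flash-ie10-win8":  ("11.3.378.5",   "11.3.379.14"),
    "air-desktop":      ("3.5.0.1060",   "3.6.0.597"),
}

def parse_version(text):
    """Turn '11.5.502.146' or a 'WIN 11,5,502,146' style string into an int tuple."""
    fields = text.split()
    parts = fields[-1].replace(",", ".").split(".") if fields else []
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, installed):
    """Return (status, updated_version) for one installed product."""
    if product not in APSB13_04:
        return ("not-covered", None)
    last_affected, fixed = APSB13_04[product]
    have = parse_version(installed)
    if have >= parse_version(fixed):
        return ("updated", fixed)
    if have <= parse_version(last_affected):
        return ("affected", fixed)
    # Builds between the two are not named in the bulletin; still below the update.
    return ("below-update", fixed)

INVENTORY = [  # constructed sample rows: host, product key, reported version
    ("ws-014", "flash-win-mac", "WIN 11,5,502,146"),
    ("ws-022", "flash-win-mac", "11.5.502.99"),  # a string compare would rank this above .146
    ("ws-031", "flash-win-mac", "11.5.502.149"),
    ("lx-003", "flash-linux", "11.2.202.261"),
    ("ws-040", "flash-ie10-win8", "11.3.379.2"),
    ("ph-007", "flash-android4", "11.1.115.37"),
]

def report(rows):
    return [(host, product, *triage(product, ver)) for host, product, ver in rows]

if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```
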
Adobe would like to thank the following individuals and organization for reporting the relevant issues and for working with Adobe to help protect our customers:
February 12, 2013: Bulletin updated with AIR updates.
February 7, 2013: Bulletin posted.