Adobe patches Flash again, but not the flaws exploited at Pwn2Own
Posted on 13 March 2013.
As promised last year, Adobe has been issuing its scheduled Flash updates on the second Tuesday of each month - the same day that Microsoft chose for its monthly Patch Tuesday.

Yesterday's cumulative Flash update addressed vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system: an integer overflow vulnerability (CVE-2013-0646), a use-after-free and a heap buffer overflow vulnerability (CVE-2013-0650 and CVE-2013-1375, respectively) and a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).

What is missing from the update is a patch for the three zero-days (an overflow, a ASLR bypass technique and a IE9 sandbox memory corruption) that the team from Vupen security chained together to exploit Adobe Flash on IE 9 on Windows 7 at the Pwn2Own competition held last week at the CanSecWest conference in Vancouver.

While a patch for them would have been welcome, its absence is not that surprising. The time frame between the two events is rather short, and even a well-oiled machine such as Microsoft hasn't managed to patch the two zero-days that the Vupen team exploited to achieve a full IE 10 on Windows 8 compromise with sandbox bypass in time for its regular Patch Tuesday.

Users who update their Flash manually can pick up the patched versions for Windows, Mac and Linux at Adobe's Plash Player official download page.


VPN protocol flaw allows attackers to discover users' true IP address

The team running the Perfect Privacy VPN service has discovered a serious vulnerability that affects all VPN providers that offer port forwarding, and which can be exploited to reveal the real IP address of users.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Dec 1st