Adobe patches Flash again, but not the flaws exploited at Pwn2Own

As promised last year, Adobe has been issuing its scheduled Flash updates on the second Tuesday of each month – the same day that Microsoft chose for its monthly Patch Tuesday.

Yesterday’s cumulative Flash update addressed vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system: an integer overflow vulnerability (CVE-2013-0646), a use-after-free and a heap buffer overflow vulnerability (CVE-2013-0650 and CVE-2013-1375, respectively) and a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).

What is missing from the update is a patch for the three zero-days (an overflow, a ASLR bypass technique and a IE9 sandbox memory corruption) that the team from Vupen security chained together to exploit Adobe Flash on IE 9 on Windows 7 at the Pwn2Own competition held last week at the CanSecWest conference in Vancouver.

While a patch for them would have been welcome, its absence is not that surprising. The time frame between the two events is rather short, and even a well-oiled machine such as Microsoft hasn’t managed to patch the two zero-days that the Vupen team exploited to achieve a full IE 10 on Windows 8 compromise with sandbox bypass in time for its regular Patch Tuesday.

Users who update their Flash manually can pick up the patched versions for Windows, Mac and Linux at Adobe’s Plash Player official download page.