Adobe Issues Two Important Patches For Flash

The two fixes address CVE-2014-0503 and CVE-2014-0504.

CVE-2014-0503 was discovered and reported by Masato Kinugawa. It would allow an attacker to bypass the same-origin policy, and could thus facilitate cross-site request forgery attacks.

CVE-2014-0504 was discovered and reported by Jordan Milne. Adobe says it "could be used to read the contents of the clipboard." The Hacker News adds, "The Clipboard can be used to store data, such as text and images, but flaw could allow hacker to stuff malware URLs onto your clipboard."

"Both are rated as important, meaning they cannot be used to gain remote code execution on the targeted platforms," notes Wolfgang Kandek, CTO at Qualys.

Organizations or individual users running Chrome or Internet Explorer 10+ will have Flash updated automatically within the browser. Users who leave their systems running for extended periods will need to shut down and reboot in order for the updates to take effect. Users of all other browsers – or users with additional browsers installed – should take responsibility for updating Flash themselves. 

"These updates address important vulnerabilities, and Adobe recommends users update their product installations to the latest versions," says Adobe. The latest version for Windows and Mac is 12.0.0.77. The latest version for Linux is 11.2.202.346. 

Users can get the latest versions from the Adobe Flash Player Download Center, but Security Garden warns, "that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive. If you use the download center, uncheck any unnecessary extras... Any pre-checked option is not needed for the Flash Player update."
