Users of Internet Explorer 10 and Chrome will be updated automatically by Microsoft and Google respectively (Google’s Security Team found 20 of the 26 Reader vulnerabilities). Users of other browsers should ensure that their own versions are updated. The latest Flash can be downloaded from the Flash Player Download Center, but Brian Krebs warns “that option pushes junk add-ons like McAfee VirusScan. Instead, download the appropriate version for your system from Adobe’s Flash Player Distribution page (I long ago stopped waiting for Flash’s auto-updater to kick in).”
The SecurityStreet Rapid7 blog reports that “Adobe has identified at least the Windows version of this [Flash] vulnerability as being exploited in the wild,” and that, “Again, Adobe has identified the Windows 9.5 version of this [Acrobat/Reader] patch as being actively exploited in the wild.” In an email, however, Adobe stated that in both cases, “Adobe is not aware of any exploits or attacks in the wild targeting any of the issues addressed in these updates.”
Nevertheless Adobe does warn that the Windows platform has a higher likelihood of being targeted than other platforms, and that both Flash and Reader should be updated as soon as possible. Since the updates include ‘critical’ vulnerabilities – that is, vulnerabilities that could, if exploited, allow malicious native code to execute without user awareness – it is important for all users to update their versions.
Further details on the Reader/Acrobat vulnerabilities and instructions on how to update different versions can be found in Security Bulletin APSB13-02. Adobe Reader updates can be downloaded directly from http://get.adobe.com/reader.
Further details on the Flash vulnerability can be found in Security Bulletin APSB13-01.
The ColdFusion advisory can be found in Security Bulletin APSA13-01.