The patched vulnerabilities involve an integer overflow that could lead to code execution (CVE-2013-0646); a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650); and memory corruption and heap buffer overflow vulnerabilities that could lead to code execution (CVE-2013-1371 and CVE-2013-1375).
It is thought that none of the vulnerabilities are currently being exploited, but users are advised to update as soon as possible. Current versions of Internet Explorer 10 and Chrome will be updated automatically. Users of other browsers can discover their current Flash version here. Latest versions of the software can be downloaded from the Adobe download center, but note that Brian Krebs adds his usual warning, “beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.”
Discovery of two of the four vulnerabilities is attributed to the Google Security Team, one was reported anonymously through iDefense's Vulnerability Contributor Program, and one by Attila Suszter. Suszter has given more details on his discovery in his Reversing on Windows blog. “If an attacker can exploit the time window between the unload and the dereference, it's possible to redirect the execution flow,” he wrote.
Noticeably, but unsurprisingly, reports Computerworld, “Adobe did not patch the bug or bugs that a team from Vupen, a French vulnerability research and exploit-selling firm, used to hack Flash Player at last week's Pwn2Own contest. The Vupen team was awarded $70,000 for demonstrating their hack of Flash on IE9 running in Windows 7.”
Adobe has said that it plans to fix this/these vulnerabilities in its next scheduled update in April.