Adobe today patched a pair of critical vulnerabilities in Flash Player and told IT administrators to apply the update within 30 days.
The update was the second for Flash this year; Adobe last patched it less than three weeks ago .
"These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," Adobe acknowledged in an accompanying security advisory issued around 3 pm ET.
One of the bugs was a memory corruption vulnerability in Matrix3D - an Adobe ActionScript class that determines the position of three-dimensional objects in Flash - and, said Adobe, "could lead to code execution."
The second, less serious vulnerability, was labelled an "information disclosure" bug.
Unlike last month's Flash update, attackers have not yet begun exploiting these vulnerabilities, said Adobe.
Because of that, Adobe tagged today's Flash Player update as "Priority 2," the midpoint of a new three-label advisory system the company quietly announced last week in a blog post by David Lenoe, group manager of Adobe's product security incident response team.
Arguing that "All critical security updates are not created equal," Lenoe said Adobe was instituting a three-step update recommendation ranking.
Priority 1 will be reserved for updates Adobe believes should be applied immediately by consumers, and within 72 hours by enterprises. These updates, said Lenoe, will patch so-called "zero-day" bugs that are already being exploited by hackers.
By that definition, the 15 February Flash update would have been pegged as Priority 1.
Priority 2 updates - such as today's - should be deployed "soon" said Adobe, and suggested that corporate IT administrators roll them out within 30 days. "[These updates] resolve vulnerabilities in a product that has historically been at elevated risk ... [and] based on previous experience, we do not anticipate exploits are imminent," said Adobe last week.
Finally, Priority 3 updates will be those that Adobe will recommend administrators apply "at their discretion" because they "resolve vulnerabilities in a product that has historically not been a target for attackers."
Lenoe said the new priority ranking took into account historical attack patterns, the type of bug, the software affected and mitigations that may be available. Adobe will also continue to broadcast its already-in-use ratings, such as "critical," alongside the new priority labels.
"It's basically 1 for now, 2 for tomorrow and 3 for maybe," said Andrew Storms, director of security operations at nCircle Security, in an interview.
Storms also saw the new rankings as a logical move for Adobe, which has adopted several of Microsoft's security practices, including the latter's development process and for some products a regular patching schedule.
"This totally is a Microsoft catch up," said Storms of Adobe's new system, comparing it to Microsoft's monthly deployment recommendations of its Patch Tuesday updates. "It's almost the natural progression of any vendor that is doing regular security bulletins."
He also praised Adobe for the move, even though he said enterprise IT administrators would like more patching granularity from the company.
"It would be more worthwhile for IT if there were more than one update today, so we would stack the Adobe bulletins and decide where to put resources," he said, referring to the two patches included in Monday's update, one obviously more important than the other.
"Nonetheless it is a nice, quick ranking that lets me take one look to see whether the Adobe update addresses a zero-day [and if it does not], I can probably wait a day to assign resources to investigate," Storms added.," Storms added.
Adobe credited two Google security researchers, Tavis Ormandy and Fermin Serna, with reporting the Flash bugs.
Yesterday, when Google patched Chrome 17, it also refreshed the Flash Player bundled with the browser to include the patches Adobe issued to others today.
The patched versions of Flash Player for Windows, Mac, Linux and Solaris can be downloaded from Adobe's website. Alternately, users can run Flash's update tool or wait for the software to prompt them that a new version is available.
Android users can retrieve the new version from the Android Market