Adobe today patched a pair of critical vulnerabilities in Flash Player and told IT administrators to apply the update within 30 days.
The update was the second for Flash this year; Adobe last patched it less than three weeks ago \.
[ Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]
"These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," Adobe acknowledged in an accompanying security advisory issued around 3 p.m. ET.
One of the bugs was a memory corruption vulnerability in Matrix3D -- an Adobe ActionScript class that determines the position of three-dimensional objects in Flash -- and, said Adobe, "could lead to code execution."
The second, less serious vulnerability, was labeled an "information disclosure" bug.
Unlike last month's Flash update, attackers have not yet begun exploiting these vulnerabilities, said Adobe.
Because of that, Adobe tagged today's Flash Player update as "Priority 2," the midpoint of a new three-label advisory system the company quietly announced last week in a blog post by David Lenoe, group manager of Adobe's product security incident response team.
Arguing that "All critical security updates are not created equal," Lenoe said Adobe was instituting a three-step update recommendation ranking.
Priority 1 will be reserved for updates Adobe believes should be applied immediately by consumers, and within 72 hours by enterprises. These updates, said Lenoe, will patch so-called "zero-day" bugs that are already being exploited by hackers.
By that definition, the Feb. 15 Flash update would have been pegged as Priority 1.
Priority 2 updates -- such as today's -- should be deployed "soon" said Adobe, and suggested that corporate IT administrators roll them out within 30 days. "[These updates] resolve vulnerabilities in a product that has historically been at elevated risk ... [and] based on previous experience, we do not anticipate exploits are imminent," said Adobe last week.
Finally, Priority 3 updates will be those that Adobe will recommend administrators apply "at their discretion" because they "resolve vulnerabilities in a product that has historically not been a target for attackers."
Lenoe said the new priority ranking took into account historical attack patterns, the type of bug, the software affected and mitigations that may be available. Adobe will also continue to broadcast its already-in-use ratings, such as "critical," alongside the new priority labels.
"It's basically 1 for now, 2 for tomorrow, and 3 for maybe," said Andrew Storms, director of security operations at nCircle Security, in an interview conducted Monday via instant messaging.
Storms also saw the new rankings as a logical move for Adobe, which has adopted several of Microsoft's security practices, including the latter's development process and for some products a regular patching schedule.