Multiple reports are emerging of two new vulnerabilities in Adobe Flash that could lead to remote code execution. Little information about the exact nature of the bugs is available right now, and Adobe has not released any advisories or information about them either.
The vulnerabilities were disclosed on Tuesday by Russian vulnerability research company Intevydis in a post to the Daily Dave mailing list run by Immunity Inc. Intevydis does not provide information to vendors on vulnerabilities it discovers in their products, and the message on the mailing list had few details, other than to say that the exploits bypass ASLR and DEP and work against Windows 7 and older versions.
"Flash exploit makes use of two vulnerabilities, bypasses DEP/ASLR and works on Windows 7/WinXP with FF, Chrome and IE. OSX version is coming," Evgeny Legerov of Intevydis said in the message.
The news of the Flash vulnerabilities comes close on the heels of Adobe's disclosure of critical flaws in Reader and Acrobat, which are being used in targeted attacks right now. Adobe is planning to issue patches for some of the affected products next week, while the others will be patched next month in the scheduled patch release. That vulnerability has been used in targeted attacks recently, and there are reports that defense contractors are among the main targets.
Adobe officials said they have not received any information from Intevydis on the Flash bugs.