The update pack also comes with two fixes for high-risk flaws, both of which are same-origin violation bugs. The first is based on loading an Adobe Flash file via the view-source: scheme. Apparently, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities.
First, the Flash file can bypass restrictions imposed by the crossdomain.xml mechanism and initiate HTTP requests to arbitrary third-party sites, thus enabling attackers to perform CSRF attacks. Second, the Flash file can read and write Local Shared Objects on a user’s machine, which would enable attackers to place cookie-like objects on that user’s computer and track the user across multiple sites.
Users will automatically receive the new update in the next 48 hours.