ESB-2011.0827 - ALERT [Win][Linux][Mobile][Solaris][Mac][OSX] Adobe Flash Player & AIR: Multiple vulnerabilities

Date: 10 August 2011
References: ASB-2011.0063  ESB-2011.0838  ESB-2011.0843  ESB-2011.1127  

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0827
             Security update available for Adobe Flash Player
                              10 August 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
                   Adobe AIR
Publisher:         Adobe
Operating System:  Windows
                   Mac OS X
                   Linux variants
                   Solaris
                   Mobile Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-2425 CVE-2011-2417 CVE-2011-2416
                   CVE-2011-2415 CVE-2011-2414 CVE-2011-2140
                   CVE-2011-2139 CVE-2011-2138 CVE-2011-2137
                   CVE-2011-2136 CVE-2011-2135 CVE-2011-2134
                   CVE-2011-2130  

Original Bulletin: 
   http://www.adobe.com/support/security/bulletins/apsb11-21.html

--------------------------BEGIN INCLUDED TEXT--------------------

Security update available for Adobe Flash Player

   Release date: August 9, 2011

   Vulnerability identifier: APSB11-21

   CVE number: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136,
   CVE-2011-2137,  CVE-2011-2138,  CVE-2011-2139,  CVE-2011-2140,
   CVE-2011-2414,  CVE-2011-2415,  CVE-2011-2416,  CVE-2011-2417,
   CVE-2011-2425

   Platform: All platforms

Summary

   Critical vulnerabilities have been identified in Adobe Flash Player
   10.3.181.36 and earlier versions for Windows, Macintosh, Linux and
   Solaris, and Adobe Flash Player 10.3.185.25 and earlier versions for
   Android.  These vulnerabilities could cause a crash and potentially
   allow an attacker to take control of the affected system.

   Adobe recommends users of Adobe Flash Player 10.3.181.36 and earlier
   versions for Windows, Macintosh, Linux and Solaris update to Adobe
   Flash Player 10.3.183.5. Users of Adobe Flash Player for Android
   10.3.185.25 and earlier versions should update to Adobe Flash Player
   for Android 10.3.186.3. Users of Adobe AIR 2.7 for Windows and
   Macintosh should update to Adobe AIR 2.7.1, and users of AIR 2.7 for
   Android should update to Adobe AIR 2.7.1.1961.

   Note: Adobe is not aware of any exploits 'in the wild' for the issues
   addressed in this update.

Affected software versions

     * Adobe Flash Player 10.3.181.36 and earlier versions for Windows,
       Macintosh, Linux and Solaris operating systems
     * Adobe Flash Player 10.3.185.25 and earlier versions for Android
     * Adobe AIR 2.7 and earlier versions for Windows, Macintosh, and
       Android

   To verify the version of Adobe Flash Player installed on your system,
   access the About Flash Player page, or right-click on content
   running in Flash Player and select "About Adobe (or Macromedia) Flash
   Player" from the menu.  If you use multiple browsers, perform the check
   for each browser you have installed on your system.

   To verify the version of Adobe Flash Player for Android, go to Settings
   > Applications > Manage Applications > Adobe Flash Player 10.x.

Solution

   Adobe recommends that all users of Adobe Flash Player 10.3.181.36 and
   earlier versions for Windows, Macintosh, Linux and Solaris upgrade to
   the newest version, 10.3.183.5, by downloading it from the Adobe
   Flash Player Download Center. Windows users and users of Adobe Flash
   Player 10.3.181.16 or later for Macintosh can install the update via
   the auto-update mechanism within the product when prompted.

   Users of Adobe Flash Player for Android 10.3.185.25 and earlier
   versions should update to Adobe Flash Player for Android 10.3.186.3 by
   downloading it from the Android Marketplace by browsing to it on a
   mobile phone.

   Adobe recommends that users of Adobe AIR 2.7 for Windows and Macintosh
   update to Adobe AIR 2.7.1, and that users of Adobe AIR 2.7 for Android
   update to Adobe AIR 2.7.1.1961 from the Android Marketplace by browsing
   to it on a mobile phone.

Severity rating

   Adobe categorizes this as a critical update and recommends users
   update their installations to the newest versions.

Details

   Critical vulnerabilities have been identified in Adobe Flash Player
   10.3.181.36 and earlier versions for Windows, Macintosh, Linux and
   Solaris, and Adobe Flash Player 10.3.185.25 and earlier versions for
   Android.  These vulnerabilities could cause a crash and potentially
   allow an attacker to take control of the affected system.

   Adobe recommends users of Adobe Flash Player 10.3.181.36 and earlier
   versions for Windows, Macintosh, Linux and Solaris update to Adobe
   Flash Player 10.3.183.5. Users of Adobe Flash Player for Android
   10.3.185.25 and earlier versions should update to Adobe Flash Player
   for Android 10.3.186.3. Users of Adobe AIR 2.7 for Windows and
   Macintosh should update to Adobe AIR 2.7.1, and users of AIR 2.7 for
   Android should update to Adobe AIR 2.7.1.1961.

   Note: Adobe is not aware of any exploits 'in the wild' for the issues
   addressed in this update.

   This update resolves a buffer overflow vulnerability that could lead to
   code execution (CVE-2011-2130).

   This update resolves a buffer overflow vulnerability that could lead to
   code execution (CVE-2011-2134).

   This update resolves a memory corruption vulnerability that could lead
   to code execution (CVE-2011-2135).

   This update resolves an integer overflow vulnerability that could lead
   to code execution (CVE-2011-2136).

   This update resolves a buffer overflow vulnerability that could lead to
   code execution (CVE-2011-2137).

   This update resolves an integer overflow vulnerability that could lead
   to code execution (CVE-2011-2138).

   This update resolves a cross-site information disclosure vulnerability
   that could lead to code execution (CVE-2011-2139).

   This update resolves a memory corruption vulnerability that could lead
   to code execution (CVE-2011-2140).

   This update resolves a buffer overflow vulnerability that could lead to
   code execution (CVE-2011-2414).

   This update resolves a buffer overflow vulnerability that could lead to
   code execution (CVE-2011-2415).

   This update resolves an integer overflow vulnerability that could lead
   to code execution (CVE-2011-2416).

   This update resolves a memory corruption vulnerability that could lead
   to code execution (CVE-2011-2417).

   This update resolves a memory corruption vulnerability that could lead
   to code execution (CVE-2011-2425).

   Affected software                                      Recommended player update  Availability
   -----------------------------------------------------  -------------------------  ----------------------------------------------------
   Flash Player 10.3.181.34 and earlier                   10.3.183.5                 Flash Player Download Center
   Flash Player 10.3.181.34 and earlier -
     network distribution                                 10.3.183.5                 Flash Player Licensing
   Flash Player 10.3.185.25 and earlier for Android       10.3.186.3                 Android Marketplace (browse to on an Android phone)
   Flash Player 10.3.181.36 and earlier for Chrome users  10.3.183.5                 Google Chrome Releases
   AIR 2.7                                                2.7.1                      AIR Download Center
   AIR 2.7 for Android                                    2.7.1.1961                 Android Marketplace (browse to on an Android phone)
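The following is an added example and is not part of the Adobe bulletin or of AusCERT's redistribution of it. It turns the version check described under "Affected software versions" and the fixed builds listed in the update table into a small triage script: given an inventory of installed Flash Player and AIR builds, it reports which entries are still at an affected version. Version strings are compared component by component as integers rather than as text, because a plain string comparison ranks "10.3.181.36" below "10.3.181.5". The product and platform labels, the hostnames and the sample inventory are constructed for this example.

```python
# Added example, not Adobe's or AusCERT's code: triage an inventory of
# Flash Player / AIR builds against the fixed versions named in APSB11-21.
from typing import Dict, List, Tuple

# First fixed build per (product, platform), taken from the bulletin's
# Solution section and update table. Anything below it is affected.
# The product/platform labels are this example's own naming.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("Flash Player", "Windows"): "10.3.183.5",
    ("Flash Player", "Macintosh"): "10.3.183.5",
    ("Flash Player", "Linux"): "10.3.183.5",
    ("Flash Player", "Solaris"): "10.3.183.5",
    ("Flash Player", "Android"): "10.3.186.3",
    ("AIR", "Windows"): "2.7.1",
    ("AIR", "Macintosh"): "2.7.1",
    ("AIR", "Android"): "2.7.1.1961",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "10.3.181.36" into (10, 3, 181, 36) so comparisons are numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to, or higher than b.
    Missing trailing components count as zero, so "2.7.1" equals "2.7.1.0"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(product: str, platform: str, installed: str) -> bool:
    """True when the installed build is older than the first fixed build for
    that product/platform pair. An unknown pair raises instead of passing."""
    fixed = FIXED_VERSIONS[(product, platform)]
    return compare_versions(installed, fixed) < 0


def triage(inventory: List[Tuple[str, str, str, str]]):
    """Return the entries of an inventory of (product, platform, host, version)
    that still need the update, as (host, product, platform, installed, fixed)."""
    findings = []
    for product, platform, host, installed in inventory:
        if is_affected(product, platform, installed):
            fixed = FIXED_VERSIONS[(product, platform)]
            findings.append((host, product, platform, installed, fixed))
    return findings


# Constructed sample inventory: hostnames and builds are made up for the
# example. One entry per browser plug-in per host mirrors the bulletin's
# advice to repeat the check in every installed browser.
SAMPLE_INVENTORY = [
    ("Flash Player", "Windows", "ws-01", "10.3.181.36"),   # upper bound of "and earlier"
    ("Flash Player", "Windows", "ws-02", "10.3.183.5"),    # already at the fixed build
    ("Flash Player", "Macintosh", "mac-01", "10.3.181.16"),
    ("Flash Player", "Android", "phone-01", "10.3.185.25"),
    ("Flash Player", "Android", "phone-02", "10.3.186.3"),
    ("AIR", "Windows", "ws-03", "2.7"),
    ("AIR", "Android", "phone-03", "2.7.1.1961"),
]

if __name__ == "__main__":
    for host, product, platform, installed, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} on {platform} is affected; "
              f"update to {fixed}")
```

The numeric comparison is the point of the example: "10.3.181.36" and "10.3.181.5" differ in their last component, and text ordering compares the digit '3' against '5' and gets the answer backwards. Padding shorter versions with zeros also lets the AIR threshold "2.7.1" be compared against a four-part Android build like "2.7.1.1961" without special-casing.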


Acknowledgments

   Adobe would like to thank the following individuals and organizations
   for reporting the relevant issues and for working with Adobe to help
   protect our customers:
     * Brandon Hardy  (CVE-2011-2139)
     * Yang Dingning of NCNIPC, Graduate University of Chinese Academy of
       Sciences (CVE-2011-2134)
     * Wushi of Team 509 via iDefense Labs (CVE-2011-2135)
     * Alexander Zaitsev of Positive Technologies (CVE-2011-2137)
     * Anonymous reporter via TippingPoint's Zero Day Initiative
       (CVE-2011-2138)
     * Anonymous reporter via TippingPoint's Zero Day Initiative
       (CVE-2011-2140)
     * Bo Qu of Palo Alto Networks (CVE-2011-2414, CVE-2011-2415)
     * Honggang Ren of Fortinet's FortiGuard Labs (CVE-2011-2415,
       CVE-2011-2425)
     * Vitaliy Toropov via iDefense Labs (CVE-2011-2416,
       CVE-2011-2136)
     * Marc Schoenefeld (Dr. rer. nat.) of the Red Hat Security
       Response Team (CVE-2011-2417)

   Adobe would also like to thank Tavis Ormandy and the Google Chrome team
   for their great work on several improvements to this Flash Player
   release.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================