Date: 25 September 2012
References: ESB-2012.0814
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0800.2
Security updates available for Adobe Flash Player
25 September 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Windows
                   Mac OS X
                   Linux variants
                   Android
Impact/Access:     Denial of Service               -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5054 CVE-2012-4171 CVE-2012-4168 CVE-2012-4167
                   CVE-2012-4166 CVE-2012-4165 CVE-2012-4164 CVE-2012-4163
Original Bulletin:
   http://www.adobe.com/support/security/bulletins/apsb12-19.html
Revision History:  September 25 2012: Added information regarding CVE-2012-4171
                                      and CVE-2012-5054
                   August 22 2012:    Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Security updates available for Adobe Flash Player
Release date: August 21, 2012
Last updated: September 24, 2012
Vulnerability identifier: APSB12-19
Priority: See table below
CVE number: CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166,
CVE-2012-4167, CVE-2012-4168, CVE-2012-4171, CVE-2012-5054
Platform: All Platforms
Summary
Adobe has released security updates for Adobe Flash Player 11.3.300.271 and
earlier versions for Windows, Macintosh and Linux, Adobe Flash Player
11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player
11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates
address vulnerabilities that could cause a crash and potentially allow an
attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest
versions:
Users of Adobe Flash Player 11.3.300.271 and earlier versions for Windows
and Macintosh should update to Adobe Flash Player 11.4.402.265.
Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux
should update to Adobe Flash Player 11.2.202.238.
Flash Player installed with Google Chrome will automatically be updated to
the latest Google Chrome version, which will include Adobe Flash Player
11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for
Macintosh.
Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x
devices should update to Adobe Flash Player 11.1.115.17.
Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android
3.x and earlier versions should update to Flash Player 11.1.111.16.
Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to
Adobe AIR 3.4.0.2540.
Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update
to the Adobe AIR 3.4.0.2540 SDK.
Users of the Adobe AIR 3.3.0.3650 and earlier versions for Android should
update to the Adobe AIR 3.4.0.2540.
Affected software versions
Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh
and Linux operating systems
Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
Adobe AIR 3.3.0.3650 and earlier versions for Android
To verify the version of Adobe Flash Player installed on your system, access
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use
multiple browsers, perform the check for each browser you have installed on
your system.
To verify the version of Adobe Flash Player for Android, go to Settings >
Applications > Manage Applications > Adobe Flash Player x.x.
To verify the version of Adobe AIR installed on your system, follow the
instructions in the Adobe AIR TechNote.
Solution
Adobe recommends users update their software installations by following the
instructions below:
Adobe recommends users of Adobe Flash Player 11.3.300.271 and earlier
versions for Windows and Macintosh should update to the newest version
11.4.402.265 by downloading it from the Adobe Flash Player Download Center.
Windows users and users of Adobe Flash Player 10.3.x or later for Macintosh
can also install the update via the update mechanism within the product
when prompted.
Adobe recommends users of Adobe Flash Player 11.2.202.236 and earlier
versions for Linux should update to Adobe Flash Player 11.2.202.238 by
downloading it from the Adobe Flash Player Download Center.
For users who cannot update to Flash Player 11.4.402.265, Adobe has
developed a patched version of the Flash Player 10.x branch, Flash Player
10.3.183.23, which is available for download from Adobe. Note that this build
is fixed even though its version number is lower than 11.4.402.265, so a
version check must treat the 10.3.x branch separately.
Flash Player installed with Google Chrome will automatically be updated to
the latest Google Chrome version, which will include Adobe Flash Player
11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for
Macintosh.
Adobe Flash Player 11.1.115.17 for Android 4.x and Flash Player 11.1.111.16
for Android 3.x and 2.x are delivered as updates only to devices that already
had Flash Player installed prior to August 15, 2012. Users of Flash Player
11.1.115.11 and earlier (Android 4.x) or 11.1.111.10 and earlier (Android 3.x
and 2.x) on such devices should install those updates.
Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to
Adobe AIR 3.4.0.2540.
Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update
to the Adobe AIR 3.4.0.2540 SDK.
Users of the Adobe AIR 3.3.0.3650 and earlier versions for Android should
update to Adobe AIR 3.4.0.2540 by browsing to Google Play or the Amazon
Marketplace on an Android device.
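The version-verification steps and the per-platform fixed builds above reduce to one rule: a build is fixed only if it is on a branch Adobe patched and is at or above that branch's fixed build. The script below applies that rule to an inventory of installed versions. It is an added example for this bulletin, not code from Adobe or AusCERT; the version numbers are the bulletin's, while the platform labels, the hostnames and the inventory rows are assumptions made up for illustration. It covers the edge cases a naive ">= 11.4.402.265" check gets wrong: the separately patched 10.3.183.23 branch, the Chrome bundle's 11.3.31.230 numbering, and numeric rather than string comparison of dotted versions.

```python
"""Triage inventoried Flash Player / AIR versions against the fixed builds
listed in APSB12-19.

Added example for this bulletin, not Adobe's or AusCERT's own code. The
platform labels, the inventory rows and the output format are assumptions
made for the example; the version numbers are taken from the bulletin.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed build per platform, keyed by release branch (major, minor). A build is
# fixed only if it sits on a branch listed for its platform and is at or above
# that branch's fixed build. The separate 10.3.183.23 entry is why a plain
# ">= 11.4.402.265" test would be wrong for Windows and Macintosh.
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "windows":          {(11, 4): (11, 4, 402, 265), (10, 3): (10, 3, 183, 23)},
    "macintosh":        {(11, 4): (11, 4, 402, 265), (10, 3): (10, 3, 183, 23)},
    "linux":            {(11, 2): (11, 2, 202, 238)},
    "chrome-windows":   {(11, 3): (11, 3, 31, 230)},
    "chrome-linux":     {(11, 3): (11, 3, 31, 230)},
    "chrome-macintosh": {(11, 4): (11, 4, 402, 265)},
    "android-4":        {(11, 1): (11, 1, 115, 17)},
    "android-3-2":      {(11, 1): (11, 1, 111, 16)},
    "air":              {(3, 4): (3, 4, 0, 2540)},
}


def parse_version(text: str) -> Version:
    """Turn '11.4.402.265' into (11, 4, 402, 265), padding short strings with 0.

    Tuples of ints compare numerically, so 11.4.402.265 > 11.3.300.271 and
    11.3.31.230 < 11.3.300.271; comparing the raw strings would get the
    second case backwards because '1' sorts after '0'.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_fixed(platform: str, version: str) -> bool:
    """True if this build is at or above the fixed build for its platform."""
    branches = FIXED[platform.lower()]
    v = parse_version(version)
    fixed = branches.get(v[:2])
    if fixed is None:
        # Branch without its own patched build (e.g. 11.3.x on Windows): only a
        # build newer than every fixed build for the platform counts as fixed.
        fixed = max(branches.values())
    return v >= fixed


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Label each (host, platform, version) row as 'fixed' or 'UPDATE'."""
    out = []
    for host, platform, version in inventory:
        status = "fixed" if is_fixed(platform, version) else "UPDATE"
        out.append((host, platform, version, status))
    return out


# Constructed inventory rows; hostnames and assignments are made up for the example.
SAMPLE_INVENTORY = [
    ("ws01", "windows", "11.3.300.271"),        # affected, needs 11.4.402.265
    ("ws02", "windows", "11.4.402.265"),        # fixed
    ("ws03", "windows", "10.3.183.23"),         # fixed via the patched 10.x branch
    ("ws04", "windows", "10.3.183.20"),         # older 10.x build, still affected
    ("lx01", "linux", "11.2.202.236"),          # affected, needs 11.2.202.238
    ("cr01", "chrome-windows", "11.3.31.230"),  # Chrome bundle, fixed
    ("and1", "android-4", "11.1.115.11"),       # affected, needs 11.1.115.17
    ("air1", "air", "3.3.0.3670"),              # affected, needs 3.4.0.2540
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-5s %-16s %-13s %s" % row)
```

Feed it the versions collected from each browser (the bulletin notes that each installed browser must be checked separately) and from Chrome's bundled player, using the Chrome platform labels for the latter, since Chrome's fixed build on Windows and Linux carries a lower number than the stand-alone player's.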
Priority and Severity ratings
Adobe categorizes these updates with the following priority ratings and
recommends users update their installations to the newest versions:
Product             Updated Version   Platform                          Priority Rating
Adobe Flash Player  11.4.402.265      Windows                           1
                    11.4.402.265      Macintosh                         2
                    11.2.202.238      Linux                             3
                    11.1.115.17       Android 4.x                       3
                    11.1.111.16       Android 3.x and 2.x               3
Adobe AIR           3.4.0.2540        Windows and Macintosh             3
                    3.4.0.2540        SDK (including AIR for iOS)       3
                                      and Android
These updates address critical vulnerabilities in the software.
Details
These updates resolve memory corruption vulnerabilities that could lead to code
execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).
These updates resolve an integer overflow vulnerability that could lead to code
execution (CVE-2012-4167).
These updates resolve a cross-domain information leak vulnerability
(CVE-2012-4168).
These updates resolve a crash caused by a logic error involving multiple
dialogs in Firefox (CVE-2012-4171).
These updates resolve a Matrix3D integer overflow vulnerability that could
lead to code execution (CVE-2012-5054).
Affected software                        Recommended player update  Availability
Flash Player 11.3.300.271 and earlier    11.4.402.265               Flash Player Download Center
  for Windows and Macintosh
Flash Player 11.3.300.271 and earlier    11.4.402.265               Flash Player Licensing
  - network distribution
Flash Player 11.2.202.236 and earlier    11.2.202.238               Flash Player Download Center
  for Linux
Flash Player 11.1.115.11 and earlier     11.1.115.17                Update to devices that already have
  for Android 4.x                                                   Flash Player installed prior to
                                                                    August 15, 2012
Flash Player 11.1.111.10 and earlier     11.1.111.16                Update to devices that already have
  for Android 3.x and 2.x                                           Flash Player installed prior to
                                                                    August 15, 2012
Flash Player 11.3.300.271 and earlier    11.3.31.230                Google Chrome Releases
  for Chrome users (Windows and Linux)
Flash Player 11.3.300.271 and earlier    11.4.402.265               Google Chrome Releases
  for Chrome users (Macintosh)
AIR 3.3.0.3670 and earlier for           3.4.0.2540                 AIR Download Center
  Windows and Macintosh
AIR 3.3.0.3690 SDK (includes AIR for     3.4.0.2540                 AIR SDK Download
  iOS) and earlier
AIR 3.3.0.3650 and earlier for Android   3.4.0.2540                 Google Play (browse to on an
                                                                    Android device)
                                                                    Amazon Marketplace (browse to on
                                                                    an Android device)
Acknowledgments
Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:
Xu Liu of Fortinet's FortiGuard Labs (CVE-2012-4163)
Will Dormann of CERT (CVE-2012-4164)
Honggang Ren of Fortinet's FortiGuard Labs (CVE-2012-4165, CVE-2012-4166)
Alexander Gavrun through iDefense's Vulnerability Contributor Program
(CVE-2012-4167)
Claudio Santambrogio of Opera Software ASA (CVE-2012-4168)
Attila Suszter (CVE-2012-4171)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----