Date: 08 May 2012
References: ESB-2012.0490 ESB-2012.0731
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0440
Security update available for Adobe Flash Player
8 May 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adobe Flash Player
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Remote with User Interaction
Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-0779
Original Bulletin:
http://www.adobe.com/support/security/bulletins/apsb12-09.html
Comment: There are reports that the vulnerability is being exploited in the
wild in active targeted attacks designed to trick the user into
clicking on a malicious file delivered in an email message.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update available for Adobe Flash Player
Release date: May 4, 2012
Vulnerability identifier: APSB12-09
Priority: See table below
CVE number: CVE-2012-0779
Platform: All Platforms
Summary
Adobe released security updates for Adobe Flash Player 11.2.202.233 and earlier
versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and
earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier
versions for Android 3.x and 2.x. These updates address an object confusion
vulnerability (CVE-2012-0779) that could cause the application to crash and
potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in
active targeted attacks designed to trick the user into clicking on a malicious
file delivered in an email message. The exploit targets Flash Player on
Internet Explorer for Windows only.
Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier versions
for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235.
Flash Player installed with Google Chrome was updated automatically, so no user
action is required. Users of Adobe Flash Player 11.1.115.7 and earlier versions
on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of
Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier
versions should update to Flash Player 11.1.111.9.
Affected software versions
Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh
and Linux operating systems
Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and
Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and
2.x
To verify the version of Adobe Flash Player installed on your system, access
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use
multiple browsers and did not choose to receive updates silently (Windows users
only at this time), perform the check for each browser you have installed on
your system.
To verify the version of Adobe Flash Player for Android, go to Settings >
Applications > Manage Applications > Adobe Flash Player x.x.
Solution
Adobe recommends users update their software installations by following the
instructions below:
Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier versions
for Windows, Macintosh, and Linux update to the newest version 11.2.202.235 by
downloading it from the Adobe Flash Player Download Center. Windows users of
Flash Player 11.2.x who have selected the silent update option will receive the
update automatically. Windows users who do not have the silent update option
enabled and users of Adobe Flash Player 10.3.x or later for Macintosh can
install the update via the update mechanism within the product when prompted.
Flash Player installed with Google Chrome was updated automatically, so no user
action is required.
For users who cannot update to Flash Player 11.2.202.235, Adobe has developed a
patched version of Flash Player 10.x, Flash Player 10.3.183.19, which can be
downloaded here.
Users of Adobe Flash Player 11.1.115.7 and earlier versions on Android 4.x
devices should update to Adobe Flash Player 11.1.115.8 by browsing to Google
play on an Android device. Users of Adobe Flash Player 11.1.111.8 and earlier
versions for Android 3.x and earlier versions should update to Flash Player
11.1.111.9 by browsing to Google play on an Android device.
Priority and Severity ratings
Adobe categorizes these updates with the following priority ratings and
recommends users update their installations to the newest versions:
Product
Updated Version
Platform
Priority Rating
Adobe Flash Player 11.2.202.235 Windows 1
11.2.202.235 Macintosh and Linux 2
11.1.115.8 Android 4.x 2
11.1.111.9 Android 3.x and 2.x 2
These updates address a critical vulnerability in the software.
Details
Adobe released security updates for Adobe Flash Player 11.2.202.233 and
earlier versions for Windows, Macintosh and Linux, Adobe Flash Player
11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player
11.1.111.8 and earlier versions for Android 3.x and 2.x. These updates address
an object confusion vulnerability (CVE-2012-0779) that could cause the
application to crash and potentially allow an attacker to take control of the
affected system. There are reports that the vulnerability is being exploited in
the wild in active targeted attacks designed to trick the user into clicking on
a malicious file delivered in an email message. The exploit targets Flash
Player on Internet Explorer for Windows only.
Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier versions
for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235.
Flash Player installed with Google Chrome was updated automatically, so no user
action is required. Users of Adobe Flash Player 11.1.115.7 and earlier versions
on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of
Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier
versions should update to Flash Player 11.1.111.9.
Affected software Recommended player update Availability
Flash Player 11.2.202.233 and earlier 11.2.202.235 Flash Player Download Center
Flash Player 11.1.102.63 and earlier - 11.2.202.235 Flash Player Licensing
network distribution
Flash Player 11.1.115.7 and earlier 11.1.115.8 Google play
for Android 4.x (browse to on an Android device)
Flash Player 11.1.111.8 and earlier 11.1.111.9 Google play
for Android 3.x and 2.x (browse to on an Android device)
Acknowledgments
Adobe would like to thank Microsoft Vulnerability Research (MSVR) for
reporting this issue and for working with Adobe to help protect our customers.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT6iP/O4yVqjM2NGpAQJ3TBAAv6umIrTCbT32rCGJdQNDP7dPekAumsRh
PqNVxbWxbwHq6ROvC9j4EAHuiv9O8aJqpXTf+NGpik427Vske8b00okYrgKg8Lxd
p78Vov+CJwaZNomrgq2nnmJChCtt/+Ud+X0wQNGiWinfvwQLOHBxwu4Hcm7Nxnvz
U1KKoogqa+fhFWsJS6Y/L3LW4RGa5F6LY7oetuZu/O58ElGpZImhaOgKBay/IH4B
rDSDduAjN7zyJ5ybLpwUROYXX3RKm7b81fuG2EegUHPZGhndUG5xvM15U9MuJVC/
JVYq9WVhblR/cQsFvJ2/TndG/4pbe3GFZib4qk3EVmfUF3ize6PqHa9NXHOZW+Fg
VlkYoDRx1fJaGIj867YJojeM6GbpJwHJuyhLRPxsufi6KZrajOUUra4P4Uskc0ZX
GL9+EIX1jCL4xpRm29Lh9zUlfTxXetuoQxAJkTppPWGIRDJvdWRV1Y6O1UVvywE3
MGJzax1a/LRB14s20T7gSMY8zzfYsgKrsxy8FlaB/zCs3our/qe4f/p2AFBgiAQG
APWy8+wYyg9bubi05Dr3pv0dFiefGcVSweRtxvH5YDJExit7n7l0wrGpqJEuk2nY
m59bYyPwEo3TcMaBrEsXcVlHlbUczISpqeEGVFZq4Y9gs+rhjsMlaZ7z15Ek+dec
ahPM31I1iso=
=/5At
-----END PGP SIGNATURE-----
|