ESB-2012.0526 - [Win][UNIX/Linux][OSX] Adobe Flash Player: Multiple vulnerabilities

Date: 12 June 2012
References: ESB-2012.0543  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0526
             Security update available for Adobe Flash Player
                               12 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
                   Adobe Air
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Mobile Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2040 CVE-2012-2039 CVE-2012-2038
                   CVE-2012-2037 CVE-2012-2036 CVE-2012-2035
                   CVE-2012-2034  

Original Bulletin: 
   http://www.adobe.com/support/security/bulletins/apsb12-14.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for Adobe Flash Player

Release date: June 8, 2012

Vulnerability identifier: APSB12-14

Priority: See table below

CVE number: CVE-2012-2034, CVE-2012-2035, CVE-2012-2036, CVE-2012-2037,
CVE-2012-2038, CVE-2012-2039, CVE-2012-2040

Platform: All Platforms

SUMMARY

Adobe released security updates for Adobe Flash Player 11.2.202.235 and
earlier versions for Windows, Macintosh and Linux, Adobe Flash Player
11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player
11.1.111.9 and earlier versions for Android 3.x and 2.x. These updates
address vulnerabilities that could cause a crash and potentially allow
an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest
versions:

o Users of Adobe Flash Player 11.2.202.235 and earlier versions for
Windows and Macintosh should update to Adobe Flash Player 11.3.300.257.

o Users of Adobe Flash Player 11.2.202.235 and earlier versions for
Linux should update to Adobe Flash Player 11.2.202.236.

o Flash Player installed with Google Chrome will be updated automatically,
so no user action is required. Google Chrome users can verify that they
have updated to Google Chrome version 19.0.1084.56, which includes Adobe
Flash Player 11.3.300.257.

o Users of Adobe Flash Player 11.1.115.8 and earlier versions on Android
4.x devices should update to Adobe Flash Player 11.1.115.9.

o Users of Adobe Flash Player 11.1.111.9 and earlier versions for Android
3.x and earlier versions should update to Flash Player 11.1.111.10.

o Users of Adobe AIR 3.2.0.2070 for Windows, Macintosh and Android should
update to Adobe AIR 3.3.0.3610.

AFFECTED SOFTWARE VERSIONS

o Adobe Flash Player 11.2.202.235 and earlier versions for Windows,
Macintosh and Linux operating systems

o Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and
Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x

o Adobe AIR 3.2.0.2070 and earlier versions for Windows, Macintosh
and Android

To verify the version of Adobe Flash Player installed on your system,
access the About Flash Player page, or right-click on content running
in Flash Player and select "About Adobe (or Macromedia) Flash Player"
from the menu. If you use multiple browsers, perform the check for each
browser you have installed on your system.

To verify the version of Adobe Flash Player for Android, go to Settings >
Applications > Manage Applications > Adobe Flash Player x.x.

To verify the version of Adobe AIR installed on your system, follow the
instructions in the Adobe AIR TechNote.

SOLUTION

Adobe recommends users update their software installations by following
the instructions below:

o Adobe recommends that users of Adobe Flash Player 11.2.202.235 and earlier
versions for Windows and Macintosh update to the newest version
11.3.300.257 by downloading it from the Adobe Flash Player Download
Center. Windows users of Flash Player 11.2.x who have selected the silent
update option will receive the update automatically. Windows users who
do not have the silent update option enabled and users of Adobe Flash
Player 10.3.x or later for Macintosh can also install the update via
the update mechanism within the product when prompted.

o Adobe recommends that users of Adobe Flash Player 11.2.202.235 and earlier
versions for Linux update to Adobe Flash Player 11.2.202.236 by
downloading it from the Adobe Flash Player Download Center.

o Flash Player installed with Google Chrome will be updated automatically,
so no user action is required. Google Chrome users can verify that they
have updated to Google Chrome version 19.0.1084.56, which includes Adobe
Flash Player 11.3.300.257.

o For users who cannot update to Flash Player 11.3.300.257, Adobe
has developed a patched version of Flash Player 10.x, Flash Player
10.3.183.20, which can be downloaded here.

o Users of Adobe Flash Player 11.1.115.8 and earlier versions on Android
4.x devices should update to Adobe Flash Player 11.1.115.9 by browsing to
Google play on an Android device.

o Users of Adobe Flash Player 11.1.111.9 and earlier versions for Android
3.x and earlier versions should update to Flash Player 11.1.111.10 by
browsing to Google play on an Android device.

o Adobe recommends that users of Adobe AIR 3.2.0.207 and earlier versions
for Windows, Macintosh and Android update to Adobe AIR 3.3.0.3610.
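As an added example (not part of the Adobe bulletin or of AusCERT's text), the following Python check applies the affected/fixed version pairs listed in the sections above to an inventory of installed builds, and handles the one edge case a naive "older than 11.3.300.257" test gets wrong: the patched Flash Player 10.3.183.20 branch. The platform keys and the inventory rows are constructed for illustration.

```python
from typing import List, Tuple

# Fixed versions taken from the bulletin, keyed by (product, platform).
# "android3" also covers Android 2.x; for "chrome" the Google Chrome build
# that bundles Flash 11.3.300.257 is what gets compared.
FIXED = {
    ("flash", "windows"):   (11, 3, 300, 257),
    ("flash", "macintosh"): (11, 3, 300, 257),
    ("flash", "linux"):     (11, 2, 202, 236),
    ("flash", "android4"):  (11, 1, 115, 9),
    ("flash", "android3"):  (11, 1, 111, 10),
    ("flash", "chrome"):    (19, 0, 1084, 56),
    ("air", "windows"):     (3, 3, 0, 3610),
    ("air", "macintosh"):   (3, 3, 0, 3610),
    ("air", "android"):     (3, 3, 0, 3610),
}
# Patched 10.x build the bulletin offers to Windows/Macintosh users who cannot
# move to 11.3; a naive "older than 11.3.300.257" test would misflag it.
FLASH_10_PATCHED = (10, 3, 183, 20)

def parse_version(text: str) -> Tuple[int, ...]:
    """'11.2.202.235' -> (11, 2, 202, 235); numeric so that 11.10 > 11.3."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product: str, platform: str, installed: str) -> bool:
    """True if the installed build is older than this bulletin's fixed version."""
    key = (product.lower(), platform.lower())
    if key not in FIXED:
        raise KeyError(f"APSB12-14 lists no fixed version for {key}")
    v = parse_version(installed)
    if key in (("flash", "windows"), ("flash", "macintosh")) and v[:2] == (10, 3):
        return v < FLASH_10_PATCHED  # 10.3.183.20 and later 10.3.x are patched
    return v < FIXED[key]

# Constructed sample inventory: (hostname, product, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws01", "flash", "windows", "11.2.202.235"),
    ("ws02", "flash", "windows", "10.3.183.20"),
    ("lx01", "flash", "linux", "11.2.202.235"),
    ("tab01", "air", "android", "3.3.0.3610"),
]

def audit(inventory) -> List[str]:
    """Hostnames whose installed build is still affected by APSB12-14."""
    return [h for h, prod, plat, ver in inventory if is_affected(prod, plat, ver)]
```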

PRIORITY AND SEVERITY RATINGS

Adobe categorizes these updates with the following priority ratings and
recommends users update their installations to the newest versions:

Product             Updated Version   Platform                          Priority Rating
Adobe Flash Player  11.3.300.257      Windows and Macintosh             2
                    11.2.202.236      Linux                             3
                    11.1.115.9        Android 4.x                       3
                    11.1.111.10       Android 3.x and 2.x               3
Adobe AIR           3.3.0.3610        Windows, Macintosh, and Android   3

These updates will address critical vulnerabilities in the software.

DETAILS

Adobe released security updates for Adobe Flash Player 11.2.202.235 and
earlier versions for Windows, Macintosh and Linux, Adobe Flash Player
11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player
11.1.111.9 and earlier versions for Android 3.x and 2.x. These updates
address vulnerabilities that could cause a crash and potentially allow
an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest
versions:

o Users of Adobe Flash Player 11.2.202.235 and earlier versions for
Windows and Macintosh should update to Adobe Flash Player 11.3.300.257.

o Users of Adobe Flash Player 11.2.202.235 and earlier versions for
Linux should update to Adobe Flash Player 11.2.202.236.

o Flash Player installed with Google Chrome will be updated automatically,
so no user action is required. Google Chrome users can verify that they
have updated to Google Chrome version 19.0.1084.56, which includes Adobe
Flash Player 11.3.300.257.

o Users of Adobe Flash Player 11.1.115.8 and earlier versions on Android
4.x devices should update to Adobe Flash Player 11.1.115.9.

o Users of Adobe Flash Player 11.1.111.9 and earlier versions for Android
3.x and earlier versions should update to Flash Player 11.1.111.10.

o Users of Adobe AIR 3.2.0.2070 for Windows, Macintosh and Android should
update to Adobe AIR 3.3.0.3610.

These updates resolve a memory corruption vulnerability that could lead
to code execution (CVE-2012-2034).

These updates resolve a stack overflow vulnerability that could lead to
code execution (CVE-2012-2035).

These updates resolve an integer overflow vulnerability that could lead
to code execution (CVE-2012-2036).

These updates resolve a memory corruption vulnerability that could lead
to code execution (CVE-2012-2037).

These updates resolve a security bypass vulnerability that could lead
to information disclosure (CVE-2012-2038).

These updates resolve null dereference vulnerabilities that could lead
to code execution (CVE-2012-2039).

These updates resolve a binary planting vulnerability in the Flash Player
installer that could lead to code execution (CVE-2012-2040).

Affected software                       Recommended player update  Availability
--------------------------------------  -------------------------  ----------------------------
Flash Player 11.2.202.235 and earlier   11.3.300.257               Flash Player Download Center
  for Windows and Macintosh
Flash Player 11.2.202.235 and earlier   11.3.300.257               Flash Player Licensing
  - network distribution
Flash Player 11.2.202.235 and earlier   11.2.202.236               Flash Player Download Center
  for Linux
Flash Player 11.1.115.8 and earlier     11.1.115.9                 Google play (browse to on
  for Android 4.x                                                  an Android device)
Flash Player 11.1.111.9 and earlier     11.1.111.10                Google play (browse to on
  for Android 3.x and 2.x                                          an Android device)
Flash Player 11.2.202.235 and earlier   11.3.300.257               Google Chrome Releases
  for Chrome users
AIR 3.2.0.2070                          3.3.0.3610                 AIR Download Center
AIR 3.2.0.2070 for Android              3.3.0.3610                 Google play (browse to on
                                                                   an Android device)


ACKNOWLEDGMENTS

Adobe would like to thank the following individuals and organizations
for reporting the relevant issues and for working with Adobe to help
protect our customers:

wushi of team509 through iDefense's Vulnerability Contributor Program
(CVE-2012-2034)

Manuel Caballero at Microsoft Vulnerability Research (MSVR) (CVE-2012-2035)

Haifei Li at Microsoft Malware Protection Center (MMPC) and Microsoft
Vulnerability Research (MSVR) (CVE-2012-2036)

Kai Lu of Fortinet's FortiGuard Labs (CVE-2012-2037)

Mitsuaki Shiraishi (Symantec Japan, Inc.) (CVE-2012-2038)

Tavis Ormandy of the Google Security Team (CVE-2012-2039)

An anonymous reporter (CVE-2012-2040)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================