-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0331
         Multiple vulnerabilities identified in Adobe Flash Player
                             10 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Windows
                   OS X
                   Linux variants
                   Android
                   Apple iOS
                   ChromeOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0985 CVE-2016-0984 CVE-2016-0983
                   CVE-2016-0982 CVE-2016-0981 CVE-2016-0980
                   CVE-2016-0979 CVE-2016-0978 CVE-2016-0977
                   CVE-2016-0976 CVE-2016-0975 CVE-2016-0974
                   CVE-2016-0973 CVE-2016-0972 CVE-2016-0971
                   CVE-2016-0970 CVE-2016-0969 CVE-2016-0968
                   CVE-2016-0967 CVE-2016-0966 CVE-2016-0965
                   CVE-2016-0964  

Original Bulletin: 
   https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Release date: February 9, 2016

Vulnerability identifier: APSB16-04

Priority: See table below

CVE number: CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, 
CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0971, CVE-2016-0972, 
CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0976, CVE-2016-0977, 
CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981, CVE-2016-0982, 
CVE-2016-0983, CVE-2016-0984, CVE-2016-0985

Platform: Windows, Macintosh and Linux

Summary

Adobe has released security updates for Adobe Flash Player. These updates 
address critical vulnerabilities that could potentially allow an attacker to 
take control of the affected system.

Affected Versions

Product                                                         Affected Versions         Platform

Adobe Flash Player Desktop Runtime                              20.0.0.286 and earlier    Windows and Macintosh
Adobe Flash Player Extended Support Release                     18.0.0.326 and earlier    Windows and Macintosh
Adobe Flash Player for Google Chrome                            20.0.0.286 and earlier    Windows, Macintosh, Linux and ChromeOS
Adobe Flash Player for Microsoft Edge and Internet Explorer 11  20.0.0.272 and earlier    Windows 10
Adobe Flash Player for Internet Explorer 11                     20.0.0.272 and earlier    Windows 8.1
Adobe Flash Player for Linux                                    11.2.202.559 and earlier  Linux
AIR Desktop Runtime                                             20.0.0.233 and earlier    Windows and Macintosh
AIR SDK                                                         20.0.0.233 and earlier    Windows, Macintosh, Android and iOS
AIR SDK & Compiler                                              20.0.0.233 and earlier    Windows, Macintosh, Android and iOS

To verify the version of Adobe Flash Player installed on your system, access 
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you 
use multiple browsers, perform the check for each browser you have installed 
on your system.

To verify the version of Adobe AIR installed on your system, follow the 
instructions in the Adobe AIR TechNote.

Solution

Adobe categorizes these updates with the following priority ratings and 
recommends users update their installation to the newest version:

Product                                                         Updated Versions  Platform                                Priority rating  Availability

Adobe Flash Player Desktop Runtime                              20.0.0.306        Windows and Macintosh                   1                Flash Player Download Center, Flash Player Distribution
Adobe Flash Player Extended Support Release                     18.0.0.329        Windows and Macintosh                   1                Extended Support
Adobe Flash Player for Google Chrome                            20.0.0.306        Windows, Macintosh, Linux and ChromeOS  1                Google Chrome Releases
Adobe Flash Player for Microsoft Edge and Internet Explorer 11  20.0.0.306        Windows 10                              1                Microsoft Security Advisory
Adobe Flash Player for Internet Explorer 11                     20.0.0.306        Windows 8.1                             1                Microsoft Security Advisory
Adobe Flash Player for Linux                                    11.2.202.569      Linux                                   3                Flash Player Download Center
AIR Desktop Runtime                                             20.0.0.260        Windows and Macintosh                   3                AIR Download Center
AIR SDK                                                         20.0.0.260        Windows, Macintosh, Android and iOS     3                AIR SDK Download
AIR SDK & Compiler                                              20.0.0.260        Windows, Macintosh, Android and iOS     3                AIR SDK Download

Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows 
and Macintosh update to 20.0.0.306 via the update mechanism within the product
when prompted [1], or by visiting the Adobe Flash Player Download Center.

Adobe recommends that users of the Adobe Flash Player Extended Support 
Release update to version 18.0.0.329 by visiting 
http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.

Adobe recommends users of Adobe Flash Player for Linux update to Adobe Flash 
Player 11.2.202.569 by visiting the Adobe Flash Player Download Center.

Adobe Flash Player installed with Google Chrome will be automatically updated
to the latest Google Chrome version, which will include Adobe Flash Player 
20.0.0.306 for Windows, Macintosh, Linux and Chrome OS.

Adobe Flash Player installed with Microsoft Edge and Internet Explorer for 
Windows 10 will be automatically updated to the latest version, which will 
include Adobe Flash Player 20.0.0.306.

Adobe Flash Player installed with Internet Explorer for Windows 8.x will be 
automatically updated to the latest version, which will include Adobe Flash 
Player 20.0.0.306.

Adobe recommends users of the AIR desktop runtime, AIR SDK and AIR SDK & 
Compiler update to version 20.0.0.260 by visiting the AIR download center or 
the AIR developer center.

Please visit the Flash Player Help page for assistance in installing Flash 
Player.

[1] Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x
or later for Macintosh, who have selected the option to 'Allow Adobe to 
install updates' will receive the update automatically. Users who do not have
the 'Allow Adobe to install updates' option enabled can install the update via
the update mechanism within the product when prompted.
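
An added example, not part of Adobe's bulletin or of AusCERT's redistribution:
a Python check of a software inventory against the fixed builds in the
Solution table above, comparing version parts as numbers. The product labels,
the host names and the rule that an 18.x install is held to the Extended
Support fix are assumptions of this example.

```python
# Fixed builds from APSB16-04; the keys are labels assumed for this example.
FIXED = {
    "flash": ["20.0.0.306", "18.0.0.329"],   # current release + Extended Support
    "flash-linux": ["11.2.202.569"],
    "air": ["20.0.0.260"],
}


def parse(version):
    """Turn '20.0.0.286' into (20, 0, 0, 286) so parts compare as numbers."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part version: %r" % version)
    return tuple(int(p) for p in parts)


def is_patched(product, version):
    """True if version is at or above the fixed build for its release branch."""
    installed = parse(version)
    fixed = sorted(parse(v) for v in FIXED[product])
    # 18.x is held to the Extended Support fix, other branches to the newest fix.
    same_branch = [f for f in fixed if f[0] == installed[0]]
    target = same_branch[0] if same_branch else fixed[-1]
    return installed >= target


def triage(inventory):
    """Return (host, product, version, status) for every inventory row."""
    report = []
    for host, product, version in inventory:
        try:
            status = "patched" if is_patched(product, version) else "UPDATE"
        except (KeyError, ValueError):
            status = "unrecognised"   # unknown label or malformed version
        report.append((host, product, version, status))
    return report


# Constructed sample inventory; host names and rows are made up.
SAMPLE = [
    ("ws-01", "flash", "20.0.0.286"),
    ("ws-02", "flash", "18.0.0.329"),
    ("ws-03", "flash", "19.0.0.245"),
    ("lx-01", "flash-linux", "11.2.202.559"),
    ("ws-04", "air", "20.0.0.260"),
]

if __name__ == "__main__":
    print("\n".join("%-6s %-12s %-13s %s" % row for row in triage(SAMPLE)))
```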

Vulnerability Details

These updates resolve a type confusion vulnerability that could lead to code 
execution (CVE-2016-0985).

These updates resolve use-after-free vulnerabilities that could lead to code 
execution (CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, 
CVE-2016-0983, CVE-2016-0984).

These updates resolve a heap buffer overflow vulnerability that could lead to
code execution (CVE-2016-0971).

These updates resolve memory corruption vulnerabilities that could lead to 
code execution (CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, 
CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976, 
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981).

Acknowledgments

Anonymously reported through HPE's Zero Day Initiative (CVE-2016-0973, 
CVE-2016-0975)

Ben Hawkes, Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero 
(CVE-2016-0964, CVE-2016-0965, CVE-2016-0967, CVE-2016-0970, CVE-2016-0971, 
CVE-2016-0972)

Natalie Silvanovich of Google Project Zero (CVE-2016-0974, CVE-2016-0984, 
CVE-2016-0985)

Nicolas Joly of Microsoft Vulnerability Research (MSVR) (CVE-2016-0966)

The NSFOCUS Security Team (CVE-2016-0968, CVE-2016-0969, CVE-2016-0976, 
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979)

Wen Guanxing from Venustech ADLAB (CVE-2016-0981, CVE-2016-0982, 
CVE-2016-0983)

Yuki Chen of Qihoo 360 Vulcan Team (CVE-2016-0980)

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----