copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.2338 - ALERT [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilities

Date: 10 December 2014
References: ASB-2014.0140  ESB-2014.2347  ESB-2014.2352  ESB-2014.2394  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2338
             Security updates available for Adobe Flash Player
                             10 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Windows
                   Linux variants
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9164 CVE-2014-9163 CVE-2014-9162
                   CVE-2014-8443 CVE-2014-0587 CVE-2014-0580

Original Bulletin: 
   http://helpx.adobe.com/security/products/flash-player/apsb14-27.html

Comment: Adobe is aware of reports that an exploit for CVE-2014-9163 exists 
         in the wild.

- --------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Release date: December 9, 2014

Vulnerability identifier: APSB14-27

Priority: See table below

CVE number: CVE-2014-0580, CVE-2014-0587, CVE-2014-8443, CVE-2014-9162,
CVE-2014-9163, CVE-2014-9164

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player for Windows,
Macintosh and Linux.  These updates address vulnerabilities that could
potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that an exploit for CVE-2014-9163 exists in
the wild, and recommends users update their product installations to the
latest versions:

    Users of the Adobe Flash Player desktop runtime for Windows and
    Macintosh should update to Adobe Flash Player 16.0.0.235.

    Users of the Adobe Flash Player Extended Support Release should update
    to Adobe Flash Player 13.0.0.259.

    Users of Adobe Flash Player for Linux should update to Adobe Flash
    Player 11.2.202.425.

    Adobe Flash Player installed with Google Chrome, as well as Internet
    Explorer on Windows 8.x, will automatically update to the current
    version.

Note: Users who have been updated to version 15.0.0.246 are not affected
by CVE-2014-9163.

Affected software versions

    Adobe Flash Player 15.0.0.242 and earlier versions

    Adobe Flash Player 13.0.0.258 and earlier 13.x versions

    Adobe Flash Player 11.2.202.424 and earlier versions for Linux

To verify the version of Adobe Flash Player installed on your system,
access the About Flash Player page, or right-click on content running
in Flash Player and select "About Adobe (or Macromedia) Flash Player"
from the menu. If you use multiple browsers, perform the check for each
browser you have installed on your system.
Solution

Adobe recommends users update their software installations by following
the instructions below:

    Adobe recommends users of the Adobe Flash Player desktop runtime
    for Windows and Macintosh update to Adobe Flash Player 16.0.0.235 by
    visiting the Adobe Flash Player Download Center, or via the update 
    mechanism within the product when prompted.

    Adobe recommends users of the Adobe Flash Player Extended
    Support Release should update to version 13.0.0.259 by visiting
    http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.

    Adobe recommends users of Adobe Flash Player for Linux update to
    Adobe Flash Player 11.2.202.425 by visiting the Adobe Flash Player
    Download Center.

    Adobe Flash Player installed with Google Chrome will be automatically
    updated to the latest Google Chrome version, which will include Adobe
    Flash Player 16.0.0.235.

    Adobe Flash Player installed with Internet Explorer for Windows 8.x
    will be automatically updated to the latest version, which will include
    Adobe Flash Player 16.0.0.235.

Priority and severity ratings

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

Product			Affected versions	Platform	Priority rating

Adobe Flash Player 	15.0.0.239 and 		Windows and 	1
Desktop Runtime		earlier			Macintosh

	

Adobe Flash Player 	13.0.0.258 and 		Windows and	1
Extended Support 	earlier			Macintosh
Release

Adobe Flash Player for 	15.0.0.239 and		Windows, 	1
Google Chrome		earlier (Windows)	Macintosh and 
			15.0.0.242 and 		Linux
			earlier (Macintosh)

Adobe Flash Player for 	15.0.0.239 and 		Windows 8.0 and	1
Internet Explorer 10 	earlier			8.1
and Internet Explorer 
11

Adobe Flash Player	11.2.202.424 and 	Linux		3
			earlier

These updates address critical vulnerabilities in the software.

Details

Adobe has released security updates for Adobe Flash Player for Windows,
Macintosh and Linux.  These updates address vulnerabilities that could
potentially allow an attacker to take control of the affected system. Adobe
recommends users update their product installations to the latest versions:

    Users of the Adobe Flash Player desktop runtime for Windows and
    Macintosh should update to Adobe Flash Player 16.0.0.235.

    Users of the Adobe Flash Player Extended Support Release should update
    to Adobe Flash Player 13.0.0.259.

    Users of Adobe Flash Player for Linux should update to Adobe Flash
    Player 11.2.202.425.

    Adobe Flash Player installed with Google Chrome, as well as Internet
    Explorer on Windows 8.x, will automatically update to the current
    version.

These updates resolve memory corruption vulnerabilities that could lead
to code execution (CVE-2014-0587, CVE-2014-9164).

These updates resolve a use-after-free vulnerability that could lead to
code execution (CVE-2014-8443).

These updates resolve a stack-based buffer overflow vulnerability that
could lead to code execution (CVE-2014-9163).

These updates resolve an information disclosure vulnerability
(CVE-2014-9162).

These updates resolve a vulnerability that could be exploited to circumvent
the same-origin policy (CVE-2014-0580).

Affected Software	Recommended Player Update	Availability

Flash Player Desktop 	16.0.0.235			Flash Player Download 
Runtime							Center
							Flash Player 
							Distribution

Flash Player Extended 	13.0.0.259			Extended Support
Support Release


Flash Player for Linux	11.2.202.425			Flash Player Download 
							Center

Flash Player for Google 16.0.0.235			Google Chrome Releases
Chrome

Flash Player for 	16.0.0.235			Microsoft Security 
Internet Explorer 10 					Advisory
and Internet Explorer 
11

Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect
our customers:

    bilou working with HP's Zero Day Initiative (CVE-2014-9163)

    Fermin J. Serna, Mateusz Jurczyk and Ben Hawkes of Google Security Team
    (CVE-2014-0587)

    Haifei Li of McAfee Labs IPS Team (CVE-2014-8443)

    Tavis Ormandy and Chris Evans of Google Project Zero (CVE-2014-9164)

    Toshiharu Sugiyama of DeNA Co., Ltd. (CVE-2014-0580)

    Wen Guanxing from Venustech ADLAB working with HP's Zero Day Initiative
    (CVE-2014-9162)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVIeEXRLndAQH1ShLAQL1+w/8Cl3QVj8it2y+nTy9Kp3SwAGf1odMDlFS
l1ik2+Rfvp/GEWPlky7gbj7CkoEyhJo+L2TSjvbHM+VZJsMgiHyC++mXtbhu0LHQ
6Q4FUhGNVe3/axpDw/sfiyKmR06mGlWsyC0NluF4R0pifsvDBfUIG1wVDQkxpNa7
Litom6hw6IXRzOfGtVszT3t21n3o2HK/G6KVaGHTegff7GxtCoEPA2x3KZDw54qH
xE9fkPBPy9CZ3HZ579UQ760x8diwwsrzcnNJ09vsa0ThI12GvLFkCzCk6OwawS8z
dfOsGYFQ1JDlO2s3odRW9jPBsii12A32V1OwRPTWIiqxJ4rZr7B2m4D3x058xMMd
d9HhKegc69z5WB7+USzPRz6hYygDHmHdDxVrVf1pdStpAHWb+XU1QpqMpun2MrZX
o291a1jgDoVQB+vM66aAm57LIALulpxvLTtxlJapWvASfNzhm1gtCHJquCWkdsbA
GNQY4WS/WN8G7ySYccfMU39901/i5CmrH+JTbpX7zCyMP+TcDiRyAGfp0qxVgcKu
r99TnvsguG8z1ZtHE7rO6yRKm7sc7cTxrJ0kw2oaQnkFh9zG5RMDP7Oq3mxxNI77
hAhlWkW7F9M6N3I1kWkwVjtzgk0/a1NwI8oaJWMWbUkP7ImxVzOw8hUpnXQJ10Sr
sRIuv9JX/xM=
=ThpQ
-----END PGP SIGNATURE-----