Date: 14 November 2011
References: ESB-2011.1150 ESB-2011.1154 ESB-2011.1164
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.1149
Security update available for Adobe Flash Player
14 November 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adobe Flash Player
Adobe AIR
Publisher: Adobe
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Mobile Device
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Request Forgery -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2011-2460 CVE-2011-2459 CVE-2011-2458
CVE-2011-2457 CVE-2011-2456 CVE-2011-2455
CVE-2011-2454 CVE-2011-2453 CVE-2011-2452
CVE-2011-2451 CVE-2011-2450 CVE-2011-2445
Original Bulletin:
http://www.adobe.com/support/security/bulletins/apsb11-28.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update available for Adobe Flash Player
Release date: November 10, 2011
Vulnerability identifier: APSB11-28
CVE number: CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452,
CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456,
CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460
Platform: All Platforms
Summary
Critical vulnerabilities have been identified in Adobe Flash Player
11.0.1.152 and earlier versions for Windows, Macintosh, Linux and
Solaris, and Adobe Flash Player 11.0.1.153 and earlier versions for
Android. These vulnerabilities could cause a crash and potentially
allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 11.0.1.152 and earlier
versions for Windows, Macintosh, Linux and Solaris update to Adobe
Flash Player 11.1.102.55. Users of Adobe Flash Player 11.0.1.153 and
earlier versions for Android should update to Adobe Flash Player
11.1.102.59 for Android. Users of Adobe AIR 3.0 for Windows, Macintosh,
and Android should update to Adobe AIR 3.1.0.4880.
Affected software versions
* Adobe Flash Player 11.0.1.152 and earlier versions for Windows,
Macintosh, Linux and Solaris operating systems
* Adobe Flash Player 11.0.1.153 and earlier versions for Android
* Adobe AIR 3.0 and earlier versions for Windows, Macintosh, and
Android
To verify the version of Adobe Flash Player installed on your system,
access the About Flash Player page, or right-click on content
running in Flash Player and select "About Adobe (or Macromedia) Flash
Player" from the menu. If you use multiple browsers, perform the check
for each browser you have installed on your system.
To verify the version of Adobe Flash Player for Android, go to Settings
> Applications > Manage Applications > Adobe Flash Player x.x.
To verify the version of Adobe AIR installed on your system, follow the
instructions in the Adobe AIR TechNote.
Solution
Adobe recommends users of Adobe Flash Player 11.0.1.152 and earlier
versions for Windows, Macintosh, Linux and Solaris upgrade to the
newest version 11.1.102.55 by downloading it from the Adobe Flash
Player Download Center. Windows users and users of Adobe Flash Player
10.3.183.10 or later for Macintosh can install the update via the
update mechanism within the product when prompted.
For users who cannot update to Flash Player 11.1.102.55, Adobe has
developed a patched version of Flash Player 10, Flash Player
10.3.183.11, which can be downloaded here.
Users of Adobe Flash Player 11.0.1.153 and earlier versions for Android
should update to Adobe Flash Player 11.1.102.59 for Android by browsing
to the Android Marketplace on an Android device.
Adobe recommends users of Adobe AIR 3.0 and earlier versions for
Windows, Macintosh, and Android update to Adobe AIR 3.1.0.4880.
Severity rating
Adobe categorizes these as critical updates and recommends users
upgrade their installations to the newest versions.
Details
Critical vulnerabilities have been identified in Adobe Flash Player
11.0.1.152 and earlier versions for Windows, Macintosh, Linux and
Solaris, and Adobe Flash Player 11.0.1.153 and earlier versions for
Android. These vulnerabilities could cause a crash and potentially
allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 11.0.1.152 and earlier
versions for Windows, Macintosh, Linux and Solaris update to Adobe
Flash Player 11.1.102.55. Users of Adobe Flash Player 11.0.1.153 and
earlier versions for Android should update to Adobe Flash Player
11.1.102.59 for Android. Users of Adobe AIR 3.0 for Windows, Macintosh,
and Android should update to Adobe AIR 3.1.0.4880.
This update resolves a memory corruption vulnerability that could lead
to code execution (CVE-2011-2445).
This update resolves a heap corruption vulnerability that could lead to
code execution (CVE-2011-2450).
This update resolves a memory corruption vulnerability that could lead
to code execution (CVE-2011-2451).
This update resolves a memory corruption vulnerability that could lead
to code execution (CVE-2011-2452).
This update resolves a memory corruption vulnerability that could lead
to code execution (CVE-2011-2453).
This update resolves a memory corruption vulnerability that could lead
to code execution (CVE-2011-2454).
This update resolves a memory corruption vulnerability that could lead
to code execution (CVE-2011-2455).
This update resolves a buffer overflow vulnerability that could lead to
code execution (CVE-2011-2456).
This update resolves a stack overflow vulnerability that could lead to
code execution (CVE-2011-2457).
This update resolves a vulnerability that could lead to a cross-domain
policy bypass (Internet Explorer-only) (CVE-2011-2458).
This update resolves a memory corruption vulnerability that could lead
to code execution (CVE-2011-2459).
This update resolves a memory corruption vulnerability that could lead
to code execution (CVE-2011-2460).
Affected software
Recommended player update
Availability
Flash Player 11.0.1.152 and earlier
11.1.102.55
Flash Player Download Center
Flash Player 11.0.1.152 and earlier -
network distribution
11.1.102.55
Flash Player Licensing
Flash Player 11.0.1.153 and earlier
for Android
11.1.102.59
Android Marketplace
(browse to on an Android device)
Flash Player 11.0.1.152 and earlier
for Chrome users
11.1.102.55
Google Chrome Releases
AIR 3.0
3.1.0.4880
AIR Download Center
AIR 3.0 for Android
3.1.0.4880
Android Marketplace
(browse to on an Android device)
Acknowledgments
Adobe would like to thank the following individuals and organizations
for reporting the relevant issues and for working with Adobe to help
protect our customers:
* Tavis Ormandy of the Google Security Team (CVE-2011-2450,
CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454,
CVE-2011-2457, CVE-2011-2460)
* An anonymous reporter through iDefense's Vulnerability
Contributor Program (CVE-2011-2459)
* lakehu of Tencent Security Center (CVE-2011-2458)
* Bo Qu of Palo Alto Networks (CVE-2011-2455)
* Ben Hawkes of the Google Security Team (CVE-2011-2456)
* Ivan Golenkov and Alexander Gostev of Kaspersky Lab
(CVE-2011-2445)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTsCkr+4yVqjM2NGpAQKAKQ//Yt7BryLMTIF88L1Xtdzh+uD3nSLAsmie
4dPlv/9sa6fZ3LD32xO7NP1V1TInWtcHYvM40hdMiDPbmM+fUsDN5O+1nH7agvp+
bZZDRLa9FLqv6V0lICP3B7c6svAKt9grx9rcY0nuP+oGpzrpCs5+6lQJBZYo0Dz0
Erf5rKi8wr5fyFaMcmVbYHH56pSQMHeCI5VU/eJfudPy98GMYRFavKCBtMXYwlb6
tW8MLcWbpfN7wxPobTjHeUYFLLLygbAW0043pQJk2tzVjvvGJj0tAFc9+ri/XJ2I
/5AJPnkqBnlJWoPwec41Huj/SDOFlbtXXy9lYFipI246xK69yC/uL9CcoQ/Dzi5R
Hx7QhDOERTk/2yMJiZmlx1uGaYus0FKqzj4uAKLr4tBWbA0aX6GJY6l95XaabGGM
FSSY1liUu7j7dc7OQfK4DO2GcTTZphmUbhD7LCnbmToW+wgPPuCtaKUOw4DN03/Z
z/nzxvVX2XdkFgnKerGAqnZ5n8JlH3cAMJPtjKvVlLaZoeSLQaoqvvhvN29glfLn
PdlDaW2tgp8nAuYyDHRvlvRsxiZ1XFwRMKjDlQEOLg9FvuOyPTJjeR7f/Y/CIYYj
lnNNUqukk+pPh1XQhUVqAizppg1Vn/bvkM6dVu3RU5hOS9BLsdQ+oSzmiLNmCzCs
hNSg5TIzlX0=
=V4eL
-----END PGP SIGNATURE-----
|