Date: 22 September 2011
References: ASB-2011.0081 ESB-2011.0971 ESB-2011.0974 ESB-2011.1127
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0960
Security update available for Adobe Flash Player
22 September 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adobe Flash Player
Publisher: Adobe
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Mobile Device
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2011-2444 CVE-2011-2430 CVE-2011-2429
CVE-2011-2428 CVE-2011-2427 CVE-2011-2426
Reference: ASB-2011.0081
Original Bulletin:
http://www.adobe.com/support/security/bulletins/apsb11-26.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update available for Adobe Flash Player
Release date: September 21, 2011
Vulnerability identifier: APSB11-26
CVE number: CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429,
CVE-2011-2430, CVE-2011-2444
Platform: All Platforms
Summary
Critical vulnerabilities have been identified in Adobe Flash Player
10.3.183.7 and earlier versions for Windows, Macintosh, Linux and
Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for
Android. These vulnerabilities could cause a crash and potentially
allow an attacker to take control of the affected system.
There are reports that one of these vulnerabilities (CVE-2011-2444) is
being exploited in the wild in active targeted attacks designed to
trick the user into clicking on a malicious link delivered in an email
message. This universal cross-site scripting issue could be used to
take actions on a user's behalf on any website or webmail provider if
the user visits a malicious website.
Adobe recommends users of Adobe Flash Player 10.3.183.7 and earlier
versions for Windows, Macintosh, Linux and Solaris update to Adobe
Flash Player 10.3.183.10. Users of Adobe Flash Player for Android
10.3.186.6 and earlier versions should update to Adobe Flash Player for
Android 10.3.186.7.
Affected software versions
* Adobe Flash Player 10.3.183.7 and earlier versions for Windows,
Macintosh, Linux and Solaris operating systems
* Adobe Flash Player 10.3.186.6 and earlier versions for Android
(Note: The Authplay.dll component that ships with Adobe Reader and
Acrobat X (10.1.1) and earlier 10.x and 9.x versions for Windows and
Macintosh operating systems is not impacted by CVE-2011-2444.)
To verify the version of Adobe Flash Player installed on your system,
access the About Flash Player page, or right-click on content
running in Flash Player and select "About Adobe (or Macromedia) Flash
Player" from the menu. If you use multiple browsers, perform the check
for each browser you have installed on your system.
To verify the version of Adobe Flash Player for Android, go to Settings
> Applications > Manage Applications > Adobe Flash Player 10.x.
Solution
Adobe recommends all users of Adobe Flash Player 10.3.183.7 and earlier
versions for Windows, Macintosh, Linux and Solaris upgrade to the
newest version 10.3.183.10 by downloading it from the Adobe Flash
Player Download Center. Windows users and users of Adobe Flash Player
10.3.183.7 or later for Macintosh can install the update via the
auto-update mechanism within the product when prompted.
Users of Adobe Flash Player for Android 10.3.186.6 and earlier versions
should update to Adobe Flash Player for Android 10.3.186.7 by browsing
to the Android Marketplace on an Android phone.
Severity rating
Adobe categorizes this as a critical update and recommends users
update their installations to the newest versions.
Details
Critical vulnerabilities have been identified in Adobe Flash Player
10.3.183.7 and earlier versions for Windows, Macintosh, Linux and
Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for
Android. These vulnerabilities could cause a crash and potentially
allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 10.3.183.7 and earlier
versions for Windows, Macintosh, Linux and Solaris update to Adobe
Flash Player 10.3.183.10. Users of Adobe Flash Player for Android
10.3.186.6 and earlier versions should update to Adobe Flash Player for
Android 10.3.186.7.
This update resolves a universal cross-site scripting issue that could
be used to take actions on a user's behalf on any website or webmail
provider if the user visits a malicious website (CVE-2011-2444).
Note: There are reports that this issue is being exploited in the wild
in active targeted attacks designed to trick the user into clicking on
a malicious link delivered in an email message.
This update resolves an AVM stack overflow issue that may allow for
remote code execution. (CVE-2011-2426).
This update resolves an AVM stack overflow issue that may lead to
denial of service and code execution. (CVE-2011-2427).
This update resolves a logic error issue which causes a browser crash
and may lead to code execution. (CVE-2011- 2428).
This update resolves a Flash Player security control bypass which
could allow information disclosure. (CVE-2011-2429).
This update resolves a streaming media logic error vulnerability which
could lead to code execution. (CVE-2011-2430).
Affected software
Recommended player update
Availability
Flash Player 10.3.183.7 and earlier
10.3.183.10
Flash Player Download Center
Flash Player 10.3.183.7 and earlier - network distribution
10.3.183.10
Flash Player Licensing
Flash Player 10.3.186.6 and earlier for Android
10.3.186.7
Android Marketplace
(browse to on an Android phone)
Flash Player 10.3.183.7 and earlier for Chrome users
10.3.183.10
Google Chrome Releases
Acknowledgments
Adobe would like to thank the following individuals and organizations
for reporting the relevant issues and for working with Adobe to help
protect our customers:
* Bing Liu of Fortinet's FortiGuard Labs (CVE-2011-2426)
* Yang Dingning of NCNIPC, Graduate University of Chinese
Academy of Sciences (CVE-2011-2427)
* Huzaifa Sidhpurwala of Red Hat Security Response Team
(CVE-2011-2428).
* Neil Bergman of Cigital (CVE-2011-2429).
* Zrong of zengrong.net (CVE-2011-2430).
* Google (CVE-2011-2444)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTnqL5+4yVqjM2NGpAQItwhAAmIstuM8gZu3ZbblGKGB7fM4vZZy5nx2Y
I0wBFV3UDvdR7IGdA4DUolTJ84rykX62CI3XQ+fKV5krM/gshx67xY7FtmQ8xRe9
lWSeOAyW+UqNg8opTjUVltJsf773OXhJkRHLgODt886hvmoSs60PWnOTbUyk39TG
GRawTcwlMCKPRjexUwqNYq1kgKnLeUlodiJLzFNV0aWAVjNpK2lM4YnrDxqJsBwS
wNChuck0kp58AGKWqlCKf80fqiyhgZq5EZMpOgRrSkms275UR0P40t7+74K7t8+/
OJQsNYu8UMMgw0VZ6t5EpUSAfY3vNhtfUlFz6S91dmr402lgHT640AmIrh5RrT8o
BpS8X3bUnTfkAxnDfuO1zpFdi/5Z8GvMaIMnxZsuZEWm/b84frkVHBNT3svARGUO
+xpcnhiWnZfSPZQJCslx6bNi05Yjcecec/8bqtEo6xOpi+tWfNsj5YopHHV6uMZk
6yupcUEcbz5xugQCGzeXNrlQ6xgZEFwInuTmPQpAE/eO0JNfyFQnEl6NX4fVY91m
7K2mtPViv2b1hAqNw3bMuCjHAP2odF9trTi4n8IGsSgtiO8vSd7/c6TGFvWzSnb4
JzXEmP8iRZf9k6hnQkHm3JUKy6Bh1a0Ms9vNEZ850YR8GA9sYPJin39/C9qWkR2j
gXMXL9F3w/Y=
=ZtA0
-----END PGP SIGNATURE-----
|