copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2012.0180 - ALERT [Win][Linux][Solaris][Mac][OSX] Adobe Flash Player: Multiple vulnerabilities

Date: 16 February 2012
References: ESB-2012.0185  ESB-2012.0731  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0180
             Security update available for Adobe Flash Player
                             16 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Windows
                   Mac OS X
                   Linux variants
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0767 CVE-2012-0756 CVE-2012-0755
                   CVE-2012-0754 CVE-2012-0753 CVE-2012-0752
                   CVE-2012-0751  

Original Bulletin: 
   http://www.adobe.com/support/security/bulletins/apsb12-03.html

Comment: Note: There have been reports of CVE-2012-0767 being exploited in the wild
         (Internet Explorer on Windows only).

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update available for Adobe Flash Player

Release date: February 15, 2012

Vulnerability identifier: APSB12-03

CVE number: CVE-2012-0751, CVE-2012-0752, CVE-2012-0753, CVE-2012-0754,
CVE-2012-0755, CVE-2012-0756, CVE-2012-0767

Platform: All Platforms

SUMMARY

This update addresses critical vulnerabilities in Adobe Flash Player
11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris,
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe
Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These
vulnerabilities could cause a crash and potentially allow an attacker to take
control of the affected system. This update also resolves a universal
cross-site scripting vulnerability that could be used to take actions on a
user's behalf on any website or webmail provider, if the user visits a
malicious website. There are reports that this vulnerability (CVE-2012-0767) is
being exploited in the wild in active targeted attacks designed to trick the
user into clicking on a malicious link delivered in an email message (Internet
Explorer on Windows only).

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions
for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player
11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on
Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of
Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier
versions should update to Flash Player 11.1.111.6.

AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh,
Linux and Solaris operating systems
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe
Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

To verify the version of Adobe Flash Player installed on your system, access
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use
multiple browsers, perform the check for each browser you have installed on
your system.

To verify the version of Adobe Flash Player for Android, go to Settings >
Applications > Manage Applications > Adobe Flash Player x.x.

SOLUTION

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions
for Windows, Macintosh, Linux and Solaris update to the newest version
11.1.102.62 by downloading it from the Adobe Flash Player Download Center.
Windows users and users of Adobe Flash Player 10.3.83.14 or later for Macintosh
can install the update via the update mechanism within the product when
prompted.

For users who cannot update to Flash Player 11.1.102.62, Adobe has developed
a patched version of Flash Player 10.x, Flash Player 10.3.83.14, which can be
downloaded here.

Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x
devices should update to Adobe Flash Player 11.1.115.6 by browsing to the
Android Marketplace on an Android device. Users of Adobe Flash Player
11.1.111.5 and earlier versions for Android 3.x and earlier versions should
update to Flash Player 11.1.111.6 by browsing to the Android Marketplace on an
Android device.

SEVERITY RATING

Adobe categorizes these as critical updates and recommends users update their
installations to the newest versions.

DETAILS

This update addresses critical vulnerabilities in Adobe Flash Player
11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris,
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe
Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These
vulnerabilities could cause a crash and potentially allow an attacker to take
control of the affected system. This update also resolves a universal
cross-site scripting vulnerability that could be used to take actions on a
user's behalf on any website or webmail provider, if the user visits a
malicious website. There are reports that this vulnerability (CVE-2012-0767) is
being exploited in
the wild in active targeted attacks designed to trick the user into clicking on
a malicious link delivered in an email message (Internet Explorer on Windows
only).

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions
for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player
11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on
Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of
Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier
versions should update to Flash Player 11.1.111.6.

This update resolves a memory corruption vulnerability that could lead to code
execution (Windows ActiveX control only) (CVE-2012-0751).

This update resolves a type confusion memory corruption vulnerability that
could lead to code execution (CVE-2012-0752).

This update resolves an MP4 parsing memory corruption vulnerability that could
lead to code execution (CVE-2012-0753).

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2012-0754).

This update resolves a security bypass vulnerability that could lead to code
execution (CVE-2012-0755).

This update resolves a security bypass vulnerability that could lead to code
execution (CVE-2012-0756).

This update resolves a universal cross-site scripting vulnerability that could
be used to take actions on a user's behalf on any website or webmail provider,
if the user visits a malicious website (CVE-2012-0767).

Affected software

Recommended player update

Availability

Flash Player 11.1.102.55 and earlier

11.1.102.62

Flash Player Download Center

Flash Player 11.1.102.55 and earlier - 
network distribution

11.1.102.62

Flash Player Licensing

Flash Player 11.1.112.61 and earlier 
for Android 4.x

11.1.115.6
Android Marketplace
(browse to on an Android device)

Flash Player 11.1.111.5 and earlier 
for Android 3.x and 2.x

11.1.111.6
Android Marketplace
(browse to on an Android device)

Flash Player 11.1.102.55 and earlier
for Chrome users

11.1.102.62
Google Chrome Releases

ACKNOWLEDGMENTS

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:

Xu Liu of Fortinet's FortiGuard Labs (CVE-2012-0751)
Bo Qu of Palo Alto Networks (CVE-2012-0752)
Alexander Gavrun through TippingPoint's Zero Day Initiative (CVE-2012-0753,
  CVE-2012-0754)
Eduardo Vela Nava of the Google Security Team (CVE-2012-0755)
Google (CVE-2012-0767)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTzyNlu4yVqjM2NGpAQK2/g//RtboeHmHynlLKroOTgy/WPCDeUdkDQUf
btNlVI/s1+BDz0ek2++CNxBlfOVzzeXKFhwkyi92g1/xy0YNwJmI09o9yTz1Yvu9
ho67fFmAY2fIKOftcWwQMiHtiMk2T3AOGGhrYMqncCaBeKQZYjnpwCjsUjvqXBpJ
UpphonVPdTugXvVWxED7KzPxA+pxLxQVVfBVp8fY4WRqN6RchUftTbbk84LTgazW
6b8+yGhBc8w6ZXr3B7tD5oGnuTSNbnc6+g5K0ydkZxqVPfS+MfpQ/Ir0G0MDmqA+
61fcTcO9rCSvzPflJcoe5rhstyzRMr+1U3CtrHiM8xSPNoi0LRnpUCISrwbmC/CP
Yo+Uqgp6DJjMlH8/qw99vp2tnY3c2LhjnhvW8dDCcZOFMx27B6pH8OaaaGuIGUOA
ZD3rQTxn558MsG3EUKDvWBZ2PpP6x6FgWbcBCq6uHEZhNBa+lQxqrZX8/pNswtnC
/JfFjO5LIf44VhmYPswdbBml3dYe9txcz76mF0Ky0yi5+Q4esjucF148QuRA65y8
PTzJfwHE/ELXUvqVN1f8DgoUYmtzG4bk4wCr3Uo4yeW0W07hOSQTtyowkkToMSII
7VcuYS0YWrGChyLlRhzGwK7s/qzaKhGGFRt75pJSX2DOvLQ8J9tPyyW1R3OEf2O/
02wESxrlhZc=
=+cL0
-----END PGP SIGNATURE-----