===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0112
           Multiple unpatched Adobe Flash Player vulnerabilities
                             12 December 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Adobe Flash Player
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2011-4694 CVE-2011-4693 
Member content until: Wednesday, January 11 2012

Comment: Adobe has yet to release patches or acknowledge these vulnerabilities
         with a security bulletin. AusCERT will provide an update when patches
         are available.

OVERVIEW

        Multiple unpatched Adobe Flash Player vulnerabilities have been found.


IMPACT

        The following CVEs provide a description of the vulnerabilities:
        
        CVE-2011-4693
        "Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on
        Windows and Mac OS X allows remote attackers to execute arbitrary
        code via a crafted SWF file, as demonstrated by the first of two
        vulnerabilities exploited by the Intevydis vd_adobe_fp module in
        VulnDisco Step Ahead (SA). NOTE: as of 20111207, this disclosure has
        no actionable information. However, because the module author is a
        reliable researcher, the issue is being assigned a CVE identifier for
        tracking purposes" [1]
        
        CVE-2011-4694
        "Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on
        Windows and Mac OS X allows remote attackers to execute arbitrary code
        via a crafted SWF file, as demonstrated by the second of two
        vulnerabilities exploited by the Intevydis vd_adobe_fp module in
        VulnDisco Step Ahead (SA). NOTE: as of 20111207, this disclosure has
        no actionable information. However, because the module author is a
        reliable researcher, the issue is being assigned a CVE identifier for
        tracking purposes" [2]


MITIGATION

        The following are some mitigation options:
        1. Disable Flash in all web browsers
        2. Use a browser plugin such as NoScript to enable Flash only on a
           per-site basis
        3. Avoid untrusted websites
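
        As an added example (not part of the AusCERT bulletin), the POSIX
        shell script below supports option 1 by inventorying Flash Player
        plugin files on UNIX-like hosts, reading the "LNX a,b,c,d" version
        marker the Linux plugin embeds, and flagging builds at or below
        11.1.102.55, the build named in both CVEs. The plugin paths are
        assumed typical locations; the "review" status only means a newer
        build that must be checked against Adobe's eventual bulletin.

```shell
#!/bin/sh
# Added example (not AusCERT's code): inventory Flash Player installs on
# UNIX-like hosts and flag the build named in CVE-2011-4693/-4694.
# Paths below are assumed typical plugin locations; adjust for your fleet.
AFFECTED_VERSION="11.1.102.55"   # build named in both CVE descriptions

CANDIDATE_PATHS="
/usr/lib/mozilla/plugins/libflashplayer.so
/usr/lib/flashplugin-installer/libflashplayer.so
${HOME:-/root}/.mozilla/plugins/libflashplayer.so
"

# The Linux plugin embeds a marker such as "LNX 11,1,102,55"; extract it
# from the binary and normalise to dotted form. Prints nothing if absent.
flash_version_of() {
    tr -c '[:print:]' '\n' < "$1" 2>/dev/null \
        | sed -n 's/.*LNX \([0-9][0-9,]*\).*/\1/p' | head -n 1 | tr ',' '.'
}

# Numeric comparison of two dotted versions: prints -1, 0 or 1.
version_cmp() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return; }
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# "affected": at or below the build named in the CVEs (no vendor patch as of
# this bulletin). "review": newer build. "unknown": no version marker found.
classify_version() {
    [ -n "$1" ] || { printf 'unknown\n'; return; }
    if [ "$(version_cmp "$1" "$AFFECTED_VERSION")" -le 0 ]; then
        printf 'affected\n'
    else
        printf 'review\n'
    fi
}

# Report "path version status" for every candidate file that exists.
scan_flash_installs() {
    for p in $CANDIDATE_PATHS; do
        [ -f "$p" ] || continue
        v=$(flash_version_of "$p")
        printf '%s %s %s\n' "$p" "${v:-unknown}" "$(classify_version "$v")"
    done
}
```

        Call scan_flash_installs on each host; any line reporting "affected"
        or "unknown" is a host where Flash should be disabled or removed.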


REFERENCES

        [1] Vulnerability Summary for CVE-2011-4693
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4693

        [2] Vulnerability Summary for CVE-2011-4694
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4694

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================