===========================================================================
             AUSCERT Security Bulletin ASB-2011.0112
        Multiple unpatched Adobe Flash Player vulnerabilities
                           12 December 2011
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Adobe Flash Player
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2011-4694 CVE-2011-4693
Member content until: Wednesday, January 11 2012

Comment: Adobe has yet to release patches or acknowledge these vulnerabilities
         with a security bulletin. AusCERT will provide an update when patches
         are available.

OVERVIEW

        Multiple unpatched Adobe Flash Player vulnerabilities have been found.

IMPACT

        The following CVEs provide a description of the vulnerabilities:

        CVE-2011-4693
        "Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on Windows
        and Mac OS X allows remote attackers to execute arbitrary code via a
        crafted SWF file, as demonstrated by the first of two vulnerabilities
        exploited by the Intevydis vd_adobe_fp module in VulnDisco Step Ahead
        (SA). NOTE: as of 20111207, this disclosure has no actionable
        information. However, because the module author is a reliable
        researcher, the issue is being assigned a CVE identifier for tracking
        purposes" [1]

        CVE-2011-4694
        "Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on Windows
        and Mac OS X allows remote attackers to execute arbitrary code via a
        crafted SWF file, as demonstrated by the second of two vulnerabilities
        exploited by the Intevydis vd_adobe_fp module in VulnDisco Step Ahead
        (SA). NOTE: as of 20111207, this disclosure has no actionable
        information. However, because the module author is a reliable
        researcher, the issue is being assigned a CVE identifier for tracking
        purposes" [2]

MITIGATION

        The following are some mitigation options:

        1. Disable Flash in all web browsers
        2. Use plugins to enable Flash on an individual basis, e.g. NoScript
        3. Avoid untrusted websites

REFERENCES

        [1] Vulnerability Summary for CVE-2011-4693
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4693

        [2] Vulnerability Summary for CVE-2011-4694
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4694

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================