===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2012.0800.2
             Security updates available for Adobe Flash Player
                             25 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Windows
                   Mac OS X
                   Linux variants
Impact/Access:     Denial of Service               -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4168 CVE-2012-4167 CVE-2012-4166
                   CVE-2012-4165 CVE-2012-4164 CVE-2012-4163

Original Bulletin: 
   http://www.adobe.com/support/security/bulletins/apsb12-19.html

Revision History:  September 25 2012: Added information regarding CVE-2012-4171 
                                      and CVE-2012-5054
                   August    22 2012: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for Adobe Flash Player

Release date: August 21, 2012

Last updated: September 24, 2012

Vulnerability identifier: APSB12-19

Priority: See table below

CVE number: CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, 
CVE-2012-4167, CVE-2012-4168, CVE-2012-4171, CVE-2012-5054

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player 11.3.300.271 and 
earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 
11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 
11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates 
address vulnerabilities that could cause a crash and potentially allow an 
attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest 
versions:

    Users of Adobe Flash Player 11.3.300.271 and earlier versions for Windows 
    and Macintosh should update to Adobe Flash Player 11.4.402.265.

    Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux 
    should update to Adobe Flash Player 11.2.202.238.

    Flash Player installed with Google Chrome will automatically be updated to 
    the latest Google Chrome version, which will include Adobe Flash Player 
    11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for 
    Macintosh.

    Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x 
    devices should update to Adobe Flash Player 11.1.115.17.

    Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android 
    3.x and earlier versions should update to Flash Player 11.1.111.16.

    Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to 
    Adobe AIR 3.4.0.2540.

    Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update 
    to the Adobe AIR 3.4.0.2540 SDK.

    Users of Adobe AIR 3.3.0.3650 and earlier versions for Android should 
    update to Adobe AIR 3.4.0.2540.

Affected software versions

    Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh 
      and Linux operating systems
    Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
    Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
    Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
    Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
    Adobe AIR 3.3.0.3650 and earlier versions for Android

To verify the version of Adobe Flash Player installed on your system, access 
the About Flash Player page, or right-click on content running in Flash Player 
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use
multiple browsers, perform the check for each browser you have installed on 
your system.

To verify the version of Adobe Flash Player for Android, go to Settings > 
Applications > Manage Applications > Adobe Flash Player x.x.

To verify the version of Adobe AIR installed on your system, follow the 
instructions in the Adobe AIR TechNote.

Solution

Adobe recommends users update their software installations by following the 
instructions below:

    Adobe recommends that users of Adobe Flash Player 11.3.300.271 and earlier 
    versions for Windows and Macintosh update to the newest version, 
    11.4.402.265, by downloading it from the Adobe Flash Player Download Center. 
    Windows users and users of Adobe Flash Player 10.3.x or later for Macintosh 
    can also install the update via the update mechanism within the product 
    when prompted.

    Adobe recommends that users of Adobe Flash Player 11.2.202.236 and earlier 
    versions for Linux update to Adobe Flash Player 11.2.202.238 by 
    downloading it from the Adobe Flash Player Download Center.

    For users who cannot update to Flash Player 11.4.402.265, Adobe has 
    developed a patched version of Flash Player 10.x, Flash Player 10.3.183.23,
    which can be downloaded here.

    Flash Player installed with Google Chrome will automatically be updated to 
    the latest Google Chrome version, which will include Adobe Flash Player 
    11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for 
    Macintosh.

    Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x 
    devices should update to Adobe Flash Player 11.1.115.17, which is available 
    as an update to devices that already have Flash Player installed prior to 
    August 15, 2012.

    Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android 
    3.x and earlier versions should update to Flash Player 11.1.111.16, which 
    is available as an update to devices that already have Flash Player 
    installed prior to August 15, 2012.

    Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to 
    Adobe AIR 3.4.0.2540.

    Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update
    to the Adobe AIR 3.4.0.2540 SDK.

    Users of Adobe AIR 3.3.0.3650 and earlier versions for Android should 
    update to Adobe AIR 3.4.0.2540 by browsing to Google Play or the Amazon 
    Marketplace on an Android device.
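
The fixed version differs by platform and by release branch, so a single 
"older than 11.4.402.265" test misclassifies Linux, Android and patched 10.x 
installs. The following is an added example, not part of the Adobe or AusCERT 
text: it checks inventory rows against the versions above; the platform keys, 
host names and inventory rows are constructed for illustration.

```python
# Added example: triage installs against the fixed versions in APSB12-19.
# Assumption: the patched 10.x build (10.3.183.23) applies to the Windows and
# Macintosh rows, where the bulletin names 11.4.402.265 as the update target.
FIXED = {  # (product, platform) -> first fixed version per major branch
    ("flash", "windows"):          {"default": "11.4.402.265", 10: "10.3.183.23"},
    ("flash", "macintosh"):        {"default": "11.4.402.265", 10: "10.3.183.23"},
    ("flash", "linux"):            {"default": "11.2.202.238"},
    ("flash", "android-4.x"):      {"default": "11.1.115.17"},
    ("flash", "android-3.x"):      {"default": "11.1.111.16"},
    ("flash", "android-2.x"):      {"default": "11.1.111.16"},
    ("flash", "chrome-windows"):   {"default": "11.3.31.230"},
    ("flash", "chrome-linux"):     {"default": "11.3.31.230"},
    ("flash", "chrome-macintosh"): {"default": "11.4.402.265"},
    ("air", "windows"):            {"default": "3.4.0.2540"},
    ("air", "macintosh"):          {"default": "3.4.0.2540"},
    ("air", "android"):            {"default": "3.4.0.2540"},
}

def parse(version):
    """'11.3.300.271' -> (11, 3, 300, 271); ValueError if malformed."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(version)
    return parts

def status(product, platform, installed):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    branches = FIXED.get((product, platform))
    if branches is None:
        return "unknown"            # platform not covered by the bulletin
    try:
        have = parse(installed)
    except ValueError:
        return "unknown"            # unparseable version: check by hand
    fixed = parse(branches.get(have[0], branches["default"]))
    return "patched" if have >= fixed else "vulnerable"

INVENTORY = [  # constructed sample: host, product, platform, version
    ("ws-01", "flash", "windows", "11.3.300.271"),
    ("ws-02", "flash", "windows", "10.3.183.23"),
    ("lx-01", "flash", "linux", "11.2.202.238"),
    ("ph-01", "flash", "android-4.x", "11.1.115.11"),
    ("ph-02", "flash", "android-3.x", "11.1.111.16"),
    ("ws-03", "air", "windows", "3.3.0.3670"),
    ("ws-04", "flash", "windows", "11.4.x"),
]

def triage(rows):
    return {host: status(p, plat, v) for host, p, plat, v in rows}
```

Host ph-01 (11.1.115.11 on Android 4.x) is numerically newer than the Android 
3.x fix 11.1.111.16 yet still vulnerable, which is why the lookup is keyed on 
platform as well as version.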

Priority and Severity ratings

Adobe categorizes these updates with the following priority ratings and 
recommends users update their installations to the newest versions:

Product              Updated Version   Platform                      Priority Rating
Adobe Flash Player   11.4.402.265      Windows                       1
                     11.4.402.265      Macintosh                     2
                     11.2.202.238      Linux                         3
                     11.1.115.17       Android 4.x                   3
                     11.1.111.16       Android 3.x and 2.x           3
Adobe AIR            3.4.0.2540        Windows and Macintosh         3
                     3.4.0.2540        SDK (including AIR for iOS)   3
                                       and Android

These updates address critical vulnerabilities in the software.

Details

These updates resolve memory corruption vulnerabilities that could lead to code 
execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).

These updates resolve an integer overflow vulnerability that could lead to code 
execution (CVE-2012-4167).

These updates resolve a cross-domain information leak vulnerability 
(CVE-2012-4168).

These updates resolve a crash caused by a logic error involving multiple 
dialogs in Firefox (CVE-2012-4171).

These updates resolve a Matrix3D integer overflow vulnerability that could 
lead to code execution (CVE-2012-5054).

Affected software                Recommended player update   Availability

Flash Player 11.3.300.271 and    11.4.402.265                Flash Player Download Center
earlier for Windows and
Macintosh

Flash Player 11.3.300.271 and    11.4.402.265                Flash Player Licensing
earlier - network distribution

Flash Player 11.2.202.236 and    11.2.202.238                Flash Player Download Center
earlier for Linux

Flash Player 11.1.115.11 and     11.1.115.17                 Update to devices that already
earlier for Android 4.x                                      have Flash Player installed
                                                             prior to August 15, 2012

Flash Player 11.1.111.10 and     11.1.111.16                 Update to devices that already
earlier for Android 3.x and                                  have Flash Player installed
2.x                                                          prior to August 15, 2012

Flash Player 11.3.300.271 and    11.3.31.230                 Google Chrome Releases
earlier for Chrome users
(Windows and Linux)

Flash Player 11.3.300.271 and    11.4.402.265                Google Chrome Releases
earlier for Chrome users
(Macintosh)

AIR 3.3.0.3670 and earlier for   3.4.0.2540                  AIR Download Center
Windows and Macintosh

AIR 3.3.0.3690 SDK (includes     3.4.0.2540                  AIR SDK Download
AIR for iOS) and earlier

AIR 3.3.0.3650 and earlier       3.4.0.2540                  Google Play
for Android                                                  (browse to on an Android device)
                                                             Amazon Marketplace
                                                             (browse to on an Android device)

Acknowledgments

Adobe would like to thank the following individuals and organizations for 
reporting the relevant issues and for working with Adobe to help protect our 
customers:

    Xu Liu of Fortinet's FortiGuard Labs (CVE-2012-4163)
    Will Dormann of CERT (CVE-2012-4164)
    Honggang Ren of Fortinet's FortiGuard Labs (CVE-2012-4165, CVE-2012-4166)
    Alexander Gavrun through iDefense's Vulnerability Contributor Program 
    (CVE-2012-4167)
    Claudio Santambrogio of Opera Software ASA (CVE-2012-4168)
    Attila Suszter (CVE-2012-4171)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================