-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0052
             Security updates available for Adobe Flash Player
                              15 January 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
                   Adobe AIR
Publisher:         Adobe
Operating System:  Windows
                   OS X
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0492 CVE-2014-0491 

Original Bulletin: 
   http://helpx.adobe.com/security/products/flash-player/apsb14-02.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Release date: January 14, 2014

Vulnerability identifier: APSB14-02

Priority: See table below

CVE number: CVE-2014-0491, CVE-2014-0492

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player 11.9.900.170 and 
earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.332
and earlier versions for Linux. These updates address vulnerabilities that 
could potentially allow an attacker to take control of the affected system. 
Adobe recommends users update their product installations to the latest 
versions:

* Users of Adobe Flash Player 11.9.900.170 and earlier versions for Windows
Internet Explorer should update to Adobe Flash Player 12.0.0.38.

* Users of Adobe Flash Player 11.9.900.170 and earlier versions for NPAPI 
plugin-based browsers on Windows should update to Adobe Flash Player 12.0.0.43

* Users of Adobe Flash Player 11.9.900.170 and earlier versions for 
Macintosh should update to Adobe Flash Player 12.0.0.38.

* Users of Adobe Flash Player 11.2.202.332 and earlier versions for Linux 
should update to Adobe Flash Player 11.2.202.335.

* Adobe Flash Player 11.9.900.170 installed with Google Chrome will 
automatically be updated to the latest Google Chrome version, which will 
include Adobe Flash Player 12.0.0.41 for Windows, Macintosh and Linux.

* Adobe Flash Player 11.9.900.170 installed with Internet Explorer 10 will
automatically be updated to the latest Internet Explorer 10 version, which 
will include Adobe Flash Player 12.0.0.38 for Windows 8.0.

* Adobe Flash Player 11.9.900.170 installed with Internet Explorer 11 will
automatically be updated to the latest Internet Explorer 11 version, which 
will include Adobe Flash Player 12.0.0.38 for Windows 8.1.

* Users of Adobe AIR 3.9.0.1380 and earlier versions for Windows and 
Macintosh should update to Adobe AIR 4.0.0.1390.

* Users of Adobe AIR 3.9.0.1380 and earlier versions for Android should 
update to Adobe AIR 4.0.0.1390.

* Users of the Adobe AIR 3.9.0.1380 SDK and earlier versions should update
to the Adobe AIR 4.0.0.1390 SDK.

* Users of the Adobe AIR 3.9.0.1380 SDK & Compiler and earlier versions 
should update to the Adobe AIR 4.0.0.1390 SDK & Compiler.

Affected software versions

* Adobe Flash Player 11.9.900.170 and earlier versions for Windows and 
Macintosh

* Adobe Flash Player 11.2.202.332 and earlier versions for Linux

* Adobe AIR 3.9.0.1380 and earlier versions for Windows and Macintosh

* Adobe AIR 3.9.0.1380 and earlier versions for Android

* Adobe AIR 3.9.0.1380 SDK and earlier versions

* Adobe AIR 3.9.0.1380 SDK & Compiler and earlier versions

To verify the version of Adobe Flash Player installed on your system, access 
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you 
use multiple browsers, perform the check for each browser you have installed 
on your system.

To verify the version of Adobe Flash Player for Android, go to Settings > 
Applications > Manage Applications > Adobe Flash Player x.x.

To verify the version of Adobe AIR installed on your system, follow the 
instructions in the Adobe AIR TechNote.

Solution

Adobe recommends users update their software installations by following the 
instructions below:

* Adobe recommends users of Adobe Flash Player 11.9.900.170 and earlier 
versions for Windows Internet Explorer update to the newest version 12.0.0.38
by downloading it from the Adobe Flash Player Download Center, or via the 
update mechanism within the product when prompted.

* Adobe recommends users of Adobe Flash Player 11.9.900.170 and earlier 
versions for Macintosh update to the newest version 12.0.0.38 by downloading 
it from the Adobe Flash Player Download Center, or via the update mechanism 
within the product when prompted.

* Adobe recommends users of Adobe Flash Player 11.9.900.170 and earlier 
versions for NPAPI plugin-based browsers on Windows update to the newest 
version 12.0.0.43 by downloading it from the Adobe Flash Player Download 
Center, or via the update mechanism within the product when prompted.

* Adobe recommends users of Adobe Flash Player 11.2.202.332 and earlier 
versions for Linux update to Adobe Flash Player 11.2.202.335 by downloading it
from the Adobe Flash Player Download Center.

* For users of Flash Player 11.7.700.257 and earlier versions for Windows 
and Macintosh, who cannot update to Flash Player 12.0.0.38, Adobe has made 
available the update Flash Player 11.7.700.260, which can be downloaded here.

* Adobe Flash Player 11.9.900.170 installed with Google Chrome will 
automatically be updated to the latest Google Chrome version, which will 
include Adobe Flash Player 12.0.0.41 for Windows, Macintosh and Linux.

* Adobe Flash Player 11.9.900.170 installed with Internet Explorer 10 will
automatically be updated to the latest Internet Explorer 10 version, which 
will include Adobe Flash Player 12.0.0.38 for Windows 8.0.

* Adobe Flash Player 11.9.900.170 installed with Internet Explorer 11 will
automatically be updated to the latest Internet Explorer 11 version, which 
will include Adobe Flash Player 12.0.0.38 for Windows 8.1.

* Users of Adobe AIR 3.9.0.1380 and earlier versions for Windows and 
Macintosh should update to Adobe AIR 4.0.0.1390 by downloading it from the 
Adobe AIR Download Center.

* Users of the Adobe AIR 3.9.0.1380 SDK should update to the Adobe AIR 
4.0.0.1390 SDK by downloading it from the Adobe AIR SDK Download Center.

* Users of the Adobe AIR 3.9.0.1380 SDK & Compiler and earlier versions 
should update to the Adobe AIR 4.0.0.1390 SDK & Compiler by downloading it 
from the Adobe AIR SDK Download Center.

* Users of the Adobe AIR 3.9.0.1380 and earlier versions for Android should
update to Adobe AIR 4.0.0.1390 by browsing to Google play from an Android 
device.

Priority and severity ratings

Adobe categorizes this update with the following priority rating and 
recommends users update their installation to the newest version:

Product 		Updated version	Platform 			Priority rating

Adobe Flash Player 	12.0.0.38	Windows (Internet Explorer)	1
		  	12.0.0.38	Macintosh 			1
		  	12.0.0.41 	Windows, Macintosh and Linux
					(Chrome) 			1
		  	12.0.0.43 	NPAPI plugin-based browsers 
					on Windows 			1
		 	11.7.700.260 	Windows & Macintosh 		1
		  	11.2.202.335 	Linux 				3
Adobe AIR 		4.0.0.1390 	Windows, Macintosh, Android, 
					SDK and SDK & Compiler 		3

These updates address critical vulnerabilities in the software.

Details

Adobe has released security updates for Adobe Flash Player 11.9.900.170 and 
earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.332
and earlier versions for Linux. These updates address vulnerabilities that 
could potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest 
versions:

* Users of Adobe Flash Player 11.9.900.170 and earlier versions for Windows
Internet Explorer should update to Adobe Flash Player 12.0.0.38.

* Users of Adobe Flash Player 11.9.900.170 and earlier versions for NPAPI 
plugin-based browsers on Windows should update to Adobe Flash Player 12.0.0.43

* Users of Adobe Flash Player 11.9.900.170 and earlier versions for 
Macintosh should update to Adobe Flash Player 12.0.0.38.

* Users of Adobe Flash Player 11.2.202.332 and earlier versions for Linux 
should update to Adobe Flash Player 11.2.202.335.

* Adobe Flash Player 11.9.900.170 installed with Google Chrome will 
automatically be updated to the latest Google Chrome version, which will 
include Adobe Flash Player 12.0.0.41 for Windows, Macintosh and Linux.

* Adobe Flash Player 11.9.900.170 installed with Internet Explorer 10 will
automatically be updated to the latest Internet Explorer 10 version, which 
will include Adobe Flash Player 12.0.0.38 for Windows 8.0.

* Adobe Flash Player 11.9.900.170 installed with Internet Explorer 11 will
automatically be updated to the latest Internet Explorer 11 version, which 
will include Adobe Flash Player 12.0.0.38 for Windows 8.1.

* Users of Adobe AIR 3.9.0.1380 and earlier versions for Windows and 
Macintosh should update to Adobe AIR 4.0.0.1390.

* Users of Adobe AIR 3.9.0.1380 and earlier versions for Android should 
update to Adobe AIR 4.0.0.1390.

* Users of the Adobe AIR 3.9.0.1380 SDK and earlier versions should update
to the Adobe AIR 4.0.0.1390 SDK.

* Users of the Adobe AIR 3.9.0.1380 SDK & Compiler and earlier versions 
should update to the Adobe AIR 4.0.0.1390 SDK & Compiler.

These updates resolve a vulnerability that could be used to bypass Flash 
Player security protections (CVE-2014-0491).

These updates resolve an address leak vulnerability that could be used to 
defeat memory address layout randomization (CVE-2014-0492).

Affected Software 				Recommended Player Update 	Availability

Flash Player 11.9.900.170 and earlier versions 
for Windows (Internet Explorer)		 	12.0.0.38 			Flash Player Download Center

Flash Player 11.9.900.170 and earlier versions 
for Macintosh 					12.0.0.38 			Flash Player Download Center

Flash Player 11.9.900.170 and earlier versions 
(network distribution) 				12.0.0.38 			Flash Player Licensing

Flash Player 11.9.900.170 and earlier versions 
for NPAPI plugin-based browsers on Windows 	12.0.0.43 			Flash Player Download Center

Flash Player 11.2.202.332 and earlier for 
Linux 						11.2.202.335 			Flash Player Download Center

Flash Player 11.9.900.170 and earlier for 
Windows, Macintosh and Linux (Chrome) 		12.0.0.41 			Google Chrome Releases

Flash Player 11.9.900.170 and earlier in 
Internet Explorer 10 for Windows 8.0		12.0.0.38 			Microsoft Security Advisory

Flash Player 11.9.900.170 and earlier in 
Internet Explorer 11 for Windows 8.1		12.0.0.38 			Microsoft Security Advisory

AIR 3.9.0.1380 and earlier for Windows and 
Macintosh 					4.0.0.1390 			AIR Download Center

AIR 3.9.0.1380 SDK 				4.0.0.1390			AIR SDK Download

AIR 3.9.0.1380 SDK & Compiler 			4.0.0.1390 			AIR SDK Download

AIR 3.9.0.1380 and earlier for Android 		4.0.0.1390 			Google Play

Acknowledgments

Adobe would like to thank the following individuals for reporting the relevant
issues and for working with Adobe to help protect our customers:

Masato Kinugawa (CVE-2014-0491)

Anonymously reported via the Zero Day Initiative (CVE-2014-0492)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUtXVxxLndAQH1ShLAQKntw/+OMgj+LMihFSEAfoUMdjtI8TXDzfJEoFu
f1lXLO20nzWR8YuUkJC73jvddPMZdkxYbAM710umCRQSewR7JP3j8udD05buVrka
94UqDMFiNKGrBtMIO8LdyQVXJNSTYkBMGEn/LF8ZNSZdbJkbx+2tltN2BGPEvQVR
Fto/1rWrBGJD2hp6bOpX+4D5bN56QSKklQxN3CGfCwxH5WLCJZoDbr4rUQR18Wqr
cWT+Jyk81kXEdDdKEV04AwrRy8KYJMgl8sRpihnZKjjrZo6kqOl6wXkJAJbbvtlq
E2bBdx7TPKLjj64aWi6IW0btydNkyfYB+3B6PlXiIRlRADeJ9zWFu1cEi/8KS44U
QlwBOY5FkZK6AjgpswtgV1nUmTlO/1x42i7Kj6/zjuVbtzFNKWVI9akJ9xA3XpfC
NwbBucB3td1HqjiDqLAodrF3qekjsOym2DqxoFFpkJVMl4fDfjuXC98nQitUHsR9
Ra+nBm5s0HkUqeTmMonwTD5dAgW5vv9+G0CGzejGPlIexGp/QUNwBCp7UvouvLad
hcIiy0i1DoRSwsVunDe/EjNMamQx1TQg4B3DUMP5sG9vkj5xs5GgAP2ZMQOj15xt
AEgBjWDP2eF3u2mqYo7296/1wqIwgOo94yxqHdsNwgBMY3b4xeje7/WmveZEoy5M
rEIgSTUqTuM=
=4fkI
-----END PGP SIGNATURE-----