===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0152
             Security updates available for Adobe Flash Player
                              5 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Windows
                   Linux variants
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0497  

Original Bulletin: 
   http://helpx.adobe.com/security/products/flash-player/apsb14-04.html

Comment: Adobe is aware of reports that an exploit for this vulnerability 
         exists in the wild, and recommends users update their product 
         installations to the latest versions.

--------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Release date: February 4, 2014

Vulnerability identifier: APSB14-04

Priority: See table below

CVE number: CVE-2014-0497

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player 12.0.0.43 and 
earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.335
and earlier versions for Linux. These updates address a critical vulnerability
that could potentially allow an attacker to remotely take control of the 
affected system.

Adobe is aware of reports that an exploit for this vulnerability exists in the
wild, and recommends users update their product installations to the latest 
versions:

* Users of Adobe Flash Player 12.0.0.43 and earlier versions for Windows and 
Macintosh should update to Adobe Flash Player 12.0.0.44.

* Users of Adobe Flash Player 11.2.202.335 and earlier versions for Linux 
should update to Adobe Flash Player 11.2.202.336.

* Adobe Flash Player 12.0.0.41 installed with Google Chrome will automatically
be updated to the latest Google Chrome version, which will include Adobe Flash
Player 12.0.0.44 for Windows, Macintosh and Linux.

* Adobe Flash Player 12.0.0.38 installed with Internet Explorer 10 will 
automatically be updated to the latest Internet Explorer 10 version, which 
will include Adobe Flash Player 12.0.0.44 for Windows 8.0.

* Adobe Flash Player 12.0.0.38 installed with Internet Explorer 11 will 
automatically be updated to the latest Internet Explorer 11 version, which 
will include Adobe Flash Player 12.0.0.44 for Windows 8.1.

Affected software versions

* Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh

* Adobe Flash Player 11.2.202.335 and earlier versions for Linux

To verify the version of Adobe Flash Player installed on your system, access 
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you 
use multiple browsers, perform the check for each browser you have installed 
on your system.

To verify the version of Adobe Flash Player for Android, go to Settings > 
Applications > Manage Applications > Adobe Flash Player x.x.

To verify the version of Adobe AIR installed on your system, follow the 
instructions in the Adobe AIR TechNote.

Solution

Adobe recommends users update their software installations by following the 
instructions below:

* Adobe recommends users of Adobe Flash Player 12.0.0.43 and earlier versions
for Windows and Macintosh update to the newest version 12.0.0.44 by 
downloading it from the Adobe Flash Player Download Center, or via the update
mechanism within the product when prompted.

* Adobe recommends users of Adobe Flash Player 11.2.202.335 and earlier 
versions for Linux update to Adobe Flash Player 11.2.202.336 by downloading it
from the Adobe Flash Player Download Center.

* For users of Flash Player 11.7.700.260 and earlier versions for Windows and
Macintosh, who cannot update to Flash Player 12.0.0.44, Adobe has made 
available the update Flash Player 11.7.700.261, which can be downloaded here.

* Adobe Flash Player 12.0.0.41 installed with Google Chrome will automatically
be updated to the latest Google Chrome version, which will include Adobe Flash
Player 12.0.0.44 for Windows, Macintosh and Linux.

* Adobe Flash Player 12.0.0.38 installed with Internet Explorer 10 will 
automatically be updated to the latest Internet Explorer 10 version, which 
will include Adobe Flash Player 12.0.0.44 for Windows 8.0.

* Adobe Flash Player 12.0.0.38 installed with Internet Explorer 11 will 
automatically be updated to the latest Internet Explorer 11 version, which 
will include Adobe Flash Player 12.0.0.44 for Windows 8.1.

Priority and severity ratings

Adobe categorizes this update with the following priority rating and 
recommends users update their installation to the newest version:

Product             Updated version  Platform               Priority rating

Adobe Flash Player  12.0.0.44        Windows and Macintosh  1
                    11.7.700.261     Windows and Macintosh  1
                    11.2.202.336     Linux                  3

These updates address critical vulnerabilities in the software.

Details

These updates resolve an integer underflow vulnerability that could be 
exploited to execute arbitrary code on the affected system (CVE-2014-0497).

Affected Software                         Recommended Player Update  Availability

Flash Player 12.0.0.43 and earlier
versions for Windows and Macintosh        12.0.0.44                  Flash Player Download Center

Flash Player 12.0.0.43 and earlier
versions (network distribution)           12.0.0.44                  Flash Player Licensing

Flash Player 11.2.202.335 and
earlier for Linux                         11.2.202.336               Flash Player Download Center

Flash Player 12.0.0.41 and
earlier for Chrome                        12.0.0.44                  Google Chrome Releases

Flash Player 12.0.0.38 and earlier
in Internet Explorer 10 for Windows 8.0   12.0.0.44                  Microsoft Security Advisory

Flash Player 12.0.0.38 and earlier
in Internet Explorer 11 for Windows 8.1   12.0.0.44                  Microsoft Security Advisory
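
The version thresholds above can be applied to a software inventory to separate patched installs from those still exposed to CVE-2014-0497. The following is an added example, not code from Adobe or AusCERT; the function names, the platform labels, the accepted comma-separated version form and the inventory rows are assumptions made for illustration.

```python
# Added example: thresholds copied from the bulletin's tables; the inventory
# rows are constructed sample data, not real hosts.
import re

FIX_MAIN = (12, 0, 0, 44)         # Windows/Macintosh; Chrome and IE bundled players
FIX_EXTENDED = (11, 7, 700, 261)  # Windows/Macintosh installs that cannot move to 12
FIX_LINUX = (11, 2, 202, 336)     # Linux player from the Download Center


def parse_version(text):
    """Turn '12.0.0.43' (or the comma form '12,0,0,43') into a 4-tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:[.,]\d+){3}", text, re.ASCII):
        raise ValueError(f"not a 4-part Flash Player version: {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", text))


def required_version(platform, version):
    """Return the first fixed version that applies to this install."""
    if version >= (12, 0, 0, 0):
        return FIX_MAIN  # 12.x on any platform, including Chrome's player on Linux
    if platform == "linux":
        return FIX_LINUX
    if platform in ("windows", "macintosh"):
        # Only the 11.7 branch has its own fix; other pre-12 installs go to 12.0.0.44.
        return FIX_EXTENDED if version[:2] == (11, 7) else FIX_MAIN
    raise ValueError(f"platform not covered by the bulletin: {platform!r}")


def triage(platform, version_text):
    """Classify one install as 'patched', 'affected -> <fix>' or 'unknown'."""
    try:
        version = parse_version(version_text)
        fixed = required_version(platform.lower(), version)
    except ValueError:
        return "unknown"  # unparseable or out-of-scope rows need manual review
    if version >= fixed:
        return "patched"
    return "affected -> " + ".".join(str(n) for n in fixed)


# Constructed inventory: (host, platform, reported Flash Player version)
INVENTORY = [("ws-01", "windows", "12.0.0.43"), ("ws-02", "Windows", "12,0,0,44"),
             ("mac-01", "macintosh", "11.7.700.260"), ("lx-01", "linux", "11.2.202.335"),
             ("lx-02", "linux", "12.0.0.41"), ("kiosk", "windows", "12.0.0")]

if __name__ == "__main__":
    for host, platform, version in INVENTORY:
        print(f"{host:8} {version:14} {triage(platform, version)}")
```

Rows reported as "unknown" are not safe by default; they should be checked by hand using the About Flash Player procedure described earlier in the bulletin.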

Acknowledgments

Adobe would like to thank the following individuals for reporting the relevant
issues and for working with Adobe to help protect our customers:

Alexander Polyakov and Anton Ivanov of Kaspersky Labs (CVE-2014-0497)

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================