===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0728
             Security updates available for Adobe Flash Player
                                14 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Windows
                   OS X
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0520 CVE-2014-0519 CVE-2014-0518
                   CVE-2014-0517 CVE-2014-0516 CVE-2014-0510

Original Bulletin: 
   http://helpx.adobe.com/security/products/flash-player/apsb14-14.html

--------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Release date: May 13, 2014

Vulnerability identifier: APSB14-14

Priority: See table below

CVE number: CVE-2014-0510, CVE-2014-0516, CVE-2014-0517, CVE-2014-0518, 
CVE-2014-0519, CVE-2014-0520

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player 13.0.0.206 and 
earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.356 
and earlier versions for Linux. These updates address vulnerabilities that 
could potentially allow an attacker to take control of the affected system. 
Adobe recommends users update their product installations to the latest 
versions:

- Users of Adobe Flash Player 13.0.0.206 and earlier versions for Windows and 
  Macintosh should update to Adobe Flash Player 13.0.0.214.
- Users of Adobe Flash Player 11.2.202.356 and earlier versions for Linux 
  should update to Adobe Flash Player 11.2.202.359.
- Adobe Flash Player 13.0.0.206 installed with Google Chrome will 
  automatically be updated to the latest Google Chrome version, which will 
  include Adobe Flash Player 13.0.0.214 for Windows, Macintosh and Linux.
- Adobe Flash Player 13.0.0.206 installed with Internet Explorer 10 will 
  automatically be updated to the latest Internet Explorer 10 version, which 
  will include Adobe Flash Player 13.0.0.214 for Windows 8.0.
- Adobe Flash Player 13.0.0.206 installed with Internet Explorer 11 will 
  automatically be updated to the latest Internet Explorer 11 version, which 
  will include Adobe Flash Player 13.0.0.214 for Windows 8.1.
- Users of the Adobe AIR 13.0.0.83 SDK and earlier versions should update to 
  the Adobe AIR 13.0.0.111 SDK.
- Users of the Adobe AIR 13.0.0.83 SDK & Compiler and earlier versions should 
  update to the Adobe AIR 13.0.0.111 SDK & Compiler.

Affected software versions

- Adobe Flash Player 13.0.0.206 and earlier versions for Windows and Macintosh
- Adobe Flash Player 11.2.202.356 and earlier versions for Linux
- Adobe AIR 13.0.0.83 SDK and earlier versions
- Adobe AIR 13.0.0.83 SDK & Compiler and earlier versions

To verify the version of Adobe Flash Player installed on your system, access 
the About Flash Player page, or right-click on content running in Flash Player 
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you 
use multiple browsers, perform the check for each browser you have installed 
on your system.

To verify the version of Adobe AIR installed on your system, follow the 
instructions in the Adobe AIR TechNote.
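
For checking many machines at once, the sketch below compares reported versions against the fixed versions this bulletin lists. It is an added example, not part of the Adobe or AusCERT text; the product and platform keys, host names and inventory rows are constructed for illustration. Browser-embedded players are left out because the bulletin says they are updated with the browser.

```python
# Added example: triage an inventory against the fixed versions in APSB14-14.
# Keys, host names and inventory rows are constructed; versions in FIXED are
# the ones stated in the bulletin.
FIXED = {
    ("flash", "windows"): "13.0.0.214",
    ("flash", "macintosh"): "13.0.0.214",
    ("flash", "linux"): "11.2.202.359",
    ("air-sdk", "windows"): "13.0.0.111",
    ("air-sdk", "macintosh"): "13.0.0.111",
}

def parse_version(text):
    """Turn '13.0.0.83' into (13, 0, 0, 83) so each field compares as a number.

    Comparing the raw strings is wrong: '13.0.0.83' sorts after '13.0.0.111'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part dotted version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(product, platform, installed):
    """Return (status, fixed_version) for one installation."""
    fixed = FIXED.get((product, platform))
    if fixed is None:
        return ("not-covered", None)   # combination not listed in FIXED
    try:
        current = parse_version(installed)
    except ValueError:
        return ("unparseable", fixed)  # needs a manual look, never assume "ok"
    return ("update" if current < parse_version(fixed) else "ok", fixed)

# Constructed inventory rows: host, product, platform, reported version.
INVENTORY = [
    ("ws-01", "flash", "windows", "13.0.0.206"),
    ("ws-02", "flash", "windows", "13.0.0.214"),
    ("lx-01", "flash", "linux", "11.2.202.356"),
    ("lx-02", "flash", "linux", "11.2.202.359"),
    ("dev-01", "air-sdk", "macintosh", "13.0.0.83"),
    ("ws-03", "flash", "windows", "11.7.700.0"),   # old extended-support branch
    ("ws-04", "flash", "windows", "unknown"),
]

def triage(rows):
    return {host: assess(prod, plat, ver) for host, prod, plat, ver in rows}

if __name__ == "__main__":
    for host, (status, fixed) in triage(INVENTORY).items():
        print(f"{host}: {status} (fixed version: {fixed})")
```

The Linux row is checked against 11.2.202.359 rather than 13.0.0.214, which is why the lookup is keyed on platform as well as product.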

Solution

Adobe recommends users update their software installations by following the 
instructions below:

- Adobe recommends users of Adobe Flash Player 13.0.0.206 and earlier versions 
  for Windows and Macintosh update to the newest version 13.0.0.214 by 
  downloading it from the Adobe Flash Player Download Center, or via the update 
  mechanism within the product when prompted.
- Adobe recommends users of Adobe Flash Player 11.2.202.356 and earlier 
  versions for Linux update to Adobe Flash Player 11.2.202.359 by downloading it 
  from the Adobe Flash Player Download Center.
- Adobe Flash Player 13.0.0.206 installed with Google Chrome will 
  automatically be updated to the latest Google Chrome version, which will 
  include Adobe Flash Player 13.0.0.214 for Windows, Macintosh and Linux.
- Adobe Flash Player 13.0.0.206 installed with Internet Explorer 10 will 
  automatically be updated to the latest Internet Explorer 10 version, which 
  will include Adobe Flash Player 13.0.0.214 for Windows 8.0.
- Adobe Flash Player 13.0.0.206 installed with Internet Explorer 11 will 
  automatically be updated to the latest Internet Explorer 11 version, which 
  will include Adobe Flash Player 13.0.0.214 for Windows 8.1.
- Users of the Adobe AIR 13.0.0.83 SDK should update to the Adobe AIR 
  13.0.0.111 SDK.
- Users of the Adobe AIR 13.0.0.83 SDK & Compiler and earlier versions should 
  update to the Adobe AIR 13.0.0.111 SDK & Compiler.

* Beginning May 13, 2014, Adobe Flash Player 13 for Mac and Windows replaces 
version 11.7 as the extended support version. Adobe recommends users upgrade 
to version 13 in order to continue to receive security updates. See this blog 
post for further details:
http://blogs.adobe.com/flashplayer/2014/03/upcoming-changes-to-flash-players-extended-support-release.html

Priority and severity ratings

Adobe categorizes these updates with the following priority ratings and 
recommends users update their installation to the newest version:

Product                     Updated version  Platform                                 Priority rating
Adobe Flash Player          13.0.0.214       Windows and Macintosh                    1
Adobe Flash Player          13.0.0.214       Internet Explorer 10 for Windows 8.0     1
Adobe Flash Player          13.0.0.214       Internet Explorer 11 for Windows 8.1     1
Adobe Flash Player          13.0.0.214       Chrome for Windows, Macintosh and Linux  1
Adobe Flash Player          11.2.202.359     Linux                                    3
Adobe AIR SDK and Compiler  13.0.0.111       Windows and Macintosh                    3
Adobe AIR SDK               13.0.0.111       Windows and Macintosh                    3

These updates address a critical vulnerability in the software.

Details

These updates resolve a use-after-free vulnerability that could result in 
arbitrary code execution (CVE-2014-0510).

These updates resolve a vulnerability that could be used to bypass the same 
origin policy (CVE-2014-0516).

These updates resolve security bypass vulnerabilities (CVE-2014-0517, 
CVE-2014-0518, CVE-2014-0519, CVE-2014-0520).

Affected software                                                              Recommended player update  Availability
Flash Player 13.0.0.206 and earlier versions for Windows and Macintosh         13.0.0.214                 Flash Player Download Center
Flash Player 13.0.0.206 and earlier versions (network distribution)            13.0.0.214                 Flash Player Licensing
Flash Player 11.2.202.356 and earlier for Linux                                11.2.202.359               Flash Player Download Center
Flash Player 13.0.0.206 and earlier for Chrome (Windows, Macintosh and Linux)  13.0.0.214                 Google Chrome Releases
Flash Player 13.0.0.206 and earlier in Internet Explorer 10 for Windows 8.0    13.0.0.214                 Microsoft Security Advisory
Flash Player 13.0.0.206 and earlier in Internet Explorer 11 for Windows 8.1    13.0.0.214                 Microsoft Security Advisory
AIR 13.0.0.83 SDK & Compiler                                                   13.0.0.111                 AIR SDK Download
AIR 13.0.0.83 SDK                                                              13.0.0.111                 AIR SDK Download

Acknowledgments

Adobe would like to thank the following individuals and organizations for 
reporting the relevant issues and for working with Adobe to help protect our 
customers:
- Keen Team and Team 509 working with HP’s Zero Day Initiative (CVE-2014-0510)
- Masato Kinugawa (CVE-2014-0516)
- James Forshaw of Contextis (CVE-2014-0517, CVE-2014-0518, CVE-2014-0519, 
  CVE-2014-0520)

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================