===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0928
             Security updates available for Adobe Flash Player
                               11 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player & Adobe AIR
Publisher:         Adobe
Operating System:  Windows
                   OS X
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0536 CVE-2014-0535 CVE-2014-0534
                   CVE-2014-0533 CVE-2014-0532 CVE-2014-0531

Original Bulletin: 
   http://helpx.adobe.com/security/products/flash-player/apsb14-16.html

--------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Release date: June 10, 2014

Vulnerability identifier: APSB14-16

Priority: See table below

CVE number: CVE-2014-0531, CVE-2014-0532, CVE-2014-0533, CVE-2014-0534, 
CVE-2014-0535, CVE-2014-0536

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player 13.0.0.214 and 
earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359
and earlier versions for Linux. These updates address vulnerabilities that 
could potentially allow an attacker to take control of the affected system. 
Adobe recommends users update their product installations to the latest 
versions:

Users of Adobe Flash Player 13.0.0.214 and earlier versions for Windows and 
Macintosh should update to Adobe Flash Player 14.0.0.125.

Users of Adobe Flash Player 11.2.202.359 and earlier versions for Linux should 
update to Adobe Flash Player 11.2.202.378.

Adobe Flash Player 13.0.0.214 installed with Google Chrome will automatically 
be updated to the latest Google Chrome version, which will include Adobe Flash
Player 14.0.0.125 for Windows, Macintosh and Linux.

Adobe Flash Player 13.0.0.214 installed with Internet Explorer 10 will 
automatically be updated to the latest Internet Explorer 10 version, which 
will include Adobe Flash Player 14.0.0.125 for Windows 8.0.

Adobe Flash Player 13.0.0.214 installed with Internet Explorer 11 will 
automatically be updated to the latest Internet Explorer 11 version, which 
will include Adobe Flash Player 14.0.0.125 for Windows 8.1.

Users of the Adobe AIR 13.0.0.111 SDK and earlier versions should update to 
the Adobe AIR 14.0.0.110 SDK.

Users of the Adobe AIR 13.0.0.111 SDK & Compiler and earlier versions should 
update to the Adobe AIR 14.0.0.110 SDK & Compiler.

Users of Adobe AIR 13.0.0.111 and earlier versions for Android should update 
to Adobe AIR 14.0.0.110.

Users of Adobe AIR 13.0.0.111 and earlier versions for Windows and Macintosh 
should update to Adobe AIR 14.0.0.110.

Affected software versions

Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.359 and earlier versions for Linux
Adobe AIR 13.0.0.111 SDK and earlier versions
Adobe AIR 13.0.0.111 SDK & Compiler and earlier versions
Adobe AIR 13.0.0.111 and earlier versions for Android
Adobe AIR 13.0.0.111 and earlier versions for Windows and Macintosh

To verify the version of Adobe Flash Player installed on your system, access 
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you 
use multiple browsers, perform the check for each browser you have installed 
on your system.

To verify the version of Adobe AIR installed on your system, follow the 
instructions in the Adobe AIR TechNote.

Solution

Adobe recommends users update their software installations by following the 
instructions below:

Adobe recommends users of Adobe Flash Player 13.0.0.214 and earlier versions 
for Windows and Macintosh update to the newest version 14.0.0.125 by 
downloading it from the Adobe Flash Player Download Center, or via the update 
mechanism within the product when prompted.

Adobe recommends users of Adobe Flash Player 11.2.202.359 and earlier versions
for Linux update to Adobe Flash Player 11.2.202.378 by downloading it from the
Adobe Flash Player Download Center.

Adobe Flash Player 13.0.0.214 installed with Google Chrome will automatically 
be updated to the latest Google Chrome version, which will include Adobe Flash 
Player 14.0.0.125 for Windows, Macintosh and Linux.

For users of Flash Player 13.0.0.214 and earlier versions for Windows and
Macintosh, who cannot update to Flash Player 14.0.0.125, Adobe has made 
available Flash Player 13.0.0.223*, which can be downloaded from 
http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.

Adobe Flash Player 13.0.0.214 installed with Internet Explorer 10 will 
automatically be updated to the latest Internet Explorer 10 version, which
will include Adobe Flash Player 14.0.0.125 for Windows 8.0.

Adobe Flash Player 13.0.0.214 installed with Internet Explorer 11 will 
automatically be updated to the latest Internet Explorer 11 version, which 
will include Adobe Flash Player 14.0.0.125 for Windows 8.1.

Users of the Adobe AIR 13.0.0.111 SDK should update to the Adobe AIR 
14.0.0.110 SDK.

Users of the Adobe AIR 13.0.0.111 SDK & Compiler and earlier versions should 
update to the Adobe AIR 14.0.0.110 SDK & Compiler.

Users of Adobe AIR 13.0.0.111 and earlier versions for Android should update 
to Adobe AIR 14.0.0.110.

Users of Adobe AIR 13.0.0.111 and earlier versions for Windows and Macintosh 
should update to Adobe AIR 14.0.0.110.

* Beginning May 13, 2014, Adobe Flash Player 13 for Mac and Windows replaced 
version 11.7 as the extended support version. Adobe recommends users upgrade 
to version 13 in order to continue to receive security updates.  See this blog
post for further details. 
http://blogs.adobe.com/flashplayer/2014/03/upcoming-changes-to-flash-players-extended-support-release.html
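
The version thresholds above, applied to a host inventory. This is an added
example, not code from Adobe or AusCERT; the inventory rows and the
product/platform labels ("flash", "air", "chrome", ...) are assumptions. It
compares versions numerically and per branch, so a patched Linux plugin or
extended support install is not flagged just because it is below 14.0.0.125.

```python
# Added example; thresholds are the fixed versions named in this bulletin.
FLASH_CURRENT = "14.0.0.125"    # Windows, Macintosh, Chrome, IE 10/11
FLASH_EXTENDED = "13.0.0.223"   # extended support release, Windows/Macintosh
FLASH_LINUX = "11.2.202.378"    # Linux plugin
AIR_FIXED = "14.0.0.110"        # AIR runtime and SDK


def parse(version):
    """'13.0.0.214' -> (13, 0, 0, 214) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def fixed_release(product, platform, version):
    """Return the fixed version that applies to this install's branch."""
    if product == "air":
        return AIR_FIXED
    if platform == "linux":
        return FLASH_LINUX
    # A 13.x install on Windows/Macintosh may stay on the extended support branch.
    if platform in ("windows", "macintosh") and parse(version)[0] == 13:
        return FLASH_EXTENDED
    return FLASH_CURRENT


def needs_update(product, platform, version):
    """True when the install is below the fixed release for its branch."""
    return parse(version) < parse(fixed_release(product, platform, version))


def triage(inventory):
    """Return (host, installed, fixed) for every row that still needs the update."""
    return [(host, ver, fixed_release(prod, plat, ver))
            for host, prod, plat, ver in inventory
            if needs_update(prod, plat, ver)]


# Constructed inventory rows: (host, product, platform, installed version).
SAMPLE = [
    ("ws-01", "flash", "windows", "13.0.0.214"),
    ("ws-02", "flash", "windows", "13.0.0.223"),
    ("ws-03", "flash", "macintosh", "13.0.0.99"),
    ("lx-01", "flash", "linux", "11.2.202.378"),
    ("lx-02", "flash", "chrome", "13.0.0.214"),
    ("mob-01", "air", "android", "13.0.0.111"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```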

Priority and severity ratings

Adobe categorizes these updates with the following priority ratings and 
recommends users update their installation to the newest version:

Product                     Updated version  Platform                                 Priority rating

Adobe Flash Player          14.0.0.125       Windows and Macintosh                    1
Adobe Flash Player          14.0.0.125       Internet Explorer 10 for Windows 8.0     1
Adobe Flash Player          14.0.0.125       Internet Explorer 11 for Windows 8.1     1
Adobe Flash Player          14.0.0.125       Chrome for Windows, Macintosh and Linux  1
Adobe Flash Player          11.2.202.378     Linux                                    3
Adobe AIR                   14.0.0.110       Windows, Macintosh and Android           3
Adobe AIR SDK and Compiler  14.0.0.110       Windows, Macintosh, Android and iOS      3
Adobe AIR SDK               14.0.0.110       Windows, Macintosh, Android and iOS      3

These updates address critical vulnerabilities in the software.

Details

These updates resolve cross-site-scripting vulnerabilities (CVE-2014-0531, 
CVE-2014-0532, CVE-2014-0533).

These updates resolve security bypass vulnerabilities (CVE-2014-0534, 
CVE-2014-0535).

These updates resolve a memory corruption vulnerability that could result in 
arbitrary code execution (CVE-2014-0536).

Affected Software                                                              Recommended Player Update  Availability

Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh         14.0.0.125                 Flash Player Download Center
Flash Player 13.0.0.214 and earlier versions (network distribution)            14.0.0.125                 Flash Player Licensing
Flash Player 11.2.202.359 and earlier for Linux                                11.2.202.378               Flash Player Download Center
Flash Player 13.0.0.214 and earlier for Chrome (Windows, Macintosh and Linux)  14.0.0.125                 Google Chrome Releases
Flash Player 13.0.0.214 and earlier in Internet Explorer 10 for Windows 8.0    14.0.0.125                 Microsoft Security Advisory
Flash Player 13.0.0.214 and earlier in Internet Explorer 11 for Windows 8.1    14.0.0.125                 Microsoft Security Advisory
AIR 13.0.0.111 SDK & Compiler and earlier versions                             14.0.0.110                 AIR SDK Download
AIR 13.0.0.111 SDK and earlier versions                                        14.0.0.110                 AIR SDK Download
AIR 13.0.0.111 and earlier versions for Windows and Macintosh                  14.0.0.110                 AIR Download Center
AIR 13.0.0.111 and earlier versions for Android                                14.0.0.110                 Google Play

Acknowledgments

Adobe would like to thank the following individuals and organizations for 
reporting the relevant issues and for working with Adobe to help protect our 
customers:

Erling Ellingsen of Facebook (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533)
Masato Kinugawa (CVE-2014-0534)
Bas Venis (CVE-2014-0535)
Leong Wai-Meng of Trend Micro (CVE-2014-0536)

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================