-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Security Advisory for Adobe Flash Player
5 February 2015
AusCERT Security Bulletin Summary
Product:           Adobe Flash Player
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
CVE Names:         CVE-2015-0313
Comment:           Adobe is aware of reports that this vulnerability is being actively
                   exploited in the wild via drive-by-download attacks against systems
                   running Internet Explorer and Firefox on Windows 8.1 and below.
Revision History:  February 5 2015: Updated to include Flash Player version
                                    delivered via auto-update
                   February 3 2015: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Adobe Security Bulletin
Security Advisory for Adobe Flash Player
Release date: February 2, 2015
Last updated: February 4, 2015
Vulnerability identifier: APSA15-02
CVE number: CVE-2015-0313
Platform: All Platforms
A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player
22.214.171.1246 and earlier versions for Windows and Macintosh. Successful
exploitation could cause a crash and potentially allow an attacker to take
control of the affected system. We are aware of reports that this
vulnerability is being actively exploited in the wild via drive-by-download
attacks against systems running Internet Explorer and Firefox on Windows 8.1
and below.

UPDATE (February 4): Users who have enabled auto-update for the Flash Player
desktop runtime will be receiving version 126.96.36.1995 beginning on February 4.
This version includes a fix for CVE-2015-0313. Adobe expects to have an update
available for manual download on February 5, and we are working with our
distribution partners to make the update available in Google Chrome and
Internet Explorer 10 and 11. For more information on updating Flash Player
please refer to this post.

Affected software versions

Adobe Flash Player 188.8.131.526 and earlier versions for Windows and Macintosh
Adobe Flash Player 184.108.40.2064 and earlier 13.x versions

To verify the version of Adobe Flash Player installed on your system, access
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you
use multiple browsers, perform the check for each browser you have installed
on your system.
Adobe categorizes this as a critical vulnerability.
Adobe would like to thank the following individuals and organizations for
reporting CVE-2015-0313 and for working with Adobe to help protect our
Elia Florio and Dave Weston of Microsoft
Peter Pi of Trend Micro
February 2, 2015 - removed Flash Player version 11.x from the list of affected
versions. Version 11.x and earlier do not support the functionality affected
February 4, 2015 - updated to include Flash Player version delivered via
auto-update
- --------------------------END INCLUDED TEXT--------------------
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----