             AUSCERT External Security Bulletin Redistribution

                 Security Advisory for Adobe Flash Player
                              5 February 2015


        AusCERT Security Bulletin Summary

Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0313  

Original Bulletin: 

Comment: Adobe is aware of reports that this vulnerability is being actively
         exploited in the wild via drive-by-download attacks against systems
         running Internet Explorer and Firefox on Windows 8.1 and below.

Revision History:  February 5 2015: Updated to include Flash Player version 
                                    delivered via auto-update
                   February 3 2015: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security Advisory for Adobe Flash Player

Release date: February 2, 2015

Last updated: February 4, 2015

Vulnerability identifier: APSA15-02

CVE number: CVE-2015-0313

Platform: All Platforms


A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player and earlier versions for Windows and Macintosh. Successful 
exploitation could cause a crash and potentially allow an attacker to take 
control of the affected system. We are aware of reports that this 
vulnerability is being actively exploited in the wild via drive-by-download 
attacks against systems running Internet Explorer and Firefox on Windows 8.1 
and below.

UPDATE (February 4): Users who have enabled auto-update for the Flash Player 
desktop runtime will be receiving version beginning on February 4.
This version includes a fix for CVE-2015-0313. Adobe expects to have an update 
available for manual download on February 5, and we are working with our 
distribution partners to make the update available in Google Chrome and 
Internet Explorer 10 and 11. For more information on updating Flash Player 
please refer to this post.   

Affected software versions

    Adobe Flash Player and earlier versions for Windows and 

    Adobe Flash Player and earlier 13.x versions

To verify the version of Adobe Flash Player installed on your system, access 
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you 
use multiple browsers, perform the check for each browser you have installed 
on your system.

Severity ratings

Adobe categorizes this as a critical vulnerability.


Adobe would like to thank the following individuals and organizations for 
reporting CVE-2015-0313 and for working with Adobe to help protect our 

    Elia Florio and Dave Weston of Microsoft

    Peter Pi of Trend Micro


February 2, 2015 - removed Flash Player version 11.x from the list of affected
versions. Version 11.x and earlier do not support the functionality affected 
by CVE-2015-0313.

February 4, 2015 - updated to include Flash Player version delivered via 

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.