-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.3077
             Security updates available for Adobe Flash Player
                              9 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
                   Adobe AIR
                   Adobe AIR SDK
Publisher:         Adobe
Operating System:  Windows
                   OS X
                   Android
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8455 CVE-2015-8454 CVE-2015-8453
                   CVE-2015-8452 CVE-2015-8451 CVE-2015-8450
                   CVE-2015-8449 CVE-2015-8448 CVE-2015-8447
                   CVE-2015-8446 CVE-2015-8445 CVE-2015-8444
                   CVE-2015-8443 CVE-2015-8442 CVE-2015-8441
                   CVE-2015-8440 CVE-2015-8439 CVE-2015-8438
                   CVE-2015-8437 CVE-2015-8436 CVE-2015-8435
                   CVE-2015-8434 CVE-2015-8433 CVE-2015-8432
                   CVE-2015-8431 CVE-2015-8430 CVE-2015-8429
                   CVE-2015-8428 CVE-2015-8427 CVE-2015-8426
                   CVE-2015-8425 CVE-2015-8424 CVE-2015-8423
                   CVE-2015-8422 CVE-2015-8421 CVE-2015-8420
                   CVE-2015-8419 CVE-2015-8418 CVE-2015-8417
                   CVE-2015-8416 CVE-2015-8415 CVE-2015-8414
                   CVE-2015-8413 CVE-2015-8412 CVE-2015-8411
                   CVE-2015-8410 CVE-2015-8409 CVE-2015-8408
                   CVE-2015-8407 CVE-2015-8406 CVE-2015-8405
                   CVE-2015-8404 CVE-2015-8403 CVE-2015-8402
                   CVE-2015-8401 CVE-2015-8071 CVE-2015-8070
                   CVE-2015-8069 CVE-2015-8068 CVE-2015-8067
                   CVE-2015-8066 CVE-2015-8065 CVE-2015-8064
                   CVE-2015-8063 CVE-2015-8062 CVE-2015-8061
                   CVE-2015-8060 CVE-2015-8059 CVE-2015-8058
                   CVE-2015-8057 CVE-2015-8056 CVE-2015-8055
                   CVE-2015-8054 CVE-2015-8053 CVE-2015-8052
                   CVE-2015-8051 CVE-2015-8050 CVE-2015-8049
                   CVE-2015-8048 CVE-2015-8047 CVE-2015-8045

Reference:         ESB-2015.2862

Original Bulletin: 
   https://helpx.adobe.com/security/products/flash-player/apsb15-32.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Release date: December 8, 2015

Last updated: December 8, 2015

Vulnerability identifier: APSB15-32

Priority: See table below

CVE number: CVE-2015-8045, CVE-2015-8047, CVE-2015-8048, CVE-2015-8049, 
CVE-2015-8050, CVE-2015-8418, CVE-2015-8454, CVE-2015-8455, CVE-2015-8055, 
CVE-2015-8056, CVE-2015-8057, CVE-2015-8058, CVE-2015-8059, CVE-2015-8060, 
CVE-2015-8061, CVE-2015-8062, CVE-2015-8063, CVE-2015-8064, CVE-2015-8065, 
CVE-2015-8066, CVE-2015-8067, CVE-2015-8068, CVE-2015-8069, CVE-2015-8070, 
CVE-2015-8071, CVE-2015-8401, CVE-2015-8402, CVE-2015-8403, CVE-2015-8404, 
CVE-2015-8405, CVE-2015-8406, CVE-2015-8407, CVE-2015-8408, CVE-2015-8409, 
CVE-2015-8410, CVE-2015-8411, CVE-2015-8412, CVE-2015-8413, CVE-2015-8414, 
CVE-2015-8415, CVE-2015-8416, CVE-2015-8417, CVE-2015-8419, CVE-2015-8420, 
CVE-2015-8421, CVE-2015-8422, CVE-2015-8423, CVE-2015-8424, CVE-2015-8425, 
CVE-2015-8426, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8430, 
CVE-2015-8431, CVE-2015-8432, CVE-2015-8433, CVE-2015-8434, CVE-2015-8435, 
CVE-2015-8436, CVE-2015-8437, CVE-2015-8438, CVE-2015-8439, CVE-2015-8440, 
CVE-2015-8441, CVE-2015-8442, CVE-2015-8443, CVE-2015-8444, CVE-2015-8445, 
CVE-2015-8446, CVE-2015-8447, CVE-2015-8448, CVE-2015-8449, CVE-2015-8450, 
CVE-2015-8451, CVE-2015-8452, CVE-2015-8453

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player. These updates 
address critical vulnerabilities that could potentially allow an attacker to 
take control of the affected system.

Affected Versions

Product 						Affected Versions 		Platform

Adobe Flash Player Desktop Runtime 			19.0.0.245 and earlier 		Windows and Macintosh

Adobe Flash Player Extended Support Release 		18.0.0.261 and earlier 		Windows and Macintosh

Adobe Flash Player for Google Chrome 			19.0.0.245 and earlier 		Windows, Macintosh, Linux and ChromeOS

Adobe Flash Player for Microsoft Edge and 
Internet Explorer 11 					19.0.0.245 and earlier 		Windows 10

Adobe Flash Player for Internet Explorer 10 and 11 	19.0.0.245 and earlier 		Windows 8.0 and 8.1

Adobe Flash Player for Linux 				11.2.202.548 and earlier 	Linux

AIR Desktop Runtime 					19.0.0.241 and earlier 		Windows and Macintosh

AIR SDK 						19.0.0.241 and earlier 		Windows, Macintosh, Android and iOS

AIR SDK & Compiler 					19.0.0.241 and earlier 		Windows, Macintosh, Android and iOS

AIR for Android 					19.0.0.241 and earlier 		Android

To verify the version of Adobe Flash Player installed on your system, 
access the About Flash Player page, or right-click on content running in Flash
Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If
you use multiple browsers, perform the check for each browser you have 
installed on your system.

To verify the version of Adobe AIR installed on your system, follow the 
instructions in the Adobe AIR TechNote.

Solution

Adobe categorizes these updates with the following priority ratings and 
recommends users update their installation to the newest version:

Product 								Updated Versions 	Platform 		Priority 	Availability

Adobe Flash Player Desktop Runtime (support for Internet Explorer) 	20.0.0.228		Windows and Macintosh 	1		Flash Player Download Center
																	Flash Player Distribution

Adobe Flash Player Desktop Runtime (support for Firefox and Safari) 	20.0.0.235	 	Windows and Macintosh 	1		Flash Player Download Center
																	Flash Player Distribution

Adobe Flash Player Extended Support Release 				18.0.0.268 		Windows and Macintosh 	1	 	Extended Support

Adobe Flash Player for Google Chrome 					20.0.0.228 		Windows, Macintosh, 
												Linux and ChromeOS 	1 		Google Chrome Releases

Adobe Flash Player for Microsoft Edge and Internet Explorer 11 		20.0.0.228 		Windows 10 		1 		Microsoft Security Advisory

Adobe Flash Player for Internet Explorer 10 and 11 			20.0.0.228 		Windows 8.0 and 8.1	1 		Microsoft Security Advisory

Adobe Flash Player for Linux 						11.2.202.554 		Linux 			3 		Flash Player Download Center

AIR Desktop Runtime 							20.0.0.204 		Windows and Macintosh 	3 		AIR Download Center

AIR SDK 								20.0.0.204 		Windows, Macintosh, 
												Android and iOS 	3 		AIR SDK Download

AIR SDK & Compiler 							20.0.0.204		Windows, Macintosh, 
												Android and iOS 	3		AIR SDK 
Download

AIR for Android 							20.0.0.204 		Android 		3 		Google Play

Adobe recommends users of the Adobe Flash Player Desktop Runtime for 
Windows and Macintosh update to 20.0.0.228 (support for Internet Explorer) and
20.0.0.235 (support for Firefox and Safari) by visiting the Adobe Flash Player
Download Center, or via the update mechanism within the product when prompted
[1].

Adobe recommends users of the Adobe Flash Player Extended Support Release
should update to version 18.0.0.268 by visiting 
http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.

Adobe recommends users of Adobe Flash Player for Linux update to Adobe 
Flash Player 11.2.202.554 by visiting the Adobe Flash Player Download Center.

Adobe Flash Player installed with Google Chrome will be automatically 
updated to the latest Google Chrome version, which will include Adobe Flash 
Player 20.0.0.228 for Windows, Macintosh, Linux and Chrome OS.

Adobe Flash Player installed with Microsoft Edge and Internet Explorer for
Windows 10 will be automatically updated to the latest version, which will 
include Adobe Flash Player 20.0.0.228.

Adobe Flash Player installed with Internet Explorer for Windows 8.x will 
be automatically updated to the latest version, which will include Adobe Flash
Player 20.0.0.228.

Adobe recommends users of the AIR desktop runtime, AIR SDK and AIR SDK & 
Compiler update to version 20.0.0.204 by visiting the AIR download center or 
the AIR developer center.

Please visit the Flash Player Help page for assistance in installing Flash
Player.

[1] Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x
or later for Macintosh, who have selected the option to 'Allow Adobe to 
install updates' will receive the update automatically. Users who do not have
the 'Allow Adobe to install updates' option enabled can install the update via
the update mechanism within the product when prompted.

Vulnerability Details

These updates resolve heap buffer overflow vulnerabilities that could lead
to code execution (CVE-2015-8438, CVE-2015-8446).

These updates resolve memory corruption vulnerabilities that could lead to
code execution (CVE-2015-8444, CVE-2015-8443, CVE-2015-8417, CVE-2015-8416, 
CVE-2015-8451, CVE-2015-8047, CVE-2015-8455, CVE-2015-8045, CVE-2015-8418, 
CVE-2015-8060, CVE-2015-8419, CVE-2015-8408).

These updates resolve security bypass vulnerabilities (CVE-2015-8453, 
CVE-2015-8440, CVE-2015-8409).

These updates resolve a stack overflow vulnerability that could lead to 
code execution (CVE-2015-8407).

These updates resolve a type confusion vulnerability that could lead to 
code execution (CVE-2015-8439).

These updates resolve an integer overflow vulnerability that could lead to
code execution (CVE-2015-8445).

These updates resolve a buffer overflow vulnerability that could lead to 
code execution (CVE-2015-8415)

These updates resolve use-after-free vulnerabilities that could lead to 
code execution (CVE-2015-8050, CVE-2015-8049, CVE-2015-8437, CVE-2015-8450, 
CVE-2015-8449, CVE-2015-8448, CVE-2015-8436, CVE-2015-8452, CVE-2015-8048, 
CVE-2015-8413, CVE-2015-8412, CVE-2015-8410, CVE-2015-8411, CVE-2015-8424, 
CVE-2015-8422, CVE-2015-8420, CVE-2015-8421, CVE-2015-8423, CVE-2015-8425, 
CVE-2015-8433, CVE-2015-8432, CVE-2015-8431, CVE-2015-8426, CVE-2015-8430, 
CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8434, CVE-2015-8435, 
CVE-2015-8414, CVE-2015-8454, CVE-2015-8059, CVE-2015-8058, CVE-2015-8055, 
CVE-2015-8057, CVE-2015-8056, CVE-2015-8061, CVE-2015-8067, CVE-2015-8066, 
CVE-2015-8062, CVE-2015-8068, CVE-2015-8064, CVE-2015-8065, CVE-2015-8063, 
CVE-2015-8405, CVE-2015-8404, CVE-2015-8402, CVE-2015-8403, CVE-2015-8071, 
CVE-2015-8401, CVE-2015-8406, CVE-2015-8069, CVE-2015-8070, CVE-2015-8441, 
CVE-2015-8442, CVE-2015-8447).

Acknowledgments

Adobe would like to thank the following individuals and organizations for 
reporting the relevant issues and for working with Adobe to help protect our 
customers:

Anonymous working with HPE's Zero Day Initiative (CVE-2015-8050, 
CVE-2015-8049, CVE-2015-8437, CVE-2015-8438, CVE-2015-8446)

bee13oy, working with the Chromium Vulnerability Rewards Program 
(CVE-2015-8418)

bilou working with HPE's Zero Day Initiative (CVE-2015-8450, 
CVE-2015-8449, CVE-2015-8448, CVE-2015-8442, CVE-2015-8447, CVE-2015-8445, 
CVE-2015-8439)

Furugawa Nagisa working with HPE's Zero Day Initiative (CVE-2015-8436)

Hui Gao of Palo Alto Networks (CVE-2015-8443, CVE-2015-8444)

instruder of Alibaba Security Threat Information Center (CVE-2015-8060, 
CVE-2015-8408, CVE-2015-8419)

Jie Zeng of Qihoo 360 (CVE-2015-8415, CVE-2015-8416, CVE-2015-8417)

LMX of Qihoo 360 (CVE-2015-8451, CVE-2015-8452)

Natalie Silvanovich of Google Project Zero (CVE-2015-8048, CVE-2015-8413,
CVE-2015-8412, CVE-2015-8410, CVE-2015-8411, CVE-2015-8424, CVE-2015-8422, 
CVE-2015-8420, CVE-2015-8421, CVE-2015-8423, CVE-2015-8425, CVE-2015-8433, 
CVE-2015-8432, CVE-2015-8431, CVE-2015-8426, CVE-2015-8430, CVE-2015-8427, 
CVE-2015-8428, CVE-2015-8429, CVE-2015-8434)

Nicolas Joly of Microsoft Security (CVE-2015-8414, CVE-2015-8435)

VUPEN working with HPE's Zero Day Initiative (CVE-2015-8453)

willJ of Tencent PC Manager (CVE-2015-8407)

Yuki Chen of Qihoo 360 Vulcan Team (CVE-2015-8454, CVE-2015-8059, 
CVE-2015-8058, CVE-2015-8055, CVE-2015-8057, CVE-2015-8056, CVE-2015-8061, 
CVE-2015-8067, CVE-2015-8066, CVE-2015-8062, CVE-2015-8068, CVE-2015-8064, 
CVE-2015-8065, CVE-2015-8063, CVE-2015-8405, CVE-2015-8404, CVE-2015-8402, 
CVE-2015-8403, CVE-2015-8071, CVE-2015-8401, CVE-2015-8406, CVE-2015-8069, 
CVE-2015-8070, CVE-2015-8440, CVE-2015-8409, CVE-2015-8047, CVE-2015-8455, 
CVE-2015-8045, CVE-2015-8441)

Revisions

December 8, 2015: Removed CVE-2015-8051, CVE-2015-8052 and CVE-2015-8053 (all
were previously assigned). Added CVE-2015-8418 (replacement for 
CVE-2015-8051), CVE-2015-8454 (replacement for CVE-2015-8052) and 
CVE-2015-8455 (replacement for CVE-2015-8053). Also removed CVE-2015-8054, 
which was mistakenly included in the original bulletin.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVmfQKn6ZAP0PgtI9AQJtLQ/9H92dz/8mpYeENygFJ3jCvIKsvALEW5gK
sZyZ+CiqNuvEw+HpW3Aj3ErHG3HPRAW8y1a0jfLpJOn8O92CQUBRqgHZ5ivwwWzq
A2V5XW0c/BrHJz4IRyk84ZrhoZ4vB1FWskAap9NkaIsMdwOq6TgsMoZzrOVaCunw
X0vm8AIgFSXGGsfGjE2/oT2IkuZdtt/mI6xQuKDxW8THkOG0Ka4tPWYshbUV/AxH
spPD7rdwvRPixQ64it0rwf01bvuPtUN+KvGbXLDkiD/0RnmdztTERxs/5EFQnEKC
1YRptsI/sZvdhuOVf8IrW/jK1SdGWADTEZs7ni8cDCgukwCEb4+WMr9GTyt8WaLH
3gDbw5vYY/9wXc6zCW2OSU6gQBuTUHR4IgQUgho0+JDblAwrlu8Vh2a4fAeRmD2U
DoUWYCXq58ryJupYJzFbEFGW7uiJjabrGQOK3I9cEMEm6xvet3AZyzApEW/GzyLX
czHsQscrg2NiHmJY7IjZuUNjoJIYrlbv366blPGQxxWD9RAAcBFjU7qlOSlwXtQM
tAUxzcbZvj5LSrG/DzFsdi7H3UmTeeAZDFrumtyEdnzGo2x3UdBZdjroch+unAup
VRsuoVcNWG05VQmqCX0mfC/iq5e8VvxEQO6FR6GTBnz+8bVBOduYyDo7keaMETSx
EsdBviH/IbA=
=hHkR
-----END PGP SIGNATURE-----