ESB-2012.0771 - ALERT [Win][Linux][Mac][OSX] Adobe Flash Player: Execute arbitrary code/commands - Remote with user interaction

Date: 15 August 2012
References: ASB-2012.0116  ESB-2012.0784  ESB-2012.0814  ESB-2012.0909  ESB-2014.0321  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0771
             Security update available for Adobe Flash Player
                              15 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
Publisher:         Adobe
Operating System:  Linux variants
                   Mac OS X
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-1535  

Original Bulletin: 
   http://www.adobe.com/support/security/bulletins/apsb12-18.html

Comment: There are reports of this vulnerability being exploited in the wild.

--------------------------BEGIN INCLUDED TEXT--------------------

Security update available for Adobe Flash Player

Release date: August 14, 2012

Vulnerability identifier: APSB12-18

Priority: See table below

CVE number: CVE-2012-1535

Platform: Windows, Macintosh and Linux

SUMMARY

Adobe has released security updates for Adobe Flash Player 11.3.300.270 and
earlier versions for Windows, Macintosh and Linux. These updates address a
vulnerability (CVE-2012-1535) that could cause the application to crash and
potentially allow an attacker to take control of the affected system.

There are reports that the vulnerability is being exploited in the wild in
limited targeted attacks, distributed through a malicious Word document. The
exploit targets the ActiveX version of Flash Player for Internet Explorer on
Windows.

Adobe recommends users update their product installations to the latest
versions:

Users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and
Macintosh should update to Adobe Flash Player 11.3.300.271.

Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should
update to Adobe Flash Player 11.2.202.238.

Flash Player installed with Google Chrome will be updated automatically, so no 
user action is required. Google Chrome users can verify that they have updated
to Google Chrome version 21.0.1180.79.

AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and
Linux operating systems

To verify the version of Adobe Flash Player installed on your system, access
the About Flash Player page, or right-click on content running in Flash Player
and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use
multiple browsers and did not select the option to 'Allow Adobe to install
updates' (Windows and Macintosh only), perform the check for each browser you
have installed on your system.

Note: Adobe Flash Player for Android is not affected by the vulnerability
addressed in this update.
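
As an added example (not part of the Adobe bulletin or AusCERT's text), the following Python compares an inventory of installed Flash Player versions against the fixed versions listed above, so an administrator can tell which hosts still carry an affected build; the platform keys, hostnames and sample inventory are constructed here and are not data from the bulletin.

```python
from typing import Dict, List, Tuple

# Fixed versions published in APSB12-18 (page data). For Chrome the
# bulletin gives the browser build that ships the updated plugin.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "windows": (11, 3, 300, 271),
    "macintosh": (11, 3, 300, 271),
    "linux": (11, 2, 202, 238),
    "chrome": (21, 0, 1180, 79),
}
NOT_AFFECTED = {"android"}  # explicitly excluded by the bulletin

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.3.300.270' into (11, 3, 300, 270); ValueError on junk."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(platform: str, installed: str) -> str:
    """Return 'patched', 'vulnerable', 'not_affected' or 'unknown'."""
    key = platform.strip().lower()
    if key in NOT_AFFECTED:
        return "not_affected"
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        return "unknown"
    try:
        current = parse_version(installed)
    except ValueError:
        return "unknown"  # unparseable strings are flagged for manual review
    # Tuple comparison is lexicographic, so 11.3.300.270 < 11.3.300.271
    # and any build at or above the fixed version counts as patched.
    return "patched" if current >= fixed else "vulnerable"

def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (hostname, platform, version) rows, list hosts still exposed."""
    return [host for host, plat, ver in inventory
            if assess(plat, ver) == "vulnerable"]

# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "11.3.300.270"),    # last vulnerable Windows build
    ("ws-02", "Windows", "11.3.300.271"),    # patched
    ("mac-01", "Macintosh", "11.2.202.233"), # older branch, still vulnerable
    ("lx-01", "Linux", "11.2.202.238"),      # patched
    ("lx-02", "Linux", "11.2.202.236"),      # vulnerable
    ("tab-01", "Android", "11.1.115.7"),     # not affected per the bulletin
]
```

Hosts reported as "unknown" (unrecognised platform or unparseable version) should be checked by hand via the About Flash Player page described above rather than treated as patched.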

SOLUTION

Adobe recommends users update their software installations by following the
instructions below:

Adobe recommends that users of Adobe Flash Player 11.3.300.270 and earlier
versions for Windows and Macintosh update to the newest version, 11.3.300.271,
by downloading it from the Adobe Flash Player Download Center. Users of Flash
Player 11.2.x or later for Windows and Flash Player 11.3.x for Macintosh who
have selected the option to 'Allow Adobe to install updates' will receive the
update automatically. Windows and Macintosh users who do not have the 'Allow
Adobe to install updates' option enabled can install the update via the update
mechanism within the product when prompted.

Flash Player installed with Google Chrome will be updated automatically, so no
user action is required. Google Chrome users can verify that they have updated
to Google Chrome version 21.0.1180.79.

Adobe recommends that users of Adobe Flash Player 11.2.202.236 and earlier
versions for Linux update to Adobe Flash Player 11.2.202.238 by downloading it
from the Adobe Flash Player Download Center.

PRIORITY AND SEVERITY RATINGS

Adobe categorizes these updates with the following priority ratings and
recommends users update their installations to the newest versions:

Product              Updated Version   Platform    Priority Rating
Adobe Flash Player   11.3.300.271      Windows     1
Adobe Flash Player   11.3.300.271      Macintosh   2
Adobe Flash Player   11.2.202.238      Linux       2

These updates address a critical vulnerability in the software.

DETAILS

Affected software                                                 Recommended player update   Availability
Flash Player 11.3.300.270 and earlier for Windows and Macintosh   11.3.300.271                Flash Player Download Center
Flash Player 11.3.300.270 and earlier - network distribution      11.3.300.271                Flash Player Licensing
Flash Player 11.2.202.236 and earlier for Linux                   11.2.202.238                Flash Player Download Center
Flash Player 11.3.300.270 and earlier for Chrome users            11.3.300.271                Google Chrome Releases

ACKNOWLEDGMENTS

Adobe would like to thank Alexander Gavrun through iDefense's Vulnerability
Contributor Program for reporting this issue (CVE-2012-1535) and for working
with Adobe to help protect our customers.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================