Reference: CERT-EU Security Advisory 2011-0004

Title: Adobe emergency patch for multiple Flash Player vulnerabilities

Version history:
22.09.2011 Initial publication


Summary
=======
Adobe announced[1] the availability of a patch for multiple critical
vulnerabilities found in Flash Player.

Impacted systems include Windows, Macintosh, Linux, Solaris (10.3.183.7 and
earlier Flash Player versions) and Android (10.3.186.6 and earlier Flash
Player versions).

The patch is assessed as CRITICAL by Adobe and addresses the following
security issues CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429,
CVE-2011-2430, CVE-2011-2444.

These vulnerabilities can lead to the remote control of affected system,
denial of service and data leakage.
Note that it has been reported that one of the vulnerabilities is currently
being exploited in the wild (CVE-2011-2444[2]). The attack vectors are emails
with a malicious link that triggers a universal cross-site scripting exploit
at clicking. This attack allows to take action with the affected user
privileges on other websites or webmail if the user visits a malicious
website.


What can you do?
================
The patch is available from Adobe[1].
Make sure that the browsers from the different vendors you use are updated.
You can verify the installed version in a browser via Adobe website [3]. Note
that you have to visit this page with all the browsers of the different
vendors to verify the installed version.


What to tell your users?
========================
This patch does not concern the end users. Only the system
administrators need to take action.


More information
================
[1] Adobe Security bulletin
http://www.adobe.com/support/security/bulletins/apsb11-26.html

[2] Vulnerability CVE-2011-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2444

[3] http://www.adobe.com/software/flash/about/