Reference: CERT-EU Security Advisory 2013-0025

Title: Security Updates Available for Adobe Flash Player [1]

Version history:
27.02.2013 Initial publication

Summary
=======

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser.

CVE Names:
CVE-2013-0648 CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) [2]
CVE-2013-0643 CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) [3]
CVE-2013-0504 CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) [4]

Vulnerable systems
==================

Adobe Flash Player 11.6.602.168 and earlier versions for Windows
Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh
Adobe Flash Player 11.2.202.270 and earlier versions for Linux

What can you do?
================

Adobe recommends users update their software installations by following the instructions below:

Adobe recommends users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh update to the newest version 11.6.602.171 by downloading it from the Adobe Flash Player Download Center.

Users of Flash Player 11.2.x or later for Windows, and users of Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

For users of Flash Player 10.3.183.63 and earlier versions for Windows and Flash Player 10.3.183.61 and earlier versions for Macintosh, who cannot update to Flash Player 11.6.602.171, Adobe has made available the update Flash Player 10.3.183.67, which can be downloaded here.

Adobe recommends users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux update to Adobe Flash Player 11.2.202.273 by downloading it from the Adobe Flash Player Download Center.

For users of Flash Player 10.3.183.61 and earlier versions for Linux, who cannot update to Flash Player 11.2.202.273, Adobe has made available the update Flash Player 10.3.183.67, which can be downloaded here.

Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux.

Adobe Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.6.602.171 for Windows.

What to tell your users?
========================

Normal security best practices apply. In particular, tell your Web users to be cautious about attachments and about following links to sites that are provided by unfamiliar or suspicious sources.

Users should not click on links in suspicious emails and should immediately forward any suspicious email to the respective IT security officer / contact in your institution.

More information
================

[1] https://www.adobe.com/support/security/bulletins/apsb13-08.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0648
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0643
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0504

Best regards,
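
Added example (not part of the CERT-EU advisory or of any Adobe tooling): a Python triage helper that applies the version thresholds from "Vulnerable systems" and "What can you do?" to a software inventory. The platform labels, function names and the sample inventory rows are assumptions made for this example; treating 10.3.x builds against the 10.3 threshold only is also an assumption.

```python
# Thresholds transcribed from the advisory text above.
# Tuple layout: (last affected 11.x, fixed 11.x, last affected 10.3, fixed 10.3)
ADVISORY = {
    "windows":   ("11.6.602.168", "11.6.602.171", "10.3.183.63", "10.3.183.67"),
    "macintosh": ("11.6.602.167", "11.6.602.171", "10.3.183.61", "10.3.183.67"),
    "linux":     ("11.2.202.270", "11.2.202.273", "10.3.183.61", "10.3.183.67"),
}

def parse_version(text):
    """Turn '11.6.602.168' into (11, 6, 602, 168) so fields compare as numbers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(platform, installed):
    """Return (affected, preferred_update, fallback_update_or_None)."""
    last_bad, fixed, legacy_bad, legacy_fixed = ADVISORY[platform.lower()]
    v = parse_version(installed)
    # Assumption: a 10.3.x build is judged against the 10.3 threshold only, so
    # the patched 10.3.183.67 is not flagged merely for sorting below 11.x.
    threshold = legacy_bad if v[:2] == (10, 3) else last_bad
    if v > parse_version(threshold):
        return (False, None, None)
    # The 10.3.183.67 fallback is offered only to builds at or below the
    # advisory's 10.3 threshold (hosts that cannot move to the 11.x line).
    fallback = legacy_fixed if v <= parse_version(legacy_bad) else None
    return (True, fixed, fallback)

def triage(inventory):
    """Map host -> assessment for 'host,platform,version' rows."""
    report = {}
    for row in inventory.strip().splitlines():
        host, platform, version = (f.strip() for f in row.split(","))
        try:
            report[host] = assess(platform, version)
        except (KeyError, ValueError) as exc:  # unknown platform or bad version
            report[host] = ("unknown", str(exc), None)
    return report

# Constructed sample inventory; hostnames are invented for this example.
SAMPLE = """
ws-01,Windows,11.6.602.168
ws-02,Windows,11.6.602.171
mac-01,Macintosh,11.6.602.167
lnx-01,Linux,11.2.202.270
lnx-02,Linux,10.3.183.67
old-01,Windows,10.3.183.63
bad-01,Windows,11.6.602
"""

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

Flash Player bundled with Google Chrome or Internet Explorer 10 is updated through the browser, so those installs should be tracked by browser version rather than through this check.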