Reference: CERT-EU Security Advisory 2011-0012

Title: Adobe Flash Player - Multiple Vulnerabilities

Version history:
11.11.2011 Initial publication

Summary
=======

Critical vulnerabilities have been identified in Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.0.1.153 and earlier versions for Android. [1]

CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460

Severity Level[3]:
CVSS2 Base      6.8/10
Remote          Yes
Local           No
Credibility     Vendor Confirmed
Ease            No Exploit Available
Authentication  Not Required

This issue is fixed in:
Adobe Flash Player 11.1.102.55 (for Windows, Macintosh, Linux and Solaris)
Adobe Flash Player 11.1.102.59 (for Android)
Adobe AIR 3.1.0.4880

Potential impact
================

These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Vulnerable Systems
==================

Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 11.0.1.153 and earlier versions for Android
Adobe AIR 3.0 and earlier versions for Windows, Macintosh, and Android

What can you do?
================

Solutions: Updates are available.[2,3,4]

Mitigating Strategies
=====================

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, run the application with the minimal amount of privileges required for functionality.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.

What to tell your users?
========================

Standard security best practices apply:

Do not accept or execute files from untrusted or unknown sources.
To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.

Do not follow links provided by unknown or untrusted sources.
To reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.

More information
================

[1] http://www.adobe.com/support/security/bulletins/apsb11-28.html
[2] http://get.adobe.com/flashplayer/
[3] https://market.android.com/details?id=com.adobe.flashplayer&hl=en
[4] http://get.adobe.com/air/
[5] CVSS details:
    CVSS Version 2 Scores
    CVSS2 Base             6.8
    CVSS2 Temporal         5
    CVSS2 Base Vector      AV:N/AC:M/Au:N/C:P/I:P/A:P
    CVSS2 Temporal Vector  E:U/RL:OF/RC:C
    More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383