Reference: CERT-EU Security Advisory 2012-0142

Title: Security Updates Available for Adobe Flash Player [1]

Version history:
12.12.2012 Initial publication

Summary
=======

Adobe has released security updates for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.251 and earlier versions for Linux, Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

These updates address critical vulnerabilities in the software.

CVE numbers[4]: CVE-2012-5676, CVE-2012-5677, CVE-2012-5678

Vulnerable systems
==================

- Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh
- Adobe Flash Player 11.2.202.251 and earlier versions for Linux
- Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x
- Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x
- Adobe AIR 3.5.0.600 and earlier versions for Windows and Macintosh, Android and SDK (includes AIR for iOS)

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page[2], or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote[3].

Original Details
================

- These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2012-5676).
- These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-5677).
- These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-5678).

What can you do?
================

Adobe recommends users update their product installations to the latest versions[1]:

- Users of Adobe Flash Player 11.5.502.110 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.135.
- Users of Adobe Flash Player 11.5.502.110 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.136.
- Users of Adobe Flash Player 11.2.202.251 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.258.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.5 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.377.15.
- Users of Adobe Flash Player 11.1.115.27 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.34.
- Users of Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.29.
- Users of Adobe AIR 3.5.0.600 for Windows should update to Adobe AIR 3.5.0.880.
- Users of Adobe AIR 3.5.0.600 for Macintosh should update to Adobe AIR 3.5.0.890.
- Users of the Adobe AIR 3.5.0.600 SDK (includes AIR for iOS) should update to the Adobe AIR 3.5.0.880 SDK (Windows) or the Adobe AIR 3.5.0.890 SDK (Macintosh).

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about opening attachments and following links to sites that are provided by unfamiliar or suspicious sources.

Users should not click on links in suspicious emails and should immediately forward any suspicious email to the respective IT security officer / contact in their institution.

More information
================

[1] http://www.adobe.com/support/security/bulletins/apsb12-24.html
[2] http://www.adobe.com/products/flash/about/
[3] http://helpx.adobe.com/air/kb/determine-version-air-runtime.html
[4] http://cve.mitre.org/

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
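
The per-platform update targets listed under "What can you do?", turned into an inventory check. This is an added example, not part of the CERT-EU advisory or of Adobe's tooling; the channel labels and the inventory rows are constructed. Versions are compared numerically and per channel, because the Chrome and Internet Explorer 10 builds carry lower numbers than the standalone Windows fix and a plain string comparison misorders fields such as 99 and 258.

```python
# Added example. Fixed versions are copied from the advisory text; the channel
# labels and the inventory rows are constructed for illustration.
FIXED = {
    ("flash", "windows"): "11.5.502.135",
    ("flash", "macintosh"): "11.5.502.136",
    ("flash", "linux"): "11.2.202.258",
    ("flash", "chrome"): "11.5.31.5",
    ("flash", "ie10-win8"): "11.3.377.15",
    ("flash", "android-4.x"): "11.1.115.34",
    ("flash", "android-3.x-2.x"): "11.1.111.29",
    ("air", "windows"): "3.5.0.880",
    ("air", "macintosh"): "3.5.0.890",
}

def parse_version(text):
    """Turn '11.5.502.110' into (11, 5, 502, 110) so fields compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(product, channel, installed):
    """Classify one installation against the fixed build for its own channel."""
    fixed = FIXED.get((product, channel))
    if fixed is None:
        return "not-covered"  # the advisory names no fixed build for this channel
    try:
        current = parse_version(installed)
    except ValueError:
        return "unparseable"  # send to manual review instead of guessing
    return "ok" if current >= parse_version(fixed) else "update-required"

# Constructed inventory rows: (host, product, channel, installed version).
INVENTORY = [
    ("ws-01", "flash", "windows", "11.5.502.110"),
    ("ws-02", "flash", "windows", "11.5.502.135"),
    ("ws-03", "flash", "ie10-win8", "11.3.377.15"),  # fixed, though below 11.5.x
    ("ws-04", "flash", "chrome", "11.5.31.5"),
    ("lx-01", "flash", "linux", "11.2.202.99"),      # "99" > "258" as strings
    ("ph-01", "air", "android", "3.5.0.600"),        # no fixed build listed
    ("ws-05", "flash", "windows", "11.5.502.x"),
]

def report(rows):
    """Map each host to its status."""
    return {host: assess(p, c, v) for host, p, c, v in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:6} {status}")
```

Rows reported as not-covered or unparseable need a manual check against the Adobe bulletin[1] rather than being treated as patched.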