-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reference: CERT-EU Security Advisory 2012-0046 Title: Multiple vulnerabilities in Adobe Flash Player [1] Version history: 29.03.2012 Initial publication Summary ======= Adobe has released a patch for two vulnerabilities found in the Flash Player product. This update resolves: - - a memory corruption vulnerability related to URL security domain checking that could lead to code execution (ActiveX, Windows 7 or Vista only) (CVE-2012-0772). - - a memory corruption vulnerability in the NetStream class that could lead to code execution (CVE-2012-0773). These vulnerabilities may lead to unauthorised access to the targeted system or cause a denial of service (memory corruption). The vendor has assessed these vulnerabilities as CRITICAL. CVSS v2 Base Score: 9.0 (CRITICAL) (AV:N/AC:M/Au:N/C:C/I:C/A:P)[4] Vulnerable systems ================== Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x Adobe AIR 3.1.0.4880 and earlier versions for Windows, Macintosh and Android *Note: Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x are not affected by these issues. To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system. To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x. To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote. Original Details ================ CVE-2012-0772 An unspecified ActiveX control in Adobe Flash Player before 10.3.183.18 and 11.x before 11.2.202.228, and AIR before 3.2.0.2070, on Windows does not properly perform URL security domain checking, which allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors. CVE-2012-0773 The NetStream class in Adobe Flash Player before 10.3.183.18 and 11.x before 11.2.202.228 on Windows, Mac OS X, and Linux; Flash Player before 10.3.183.18 and 11.x before 11.2.202.223 on Solaris; Flash Player before 11.1.111.8 on Android 2.x and 3.x; and AIR before 3.2.0.2070 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. What can you do? ================ Fix is available [1]. What to tell your users? ======================== Normal security best practices apply. Especially, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users are to be aware not to click on the link in suspicious emails; to immediately forward the suspicious email to the respective IT security officer / contact in your institution. More information ================ [1] http://www.adobe.com/support/security/bulletins/apsb12-07.html [2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0772 [3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0773 [4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html Best regards, CERT-EU CERT-EU Pre-configuration Team (http://cert.europa.eu) Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383 (DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source . Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJPdHIxAAoJEPpzpNLI8SVoiRgQAKRp3avHpP3brCYyV3zP9TUg QybMba5YbOi/JRhdsHJbT8Vwt50AFdwVhP91riEFxFFtkQOlPVrHmgYooM8A8KuA E8uBxSSg692jc1M+3a22S6BCpD1CDgujSO80annJNN30tq61FOfkmxI7wrbUK1c4 m06RP/CWnEqWjG9R9ZYvFrxoG5Xq8NsuDUkV8dUsxMJDiX3yEAWiBdst2EH12Zgn SHWs2BZQKTtiZuAOd90tQGOCvLpC80B9Usvv3YXbavVFR6fqbdFlVPHzO7fw8svi MB1O5rFdXfng6N4hAzM2GrF7ZKLdpZ/2DboIDoJMSNYph6Ar5zW6HvYtEbhqJ+3D weObbq2T97TBun4A3VbSOxrZPoqNXj+/8ci1g1AngQ2CVBy92qQJb/ilK1bhYSzX 0NCZH+Dyrc9sZ86igpaaxFj6dSDwsJjyYyKqdgEChu/khmdZdbgrqfeAdaUOf3Cs ikAn+Wf4Q4wjrtgLYpe+K1BnaG+3id44tH30cWuKZ1VxEnJjZqif7ogTF1UhBfz0 0CMVdcBaWmUbYJNI+DHKp/jxXt4KnI0ULSFJE1Ny7dA1ih3x77lJea1h0466Kblu JrdhttAmDoOQn3CJ9/b3ECdFEFsMl/40fABvdIKLwcw63NGJy3V4BNQKJMfq86tb wd49MA52epUrYqO/twA8 =G6+q -----END PGP SIGNATURE-----