Reference: CERT-EU Security Advisory 2012-0019

Title: Adobe Flash Player - Multiple Vulnerabilities [1]

Version history:
16.02.2012 Initial publication

Summary
=======

Critical vulnerabilities have been identified in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x.

CVE-2012-0751, CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756, CVE-2012-0767

Severity Level: CVSS2 Base 10/10 (CRITICAL) (AV:N/AC:L/Au:N/C:P/I:P/A:P) [2]

Potential impact
================

The vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website.

ATTENTION: There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only).

Vulnerable Systems
==================

Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems

Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

What can you do?
================

Install updated versions [1]

What to tell your users?
========================

Standard security best practices apply:

Do not accept or execute files from untrusted or unknown sources. To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.

Do not follow links provided by unknown or untrusted sources. To reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.

More information
================

[1] http://www.adobe.com/support/security/bulletins/apsb12-03.html
[2] More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
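
The affected ranges listed under "Vulnerable Systems" can be checked against a software inventory. The following Python code is an added example, not part of the CERT-EU advisory: the thresholds are the "and earlier" versions quoted in the advisory, while the host names and inventory rows are constructed. Versions are compared field by field as integers, since a plain string comparison would wrongly rank 11.1.102.6 above 11.1.102.55.

```python
# Added example: inventory triage against the versions named in the advisory.
import re

# Highest affected version per platform, as quoted in the advisory text.
DESKTOP_MAX = (11, 1, 102, 55)     # Windows, Macintosh, Linux, Solaris
ANDROID_4_MAX = (11, 1, 112, 61)   # Android 4.x
ANDROID_OLD_MAX = (11, 1, 111, 5)  # Android 3.x and 2.x
DESKTOP = {"windows", "macintosh", "linux", "solaris"}

def parse_version(text):
    """Turn '11.1.102.55' (or '11,1,102,55') into a 4-tuple of ints."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # '11.1' -> (11, 1, 0, 0)

def threshold_for(platform, os_version=""):
    """Return the advisory's highest affected version, or None if not covered."""
    name = platform.strip().lower()
    if name in DESKTOP:
        return DESKTOP_MAX
    if name == "android":
        major = os_version.strip().split(".")[0]
        if major == "4":
            return ANDROID_4_MAX
        if major in ("2", "3"):
            return ANDROID_OLD_MAX
    return None

def is_affected(platform, flash_version, os_version=""):
    """True or False for covered platforms, None when out of scope."""
    limit = threshold_for(platform, os_version)
    return None if limit is None else parse_version(flash_version) <= limit

# Constructed inventory rows: (host, platform, OS version, Flash version).
INVENTORY = [
    ("ws-01", "Windows", "", "11.1.102.55"),
    ("ws-02", "Windows", "", "11.1.102.6"),       # numerically below .55
    ("mac-01", "Macintosh", "", "11.0.1.152"),
    ("tab-01", "Android", "4.0.3", "11.1.112.61"),
    ("ph-01", "Android", "2.3.6", "11.1.111.6"),  # above the 2.x/3.x limit
]

def triage(rows):
    """Return hosts whose Flash Player version falls in the affected range."""
    return [h for h, plat, osv, ver in rows if is_affected(plat, ver, osv)]

print(triage(INVENTORY))
```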