Reference: CERT-EU Security Advisory 2011-0004

Title: Adobe emergency patch for multiple Flash Player vulnerabilities

Version history:
22.09.2011 Initial publication

Summary
=======

Adobe announced[1] the availability of a patch for multiple critical vulnerabilities found in Flash Player. Impacted systems include Windows, Macintosh, Linux, Solaris (10.3.183.7 and earlier Flash Player versions) and Android (10.3.186.6 and earlier Flash Player versions).

The patch is assessed as CRITICAL by Adobe and addresses the following security issues: CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429, CVE-2011-2430, CVE-2011-2444. These vulnerabilities can lead to remote control of the affected system, denial of service and data leakage.

Note that it has been reported that one of the vulnerabilities is currently being exploited in the wild (CVE-2011-2444[2]). The attack vector is an email containing a malicious link that triggers a universal cross-site scripting exploit when clicked. This attack allows an attacker to take actions with the affected user's privileges on other websites or webmail if the user visits a malicious website.

What can you do?
================

The patch is available from Adobe[1]. Make sure that the browsers from the different vendors you use are updated. You can verify the installed version in a browser via the Adobe website[3]. Note that you have to visit this page with each browser from the different vendors to verify the installed version.

What to tell your users?
========================

This patch does not concern the end users. Only the system administrators need to take action.

More information
================

[1] Adobe Security bulletin http://www.adobe.com/support/security/bulletins/apsb11-26.html
[2] Vulnerability CVE-2011-2444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2444
[3] http://www.adobe.com/software/flash/about/
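
Added example (not part of the CERT-EU advisory): a Python check that compares inventoried Flash Player versions, recorded per browser, against the last affected versions given in the Summary. The inventory rows, host names, status labels and accepted version-string formats are assumptions constructed for illustration.

```python
import re

# Last affected versions per platform, as stated in the advisory's Summary.
LAST_AFFECTED = {
    "windows": (10, 3, 183, 7), "macintosh": (10, 3, 183, 7),
    "linux": (10, 3, 183, 7), "solaris": (10, 3, 183, 7),
    "android": (10, 3, 186, 6),
}

def parse_version(text):
    """Extract a four-part version from '10.3.183.7' or 'WIN 10,3,183,7' (assumed formats)."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(platform, version_text):
    """True = affected, False = newer than the last affected version, None = platform not listed."""
    limit = LAST_AFFECTED.get(platform.strip().lower())
    if limit is None:
        return None
    # Compare field by field as integers: as strings, "10.3.183.10" sorts before "10.3.183.7".
    return parse_version(version_text) <= limit

def audit(inventory):
    """Return {(host, browser): status}; each browser is checked separately, as the advisory asks."""
    labels = {True: "affected", False: "not affected", None: "unknown platform"}
    report = {}
    for host, browser, platform, version in inventory:
        try:
            report[(host, browser)] = labels[is_affected(platform, version)]
        except ValueError:
            report[(host, browser)] = "unparseable"  # needs a manual check
    return report

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-001", "Internet Explorer", "Windows", "WIN 10,3,183,7"),
    ("ws-001", "Firefox", "Windows", "10.3.183.10"),
    ("tab-07", "Android Browser", "Android", "10.3.186.6"),
    ("srv-03", "Firefox", "Solaris", "10.2.159.1"),
    ("kiosk-2", "Firefox", "FreeBSD", "10.3.183.7"),
    ("ws-009", "Chrome", "Windows", "unknown"),
]

if __name__ == "__main__":
    for (host, browser), status in audit(SAMPLE).items():
        print(f"{host:8} {browser:18} {status}")
```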