Reference: CERT-EU Security Advisory 2012-0019

Title: Adobe Flash Player - Multiple Vulnerabilities [1]

Version history:
16.02.2012 Initial publication
07.03.2012 Active exploit of CVE-2012-0754. Updates are marked with NEW !!

Summary
=======

Critical vulnerabilities have been identified in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x.

CVE-2012-0751, CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756, CVE-2012-0767

Severity Level: CVSS2 Base 10/10 (CRITICAL) (AV:N/AC:L/Au:N/C:P/I:P/A:P) [2]

Potential impact
================

The vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website.

ATTENTION: There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only).

NEW !! There are reports that CVE-2012-0754 is also being exploited in targeted attacks. [3]

Installing the updated version is strongly recommended.

Vulnerable Systems
==================

Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems

Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

What can you do?
================

Install updated versions [1]

What to tell your users?
========================

Standard security best practices apply:

Do not accept or execute files from untrusted or unknown sources. To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.

Do not follow links provided by unknown or untrusted sources. To reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.

More information
================

[1] http://www.adobe.com/support/security/bulletins/apsb12-03.html
[2] More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html
[3] http://threatpost.com/en_us/blogs/attackers-target-cve-2012-0754-adobe-flash-bug-030512

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
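Added example (not part of the CERT-EU advisory): a small triage helper that applies the version limits from the "Vulnerable Systems" section to an asset inventory. The function names, the inventory layout and the sample rows are assumptions made for illustration; version strings may be dotted or comma-separated, and records that cannot be classified are returned as None for manual review.

```python
import re

# Last vulnerable build per branch, from the advisory's "Vulnerable Systems" section.
LAST_VULNERABLE = {
    "desktop": (11, 1, 102, 55),    # Windows, Macintosh, Linux, Solaris
    "android4": (11, 1, 112, 61),   # Android 4.x
    "android2_3": (11, 1, 111, 5),  # Android 3.x and 2.x
}
DESKTOP = {"windows", "macintosh", "linux", "solaris"}

def parse_version(text):
    """Return a 4-tuple from '11.1.102.55' or 'WIN 11,1,102,55', else None."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def branch_for(platform, android_os=None):
    """Map a platform (plus Android OS version) to one of the advisory's branches."""
    platform = (platform or "").strip().lower()
    if platform in DESKTOP:
        return "desktop"
    if platform == "android" and android_os:
        major = android_os.strip().split(".")[0]
        if major == "4":
            return "android4"
        if major in ("2", "3"):
            return "android2_3"
    return None  # unknown platform, or Android without a usable OS version

def is_vulnerable(platform, flash_version, android_os=None):
    """True/False per the advisory; None when the record needs manual review."""
    branch = branch_for(platform, android_os)
    version = parse_version(flash_version)
    if branch is None or version is None:
        return None
    return version <= LAST_VULNERABLE[branch]

# Constructed inventory rows: (host, platform, reported Flash version, Android OS).
INVENTORY = [
    ("ws-01", "Windows", "WIN 11,1,102,55", None),
    ("ws-02", "Linux", "11.1.102.56", None),
    ("ph-01", "Android", "11.1.112.61", "4.0.3"),
    ("ph-02", "Android", "11.1.111.6", "2.3.6"),
    ("kiosk", "Windows", "unknown", None),
]

def triage(rows):
    """Return {host: True | False | None} for every inventory row."""
    return {host: is_vulnerable(p, v, os_) for host, p, v, os_ in rows}
```

Hosts mapped to True need the update referenced in [1]; hosts mapped to None should be checked by hand rather than assumed safe.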