-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0130
Title: Security Updates Available for Adobe Flash Player [1]
Version history: 19.11.2012 Initial publication

Summary
=======

Adobe has released security updates for Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. These updates address critical vulnerabilities in the software.

CVE numbers: CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5278, CVE-2012-5279, CVE-2012-5280

Vulnerable systems
==================

Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.243 and earlier versions for Linux
Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x
Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x
Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (includes AIR for iOS) and Android

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page [2], or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system. To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x. To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote [3].
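When checking an inventory of reported builds against the "X and earlier" ranges above, the usual mistake is to compare version strings lexically, which ranks "11.10.0.0" below "11.4.402.287". The following is an added example, not part of the CERT-EU advisory or any Adobe tool; the platform labels, the function names and the sample inventory are assumptions constructed for the illustration, while the threshold builds are those listed in the Vulnerable systems section.

```python
# Added example (not part of the CERT-EU advisory): decide whether a reported
# Flash Player / AIR build falls inside the "X and earlier" ranges listed above.
# Versions are compared as integer tuples, because a plain string comparison
# would wrongly rank "11.10.0.0" below "11.4.402.287".
from typing import Iterable, List, Tuple

# Last affected build per platform, taken from the "Vulnerable systems" section.
# The platform labels are assumptions made for this example.
LAST_AFFECTED = {
    "flash-windows-mac": "11.4.402.287",
    "flash-linux": "11.2.202.243",
    "flash-android-4": "11.1.115.20",
    "flash-android-2-3": "11.1.111.19",
    "air": "3.4.0.2710",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.4.402.287' into (11, 4, 402, 287); reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, installed: str) -> bool:
    """True when `installed` is at or below the last affected build for `platform`."""
    if platform not in LAST_AFFECTED:
        raise KeyError(f"unknown platform {platform!r}")
    return parse_version(installed) <= parse_version(LAST_AFFECTED[platform])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts whose reported build is still affected.
    `inventory` is an iterable of (host, platform, version) triples."""
    return [host for host, platform, version in inventory if is_affected(platform, version)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ws-01", "flash-windows-mac", "11.4.402.287"),  # last affected build
        ("ws-02", "flash-windows-mac", "11.5.502.110"),  # already updated
        ("srv-03", "flash-linux", "11.2.202.243"),
        ("tab-04", "flash-android-4", "11.1.115.27"),
        ("dev-05", "air", "3.4.0.2710"),
    ]
    for host in triage(sample):
        print(f"{host}: still running an affected build, update required")
```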
Original Details
================

These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5280).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-5279).

These updates resolve a security bypass vulnerability that could lead to code execution (CVE-2012-5278).

What can you do?
================

Adobe recommends users update their product installations to the latest versions [1]:

Users of Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.110.
Users of Adobe Flash Player 11.2.202.243 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.251.
Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.2 for Windows, Macintosh and Linux.
Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.376.12 for Windows.
Users of Adobe Flash Player 11.1.115.20 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.27.
Users of Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and earlier should update to Flash Player 11.1.111.24.
Users of Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (including AIR for iOS) and Android should update to Adobe AIR 3.5.0.600.

What to tell your users?
========================

Normal security best practices apply. In particular, inform your web users to be cautious about attachments and about following links to sites provided by unfamiliar or suspicious sources.
Users should be made aware not to click on links in suspicious emails, and to immediately forward any such email to the IT security officer / contact in your institution.

More information
================

[1] http://www.adobe.com/support/security/bulletins/apsb12-24.html
[2] http://www.adobe.com/products/flash/about/
[3] http://helpx.adobe.com/air/kb/determine-version-air-runtime.html
[4] http://cve.mitre.org/

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html