Tech Talk

[Flash click-jacking exploit]

FYI...

Flash click-jacking exploit...
- https://isc.sans.edu/diary.html?storyid=11857
Last Updated: 2011-10-21 - "... a blog post about a vulnerability in Flash that allows for a click jacking attack to turn on the clients camera and microphone. The attack is conceptually similar to the original click jacking attack presented in 2008. Back then Flash adjusted the control panel. The original attack "framed" the entire Flash control page. To prevent the attack, Adobe added frame busting code to the settings page. Feross' attack doesn't frame the entire page, but instead includes just the SWF file used to adjust the settings, bypassing the frame busting javascript in the process.

Update: Adobe fixed the problem. The fix does not require any patches for client side code. Instead, adobe modified the control page and applet that users load from Adobe's servers. Details from Adobe:
- http://blogs.adobe.com/psirt/2011/10/clickjacking-issue-in-adobe-flash-player-settings-manager.html
"... We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website..."
> http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
___

- http://blogs.adobe.com/psirt/2011/10/next-quarterly-security-update-for-adobe-reader-and-acrobat.html
October 21, 2011 - "The next quarterly security update for Adobe Reader and Acrobat has been rescheduled for January 10, 2012."

 

[UNIX Adobe Reader v9.4.6 released]

FYI...

UNIX Adobe Reader v9.4.6 released
- https://www.adobe.com/support/security/bulletins/apsb11-24.html
Revisions:
November 7, 2011 - Added information on UNIX version
October 21, 2011 - Changed date of next quarterly security update from December 13, 2011 to new scheduled date of January 10, 2012
September 21, 2011 - Added information on Security Bulletin APSB11-26
September 19, 2011 - Added additional Acknowledgment for CVE-2011-2438
September 13, 2011 - Bulletin released
"... Adobe categorizes these as critical updates...
Adobe recommends users of Adobe Reader 9.4.5 and earlier versions for UNIX update to Adobe Reader 9.4.6... Adobe Reader users on UNIX can find the appropriate update here:
http://preview.tinyurl.com/7x6ywwz ..."

 

[Shockwave v11.6.3.633 released]

FYI...

Shockwave v11.6.3.633 released
- https://www.adobe.com/support/security/bulletins/apsb11-27.html
November 8, 2011
CVE number: CVE-2011-2446, CVE-2011-2447, CVE-2011-2448, CVE-2011-2449
Platform: Windows and Macintosh
Summary: Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.1.629 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and earlier versions update to Adobe Shockwave Player 11.6.3.633... available here:
- http://get.adobe.com/shockwave/ ..."
___

- http://www.securitytracker.com/id/1026288
Date:  Nov 8 2011
CVE Reference: CVE-2011-2446, CVE-2011-2447, CVE-2011-2448, CVE-2011-2449
Impact: Execution of arbitrary code via network, User access via network
Version(s): 11.6.1.629 and prior
... The vendor has issued a fix (11.6.3.633)...

- https://secunia.com/advisories/46667/
Release Date: 2011-11-09
Criticality level: Highly critical
Impact: System access
Where: From remote ...
... vulnerabilities are reported in versions 11.6.1.629 and prior.
Solution: Update to version 11.6.3.633...

 

[Flash Player v11.1.102.55 || AIR v3.1.0.4880 released]

FYI...

Flash Player v11.1.102.55 || AIR v3.1.0.4880 released
- https://www.adobe.com/support/security/bulletins/apsb11-28.html
November 10, 2011 - "Critical vulnerabilities have been identified in Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.0.1.153 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.55. Users of Adobe Flash Player 11.0.1.153 and earlier versions for Android should update to Adobe Flash Player 11.1.102.59 for Android.
Users of Adobe AIR 3.0 for Windows, Macintosh, and Android should update to Adobe AIR 3.1.0.4880...
For users who cannot update to Flash Player 11.1.102.55, Adobe has developed a patched version of Flash Player 10, Flash Player 10.3.183.11*...
- http://kb2.adobe.com/cps/142/tn_14266.html
Users of Adobe Flash Player 11.0.1.153 and earlier versions for Android should update to Adobe Flash Player 11.1.102.59 for Android by browsing to the Android Marketplace on an Android device."
CVE number: CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460
Platform: All Platforms

Release notes: http://kb2.adobe.com/cps/923/cpsid_92359.html#main_new_features
___

Flash downloads: https://www.adobe.com/special/products/flashplayer/fp_distribution3.html
Flash Player 11 (64 bit)
IE: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_active_x_64bit.exe
Flash Player 11 (32 bit)
IE: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
Firefox, other Plugin-based browsers: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
*Flash v10.3.183.11:
IE:
http://download.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_10_active_x.exe
Firefox v3.6.x, some other browsers:
http://download.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_10.exe

Flash test site: http://www.adobe.com/software/flash/about/
___

AIR latest version is available here: http://get.adobe.com/air/
___

- https://secunia.com/advisories/46818/
Release Date: 2011-11-11
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote...
... vulnerabilities are reported in the following products:
* Adobe Flash Player versions 11.0.1.152 and prior for Windows, Macintosh, Linux, and Solaris
* Adobe Flash Player versions 11.0.1.153 and prior for Android
* Adobe AIR versions 3.0 for Windows, Macintosh, and Android
Solution: Update to a fixed version.
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb11-28.html

- http://www.securitytracker.com/id/1026314
Date: Nov 11 2011
Impact: Execution of arbitrary code via network, User access via network...
Fix Available: Yes...
Version: 11.0.1.152 and prior...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2445
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2450
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2451
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2452
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2453
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2454
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2455
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2456
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2457
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2458
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2459
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2460
CVSS v2 Base Score: 10.0 (HIGH)
"... Flash Player before 10.3.183.11 and 11.x before 11.1.102.55..."

.

[Adobe Flex SDK security update available]

FYI...

Adobe Flex SDK security update available
- https://www.adobe.com/support/security/bulletins/apsb11-25.html
CVE number: CVE-2011-2461
Platform: Windows, Macintosh and Linux
November 30, 2011 - "... An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems:
 All Web-based (-not- AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A and 3.6) may be vulnerable.
 Web-based (-not- AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5 and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable.
 Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) are not vulnerable; however, there are rare cases in which they may be vulnerable.  To determine whether an application is vulnerable, customers should use the SWF patching tool described in the tech note*.
This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided as outlined in the tech note* ..."
* http://www.adobe.com/go/flexsecuritytechnote
___

- https://secunia.com/advisories/47053/
Release Date: 2011-12-01
Impact: Cross Site Scripting
Where: From remote
CVE Reference: CVE-2011-2461
Original Advisory: Adobe (APSB11-25):
http://www.adobe.com/support/security/bulletins/apsb11-25.html
http://kb2.adobe.com/cps/915/cpsid_91544.html

- http://www.securitytracker.com/id/1026361
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2461
Date: Dec 1 2011
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Adobe Flex application, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has issued a fix. The vendor recommends that users verify their SWF applications to ensure they are not affected.
The vendor's advisory is available at:
http://www.adobe.com/support/security/bulletins/apsb11-25.html

 

[ColdFusion - hotfix]

FYI...

ColdFusion - hotfix...
- https://www.adobe.com/support/security/bulletins/apsb11-29.html
December 13, 2011
CVE number: CVE-2011-2463, CVE-2011-4368
"Summary: Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to a cross-site scripting attack. Adobe recommends users update their product installation...
Affected software versions: ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote:
- http://kb2.adobe.com/cps/925/cpsid_92512.html ..."

- http://www.securitytracker.com/id/1026405
Dec 13 2011

 

[Adobe Reader/Acrobat v9.4.7 released]

FYI...

- https://www.adobe.com/support/security/bulletins/apsb12-01.html
January 6, 2012 - "Adobe is planning to release updates for Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh to resolve critical security issues. These updates will include fixes for CVE-2011-2462 and CVE-2011-4369... available on Tuesday, January 10, 2012..."
___

Adobe Reader/Acrobat v9.4.7 released
- https://www.adobe.com/support/security/bulletins/apsb11-30.html
Release date: December 16, 2011
CVE numbers:
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2462
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4369
CVSS v2 Base Score: 10.0 (HIGH)
"... Reader and Acrobat 9.x before 9.4.7... as exploited in the wild in December 2011..."
"... updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows. Adobe recommends users of Adobe Reader 9.4.6 and earlier... update to Adobe Reader 9.4.7. Adobe recommends users of Adobe Acrobat 9.4.6 and earlier... update to Adobe Acrobat 9.4.7... Users can utilize the product's update mechanism..."
___

- http://www.symantec.com/security_response/threatconlearn.jsp
Updated: Dec 21 - "... For the period of December 8, 2011 through December 20, 2011, Symantec intelligence products have detected a total of -780- attempted exploits of CVE-2011-2462*..."
___

- https://secunia.com/advisories/47133/
Last Update: 2011-12-16
Criticality level: Extremely critical
Solution: Update to version 9.4.7 for Windows. Fixes are scheduled for Adobe Reader/Acrobat X and Adobe Reader for Unix 9.x for January 10, 2012...

- http://h-online.com/-1397440
17 December 2011

 

[Adobe Black Tuesday]

FYI...

Adobe Black Tuesday
- https://isc.sans.edu/diary.html?storyid=12364
Last Updated: 2012-01-10 19:38:39 UTC - "Adobe has released 1 bulletin today (Reader & Acrobat:  Update to 10.1.2 or 9.5) ...
- http://www.adobe.com/support/security/bulletins/apsb12-01.html
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2462 - 10.0 (HIGH)
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4369 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2470 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4371 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4372 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4373 - 7.5 (HIGH)
Critical ... Users can utilize the product's update mechanism... Help > Check for Updates..."

- https://secunia.com/advisories/45852/
Last Update: 2012-01-16
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Update to version 9.5 or 10.1.2.

 

[Shockwave Player v11.6.4.634 released]

FYI...

Shockwave Player v11.6.4.634 released
- https://www.adobe.com/support/security/bulletins/apsb12-02.html
Feb 14, 2012
CVE number: CVE-2012-0757, CVE-2012-0758, CVE-2012-0759, CVE-2012-0760, CVE-2012-0761, CVE-2012-0762, CVE-2012-0763, CVE-2012-0764, CVE-2012-0766
- http://web.nvd.nist.gov/view/vuln/search - (ALL rated CVSS Severity: 10.0 HIGH)
Platform: Windows and Macintosh
Summary: This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.3.633 and earlier versions update to Adobe Shockwave Player 11.6.4.634
... available here: http://get.adobe.com/shockwave/ .

Security update available for RoboHelp for Word
* https://www.adobe.com/support/security/bulletins/apsb12-04.html
February 14, 2012
CVE number: CVE-2012-0765
Platform: Windows
Summary: This update addresses an important vulnerability in RoboHelp 9 (or -8-) for Word on Windows. A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word. Adobe recommends users update their product installation using the instructions (at the URL above*)...

 

[Flash Player v11.1.102.62 released]

FYI...

Flash Player v11.1.102.62 released
- https://www.adobe.com/support/security/bulletins/apsb12-03.html
Feb 15, 2012
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0751
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0752
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0753
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0754
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0755
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0756
( -ALL- CVSS v2 Base Score: 10.0 HIGH )
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0767 - 4.3  Last revised: 02/25/2012
Platform: All Platforms
Summary: This update addresses critical vulnerabilities in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only). Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6... For users who cannot update to Flash Player 11.1.102.62, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.15...

Download
>> https://www.adobe.com/products/flashplayer/distribution3.html

- https://market.android.com/details?id=com.adobe.flashplayer&hl=en
Flash Player Android...
___

- https://secunia.com/advisories/48033/
Release Date: 2012-02-16
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
...  reportedly being actively exploited in targeted attacks.
Original Advisory:
http://www.adobe.com/support/security/bulletins/apsb12-03.html

- http://www.securitytracker.com/id/1026694
Date: Feb 16 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network...

 

[Flash Player v11.1.102.63 critical update]

FYI...

Flash Player v11.1.102.63 critical update
- https://www.adobe.com/support/security/bulletins/apsb12-05.html
March 5, 2012
CVE number:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0768 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0769 - 5.0
Platform: All Platforms
Summary: "These priority 2 updates address critical vulnerabilities in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.63. Users of Adobe Flash Player 11.1.115.6 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.7. Users of Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.7... For users who cannot update to Flash Player 11.1.102.63, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.16..."
___

Download:

The normal distribution site has been updated to the latest versions (@ 3.06.2012 15:45est):
- https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/
___

- https://secunia.com/advisories/48281/
Release Date: 2012-03-06
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote...
Solution: Update to a fixed version...

- http://www.securitytracker.com/id/1026761
Date: Mar 6 2012
CVE Reference: CVE-2012-0768, CVE-2012-0769
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): prior to 11.1.102.63; prior to 11.1.111.7 and 11.1.115.7 for Android

   

[Red Hat updt - Flash-plugin]

FYI...

Red Hat updt - Flash-plugin
- https://secunia.com/advisories/48295/
Release Date: 2012-03-07
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Software: Red Hat Enterprise Linux Desktop Supplementary (v. 6), Linux Server Supplementary (v. 6), Linux Workstation Supplementary (v. 6), RHEL Desktop Supplementary (v. 5 client), RHEL Supplementary (v. 5 server)
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0768 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0769 - 5.0
Original Advisory: RHSA-2012:0359-01:
https://rhn.redhat.com/errata/RHSA-2012-0359.html
"... upgrades Flash Player to version 10.3.183.16..."

 

[ColdFusion security update - Hotfix available]

FYI...

ColdFusion security update - Hotfix available
- https://www.adobe.com/support/security/bulletins/apsb12-06.html
March 13, 2012 - "... important vulnerability in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. This vulnerability could lead to a denial of service attack using a hash algorithm collision. Adobe has provided a solution to address the reported vulnerability. It is recommended that users update their product installation using the instructions provided in the "Solution" section... This update resolves a denial of service attack using a hash algorithm collision ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0770 )...
Affected software versions: ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote: http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html ..."

- https://secunia.com/advisories/48393/
Release Date: 2012-03-14

 

[Flash Player v11.2.202.228 released]

FYI...

Flash Player v11.2.202.228 released
- https://www.adobe.com/support/security/bulletins/apsb12-07.html
March 28, 2012
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0772 - 10.0 (HIGH)
Last revised: 03/29/2012
"Summary: An unspecified ActiveX control in Adobe Flash Player before 10.3.183.18 and 11.x before 11.2.202.228, and AIR before 3.2.0.2070..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0773 - 10.0 (HIGH)
Last revised: 03/29/2012
"Summary: The NetStream class in Adobe Flash Player before 10.3.183.18 and 11.x before 11.2.202.228, and AIR before 3.2.0.2070..."
Platform: All Platforms
Summary: These priority 2 updates address critical vulnerabilities in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system...
Solution: Adobe recommends users of Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.228... Users of Adobe Flash Player 11.1.102.63 and earlier versions for Solaris should update to Adobe Flash Player 11.2.202.223... Windows users and users of Adobe Flash Player 10.3.183.16 or later for Macintosh can install the update via the update mechanism within the product when prompted. For users who cannot update to Flash Player 11.2.202.228, Adobe has developed a patched version of Flash Player 10.3, Flash Player 10.3.183.18... Android 3.x and earlier versions should update to Flash Player 11.1.111.8 by browsing to the Android Marketplace on an Android device. Users of Adobe AIR 3.1.0.4880 for Windows, Macintosh and Android should update to Adobe AIR 3.2.0.2070...

Download: https://www.adobe.com/products/flashplayer/distribution3.html

AIR 3.2.0.2070: AIR Download Center: http://get.adobe.com/air/

Android Marketplace: https://play.google.com/store/apps/details?id=com.adobe.flashplayer&hl=en

Android Marketplace: https://play.google.com/store/apps/details?id=com.adobe.air

Release Notes | Flash Player 11.2, AIR 3.2:
- http://helpx.adobe.com/flash-player/release-note/release-notes-flash-player-11_20120305.html
___

Flash test site: http://www.adobe.com/software/flash/about/
___

Critical Security Update for Adobe Flash Player
- http://atlas.arbor.net/briefs/index#-330930387
Severity: High Severity
Published: Wednesday, March 28, 2012 19:20
Adobe releases a critical update for Flash Player, and also rolls in a more functional automatic update process.
Analysis: Flash has been hit hard by malware authors and use for all sorts of attacks. In the past, it's patching mechanism has been flawed and difficult to use, especially for the average computer user. Their new background update function* should make this easier.
Source: https://krebsonsecurity.com/2012/03/critical-security-update-for-adobe-flash-player-2/
* http://download.windowssecrets.com/images/wsn/W20120329-PW-Flash.jpg

Flash Player / AIR vulns...
- https://secunia.com/advisories/48623/
Release Date: 2012-03-29
Criticality level: Highly critical
Impact: System access
Where: From remote...
CVE Reference(s): CVE-2012-0772, CVE-2012-0773
Solution: Update to a fixed version...
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb12-07.html

- http://www.securitytracker.com/id/1026859
CVE Reference: CVE-2012-0772, CVE-2012-0773
Date: Mar 28 2012
Impact: Execution of arbitrary code via network, User access via network
Version(s): 11.1.102.63 and prior versions...
Solution: The vendor has issued a fix (11.2.202.228 for Windows, Mac, and Linux; 11.2.202.223 for Solaris; 11.1.111.8 for Android 3.x).

 

[Adobe Reader/Acrobat security updates available]

FYI...

Adobe Reader/Acrobat security updates available
- https://www.adobe.com/support/security/bulletins/apsb12-08.html#Ratings
April 10, 2012
CVE numbers: CVE-2012-0774, CVE-2012-0775, CVE-2012-0776, CVE-2012-0777
"... Adobe released security updates for Adobe Reader X (10.1.2) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Linux, and Adobe Acrobat X (10.1.2) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader X (10.1.2) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.3). For users of Adobe Reader 9.5 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.3), Adobe has made available the update Adobe Reader 9.5.1. Adobe recommends users of Adobe Reader 9.4.6 and earlier versions for Linux update to Adobe Reader 9.5.1. Adobe recommends users of Adobe Acrobat X (10.1.2) for Windows and Macintosh update to Adobe Acrobat X (10.1.3). Adobe recommends users of Adobe Acrobat 9.5 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.5.1...
Solution: Adobe recommends users update their software installations by following the instructions below:
- Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
- Adobe Reader users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
- Adobe Reader users on Macintosh can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
- Adobe Reader users on Linux can find the appropriate update here: ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/
- Adobe Acrobat: Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
- Acrobat Standard and Pro users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
- Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
- Acrobat Pro users on Macintosh can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh ..."
___

- http://www.securitytracker.com/id/1026908
Date: Apr 10 2012
CVE Reference: CVE-2012-0774, CVE-2012-0775, CVE-2012-0776, CVE-2012-0777
Impact: Execution of arbitrary code via network, User access via network
Version(s): 9.5 and prior versions; 10.1.2 and prior versions

- https://secunia.com/advisories/48733/
Release Date: 2012-04-11
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote...
... more information:
- https://secunia.com/advisories/48033/
- https://secunia.com/advisories/48281/
- https://secunia.com/advisories/48623/
Solution: Apply updates...