CERT RENATER advisories

Date: Thu, 16 Feb 2012 15:12:47 +0100
Type: VULN
Subject: CERT-Renater : 2012/VULN082 (Adobe : Security update available for Adobe Flash Player)
====================================================================
                                          CERT-Renater

                              Information Note No. 2012/VULN082
_____________________________________________________________________

DATE                : 16/02/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Adobe Flash Player versions prior to
                          11.1.102.62 (Windows, Macintosh, Linux, Solaris),
                          11.1.115.6 for Android 4.x,
                          11.1.111.6 for Android 3.x and 2.x.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb12-03.html
_______________________________________________________________________

Security update available for Adobe Flash Player

Release date: February 15, 2012

Vulnerability identifier: APSB12-03

CVE number: CVE-2012-0751, CVE-2012-0752, CVE-2012-0753, CVE-2012-0754,
CVE-2012-0755, CVE-2012-0756, CVE-2012-0767

Platform: All Platforms

SUMMARY

This update addresses critical vulnerabilities in Adobe Flash Player
11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris,
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and
Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and
2.x. These vulnerabilities could cause a crash and potentially allow an
attacker to take control of the affected system. This update also
resolves a universal cross-site scripting vulnerability that could be
used to take actions on a user's behalf on any website or webmail
provider, if the user visits a malicious website. There are reports
that this vulnerability (CVE-2012-0767) is being exploited in the wild
in active targeted attacks designed to trick the user into clicking on
a malicious link delivered in an email message (Internet Explorer on
Windows only).

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier
versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash
Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier
versions on Android 4.x devices should update to Adobe Flash Player
11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions
for Android 3.x and earlier versions should update to Flash Player
11.1.111.6.


AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh,
Linux and Solaris operating systems; Adobe Flash Player 11.1.112.61 and
earlier versions for Android 4.x; and Adobe Flash Player 11.1.111.5 and
earlier versions for Android 3.x and 2.x.

To verify the version of Adobe Flash Player installed on your system,
access the About Flash Player page, or right-click on content running in
Flash Player and select "About Adobe (or Macromedia) Flash Player" from
the menu. If you use multiple browsers, perform the check for each
browser you have installed on your system.

To verify the version of Adobe Flash Player for Android, go to Settings >
Applications > Manage Applications > Adobe Flash Player x.x.

SOLUTION

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier
versions for Windows, Macintosh, Linux and Solaris update to the newest
version 11.1.102.62 by downloading it from the Adobe Flash Player Download
Center.

Windows users and users of Adobe Flash Player 10.3.83.14 or later for
Macintosh can install the update via the update mechanism within the
product when prompted.

For users who cannot update to Flash Player 11.1.102.62, Adobe has
developed a patched version of Flash Player 10.x, Flash Player 10.3.83.14,
which can be downloaded here.

Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x
devices should update to Adobe Flash Player 11.1.115.6 by browsing to the
Android Marketplace on an Android device. Users of Adobe Flash Player
11.1.111.5 and earlier versions for Android 3.x and earlier versions should
update to Flash Player 11.1.111.6 by browsing to the Android Marketplace
on an Android device.
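A defender turning this bulletin into an inventory check has to encode one fixed version per branch rather than a single threshold, because the patched 10.3.83.14 build is numerically older than 11.1.102.62 yet is not affected. This Python example is added here and is not part of the CERT-Renater or Adobe advisory; the platform labels and the sample inventory are constructed.

```python
"""Triage an inventory of Flash Player installs against APSB12-03.
Thresholds are the fixed versions the bulletin names: 11.1.102.62 on
desktop, the patched 10.x build 10.3.83.14 for users who cannot move
to 11.x, 11.1.115.6 for Android 4.x and 11.1.111.6 for Android 3.x/2.x."""
from typing import List, Tuple

DESKTOP = ("windows", "macintosh", "linux", "solaris")  # constructed labels
DESKTOP_FIXED = (11, 1, 102, 62)
DESKTOP_10X_PATCHED = (10, 3, 83, 14)  # 10.x is safe only on this build
ANDROID4_FIXED = (11, 1, 115, 6)
ANDROID3_2_FIXED = (11, 1, 111, 6)


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.1.102.55' -> (11, 1, 102, 55); reject anything but four ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Flash Player version: {text!r}")
    return parts


def is_vulnerable(platform: str, version: str) -> bool:
    """True if this install is still affected by APSB12-03."""
    v = parse_version(version)
    if platform in DESKTOP:
        if v[0] == 10:
            # A plain '< 11.1.102.62' test would wrongly flag 10.3.83.14.
            return v < DESKTOP_10X_PATCHED
        return v < DESKTOP_FIXED
    if platform == "android4":
        return v < ANDROID4_FIXED
    if platform in ("android3", "android2"):
        return v < ANDROID3_2_FIXED
    raise ValueError(f"unknown platform: {platform!r}")


# Constructed sample inventory: (host, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "11.1.102.55"),    # affected desktop build
    ("ws-02", "windows", "11.1.102.62"),    # already fixed
    ("mac-01", "macintosh", "10.3.83.14"),  # patched 10.x branch
    ("lnx-01", "linux", "10.3.83.10"),      # older 10.x, affected
    ("tab-01", "android4", "11.1.112.61"),  # affected Android 4.x build
    ("ph-01", "android2", "11.1.111.6"),    # fixed Android 2.x build
]


def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Hostnames whose installed Flash Player is still affected."""
    return [h for h, plat, ver in inventory if is_vulnerable(plat, ver)]
```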


SEVERITY RATING

Adobe categorizes these as critical updates and recommends users update
their installations to the newest versions.


DETAILS

This update addresses critical vulnerabilities in Adobe Flash Player
11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris,
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and
Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and
2.x. These vulnerabilities could cause a crash and potentially allow an
attacker to take control of the affected system. This update also resolves a
universal cross-site scripting vulnerability that could be used to take
actions on a user's behalf on any website or webmail provider, if the user
visits a malicious website. There are reports that this vulnerability
(CVE-2012-0767) is being exploited in the wild in active targeted attacks
designed to trick the user into clicking on a malicious link delivered in
an email message (Internet Explorer on Windows only).

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier
versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash
Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier
versions on Android 4.x devices should update to Adobe Flash Player
11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions
for Android 3.x and earlier versions should update to Flash Player
11.1.111.6.

This update resolves a memory corruption vulnerability that could lead to
code execution (Windows ActiveX control only) (CVE-2012-0751).

This update resolves a type confusion memory corruption vulnerability that
could lead to code execution (CVE-2012-0752).

This update resolves an MP4 parsing memory corruption vulnerability that
could lead to code execution (CVE-2012-0753).

This update resolves a memory corruption vulnerability that could lead to
code execution (CVE-2012-0754).

This update resolves a security bypass vulnerability that could lead to
code execution (CVE-2012-0755).

This update resolves a security bypass vulnerability that could lead to
code execution (CVE-2012-0756).

This update resolves a universal cross-site scripting vulnerability that
could be used to take actions on a user's behalf on any website or webmail
provider, if the user visits a malicious website (CVE-2012-0767).


Affected software                        Recommended player update  Availability
---------------------------------------  -------------------------  ---------------------------------------------------
Flash Player 11.1.102.55 and earlier     11.1.102.62                Flash Player Download Center
Flash Player 11.1.102.55 and earlier -   11.1.102.62                Flash Player Licensing
  network distribution
Flash Player 11.1.112.61 and earlier     11.1.115.6                 Android Marketplace (browse to on an Android device)
  for Android 4.x
Flash Player 11.1.111.5 and earlier      11.1.111.6                 Android Marketplace (browse to on an Android device)
  for Android 3.x and 2.x
Flash Player 11.1.102.55 and earlier     11.1.102.62                Google Chrome Releases
  for Chrome users


ACKNOWLEDGMENTS

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect
our customers:

Xu Liu of Fortinet's FortiGuard Labs (CVE-2012-0751)
Bo Qu of Palo Alto Networks (CVE-2012-0752)
Alexander Gavrun through TippingPoint's Zero Day Initiative (CVE-2012-0753,
   CVE-2012-0754)
Eduardo Vela Nava of the Google Security Team (CVE-2012-0755)
Google (CVE-2012-0767)


======================================================================

=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================

[An attachment of type application/pkcs7-signature was included here]