English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Adobe Flash Player Two Vulnerabilities


Secunia ID

SA48281

CVE-ID

CVE-2012-0768, CVE-2012-0769

Release Date

06 Mar 2012

Last Change

10 Apr 2012

Criticality

Highly Critical

Solution Status

Vendor Patch

Software

Adobe Flash Player 10.x
Adobe Flash Player 11.x

Where

From remote

Impact
System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Description

Some vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to gain knowledge of potentially sensitive information or compromise a user's system.

1) An unspecified error in Matrix3D can be exploited to corrupt memory and may allow execution of arbitrary code.

2) An input validation error within the "histogram()" method of the "BitmapData" class can be exploited to disclose information.

The vulnerabilities are reported in the following versions:
* Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris.
* Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x.
* Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x.

Solution

Update to a fixed version.

Flash Player 11.1.102.62 and earlier:
Update to version 11.1.102.63.
http://www.adobe.com/go/getflash

Flash Player 11.1.102.62 and earlier - network distribution:
Update to version 11.1.102.63.
http://www.adobe.com/licensing/distribution

Flash Player 10.x:
Update to version 10.3.183.16.
http://kb2.adobe.com/cps/142/tn_14266.html

Flash Player 11.1.115.6 and earlier for Android 4.x:
Update to version 11.1.115.7.
https://market.android.com/details?id=com.adobe.flashplayer&hl=en

Flash Player 11.1.111.6 and earlier for Android 3.x and 2.x:
Update to version 11.1.111.7.
https://market.android.com/details?id=com.adobe.flashplayer&hl=en

Flash Player 11.1.102.62 and earlier for Chrome users:
Update to version 11.1.102.63.
http://googlechromereleases.blogspot.com/

Reported by

1) The vendor credits Tavis Ormandy, Google Security Team.
2) Fermin J. Serna, Google Security Team.

Original Advisory

Adobe:
http://www.adobe.com/support/security/bulletins/apsb12-05.html

Fermin J. Serna:
http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf