
Adobe Flash Player Multiple Vulnerabilities


Secunia ID

SA50354

CVE-ID

CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168, CVE-2012-4171, CVE-2012-5054

Release Date

22 Aug 2012

Last Change

25 Sep 2012

Criticality

Highly Critical

Solution Status

Vendor Patch

Software

Adobe AIR 3.x
Adobe Flash Player 11.x

Where

From remote

Impact

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Description

Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to gain knowledge of potentially sensitive information or compromise a user's system.

1) An unspecified error can be exploited to corrupt memory.

2) An unspecified error can be exploited to corrupt memory.

3) An unspecified error can be exploited to corrupt memory.

4) An unspecified error can be exploited to corrupt memory.

5) An integer overflow error can be exploited to corrupt memory.

6) An error can lead to cross-domain information leaks.

7) A logic error exists when handling multiple dialogs within Firefox.

8) An integer overflow error in the "copyRawDataTo()" method in the Matrix3D class can be exploited to corrupt memory.

The vulnerabilities are reported in the following versions:
* Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh, and Linux
* Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
* Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
* Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
* Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
* Adobe AIR 3.3.0.3650 and earlier versions for Android

Solution

Update to a fixed version.

Flash Player 11.4.402.265 for Windows and Macintosh:
http://www.adobe.com/go/getflash

Flash Player 11.4.402.265 - network distribution:
http://www.adobe.com/licensing/distribution

Flash Player 11.2.202.238 for Linux:
http://www.adobe.com/go/getflash

Flash Player 11.1.115.17 for Android 4.x:
Update available to devices that already had Flash Player installed prior to August 15, 2012.

Flash Player 11.1.111.16 for Android 3.x and 2.x:
Update available to devices that already had Flash Player installed prior to August 15, 2012.

Flash Player 11.3.31.230 for Chrome users (Windows and Linux):
http://googlechromereleases.blogspot.com/

Flash Player 11.4.402.265 for Chrome users (Macintosh):
http://googlechromereleases.blogspot.com/

AIR 3.4.0.2540 for Windows and Macintosh:
http://get.adobe.com/air/

AIR 3.4.0.2540 SDK (includes AIR for iOS):
http://www.adobe.com/devnet/air/air-sdk-download.html

AIR 3.4.0.2540 for Android:
http://market.android.com/details?id=com.adobe.air
http://www.amazon.com/Adobe-Systems-AIR/dp/B004SRNH10/ref=sr_1_6?ie=UTF8&qid=1339095848&sr=8-6

Reported by

The vendor credits:
1) Xu Liu, Fortinet's FortiGuard Labs
2) Will Dormann, CERT
3, 4) Honggang Ren, Fortinet's FortiGuard Labs
5) Alexander Gavrun, iDefense VCP
6) Claudio Santambrogio, Opera Software
7) Attila Suszter
8) Reported by the vendor.

Original Advisory

Adobe:
http://www.adobe.com/support/security/bulletins/apsb12-19.html