Accessibility
Adobe
Sign in Privacy My Adobe

Security bulletin

Security update available for Adobe Flash Player

Release date: August 14, 2012

Vulnerability identifier: APSB12-18

Priority: See table below

CVE number: CVE-2012-1535

Platform: Windows, Macintosh and Linux

Summary

Adobe has released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux. These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system.

There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.271.
  • Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
  • Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79.

Affected software versions

  • Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux operating systems

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers and did not select the option to 'Allow Adobe to install updates' (Windows and Macintosh only), perform the check for each browser you have installed on your system.

Note: Adobe Flash Player for Android is not affected by the vulnerability addressed in this update.

Solution

Adobe recommends users update their software installations by following the instructions below:

  • Adobe recommends users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh should update to the newest version 11.3.300.271 by downloading it from the Adobe Flash Player Download Center. Users of Flash Player 11.2.x or later for Windows and Flash Player 11.3.x for Macintosh who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Windows and Macintosh users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.
  • Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79.
  • Adobe recommends users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238 by downloading it from the Adobe Flash Player Download Center.

Priority and Severity ratings

Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:

Product
Updated Version
Platform
Priority Rating
Adobe Flash Player 11.3.300.271 Windows
1
  11.3.300.271 Macintosh
2
  11.2.202.238 Linux
2


These updates address a critical vulnerability in the software.

Details

Adobe has released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux. These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system.

There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.271.
  • Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
  • Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79.

Affected software

Recommended player update

Availability

Flash Player 11.3.300.270 and earlier for Windows and Macintosh

11.3.300.271

Flash Player Download Center

Flash Player 11.3.300.270 and earlier -
network distribution

11.3.300.271

Flash Player Licensing

Flash Player 11.2.202.236 and earlier for Linux

11.2.202.238

Flash Player Download Center

Flash Player 11.3.300.270 and earlier for Chrome users

11.3.300.271

Google Chrome Releases

Acknowledgments

Adobe would like to thank Alexander Gavrun through iDefense's Vulnerability Contributor Program for reporting this issue (CVE-2012-1535) and for working with Adobe to help protect our customers.