====================================================================

                            CERT-Renater

                 Note d'Information No. 2018/VULN395
_____________________________________________________________________

DATE                 : 22/11/2018

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Adobe Flash Player versions
                       prior to 31.0.0.153, Microsoft Edge,
                       Microsoft Internet Explorer 11, Google Chrome.

=====================================================================
https://helpx.adobe.com/security/products/flash-player/apsb18-44.html
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180030
_____________________________________________________________________

Security updates available for Adobe Flash Player (APSB18-44)

Adobe has released security updates for Adobe Flash Player for
Windows, macOS, Linux and Chrome OS. These updates address a critical
vulnerability in Adobe Flash Player 31.0.0.148 and earlier versions.
Successful exploitation could lead to arbitrary code execution in the
context of the current user, and Adobe recommends users update their
product installations to the latest versions using the instructions
referenced in the security bulletin.

This posting is provided “AS IS” with no warranties and confers no
rights.

_____________________________________________________________________

Security updates available for Flash Player | APSB18-44

Bulletin ID    Date Published       Priority
APSB18-44      November 20, 2018    1

Summary

Adobe has released security updates for Adobe Flash Player for
Windows, macOS, Linux and Chrome OS. These updates address a critical
vulnerability in Adobe Flash Player 31.0.0.148 and earlier versions.
Successful exploitation could lead to arbitrary code execution in the
context of the current user.

Technical details about this vulnerability are publicly available.

Affected Product Versions

Product                              Version              Platform

Adobe Flash Player Desktop Runtime   31.0.0.148 and       Windows, macOS and
                                     earlier versions     Linux

Adobe Flash Player for Google        31.0.0.148 and       Windows, macOS, Linux
Chrome                               earlier versions     and Chrome OS

Adobe Flash Player for Microsoft     31.0.0.148 and       Windows 10 and 8.1
Edge and Internet Explorer 11        earlier versions

To verify the version of Adobe Flash Player installed on your system,
access the About Flash Player page, or right-click on content running
in Flash Player and select "About Adobe (or Macromedia) Flash Player"
from the menu. If you use multiple browsers, perform the check for
each browser you have installed on your system.

Solution

Adobe categorizes these updates with the following priority ratings
and recommends users update their installation to the latest version:

Product                 Version      Platform          Priority  Availability

Adobe Flash Player      31.0.0.153   Windows, macOS    1         Flash Player Download Center
Desktop Runtime                                                  Flash Player Distribution

Adobe Flash Player for  31.0.0.153   Windows, macOS,   1         Google Chrome Releases
Google Chrome                        Linux, and
                                     Chrome OS

Adobe Flash Player for  31.0.0.153   Windows 10 and    1         Microsoft Security Advisory
Microsoft Edge and                   8.1
Internet Explorer 11

Adobe Flash Player      31.0.0.153   Linux             3         Flash Player Download Center
Desktop Runtime

Note:

 - Adobe recommends users of the Adobe Flash Player Desktop Runtime
   for Windows, macOS and Linux update to Adobe Flash Player
   31.0.0.153 via the update mechanism within the product [1] or by
   visiting the Adobe Flash Player Download Center.
 - Adobe Flash Player installed with Google Chrome will be
   automatically updated to the latest Google Chrome version, which
   will include Adobe Flash Player 31.0.0.153 for Windows, macOS,
   Linux and Chrome OS.
 - Adobe Flash Player installed with Microsoft Edge and Internet
   Explorer 11 for Windows 10 and 8.1 will be automatically updated
   to the latest version, which will include Adobe Flash Player
   31.0.0.153.
 - Please visit the Flash Player Help page for assistance in
   installing Flash Player.

[1] Users who have selected the option to 'Allow Adobe to install
updates' will receive the update automatically. Users who do not have
the 'Allow Adobe to install updates' option enabled can install the
update via the update mechanism within the product when prompted.

Vulnerability details

Vulnerability Category   Vulnerability Impact       Severity   CVE Number
Type Confusion           Arbitrary code execution   Critical   CVE-2018-15981

______________________________________________________________________

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: November 20, 2018
********************************************************************

Security Advisories Released or Updated on November 20, 2018
===================================================================

* Microsoft Security Advisory ADV180030

 - ADV180030 | November 20, 2018 Flash Updates
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180030
 - Reason for Revision: Information published.
 - Originally posted: November 20, 2018
 - Updated: N/A
 - Version: 1.0

Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================

If you receive an email message that claims to be distributing a
Microsoft security update, it is a hoax that may contain malware or
pointers to malicious websites. Microsoft does not distribute
security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security bulletins, or
installing security updates. You can obtain the MSRC public PGP key
at .

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================