The year 2012 is nearly over, so it is a good moment for a quick review of the Adobe Flash vulnerabilities of 2012, like the Oracle Java 2012 vulnerabilities review.

During 2012, Adobe published ten Flash security bulletins, covering 68 vulnerabilities:

  • APSB12-03 was published on 15 February and dealt with 7 vulnerabilities. Two of the vulnerabilities reported in this bulletin were exploited in the wild. CVE-2012-0754 was discovered by Alexander Gavrun and found exploited in the wild in March, after the patch release. CVE-2012-0767, a universal cross-site scripting vulnerability, was reported as being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.
  • APSB12-05 was published on 5 March and dealt with 2 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-07 was published on 28 March and dealt with 4 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-09 was published on 4 May and dealt with 1 vulnerability. CVE-2012-0779 was reported as being exploited in the wild in active targeted attacks.
  • APSB12-14 was published on 8 June and dealt with 7 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-18 was published on 14 August and dealt with 1 vulnerability. CVE-2012-1535 was reported as being exploited in the wild in active targeted attacks.
  • APSB12-19 was published on 21 August and dealt with 8 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known. CVE-2012-4166 is considered a duplicate entry of CVE-2012-4165.
  • APSB12-22 was published on 8 October and dealt with 29 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-24 was published on 6 November and dealt with 7 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-27 was published on 11 December and dealt with 3 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.

Of these 68 vulnerabilities:

  • 44 (64.7%) were reported by Google! Adobe could thank the guys at Google…
  • 5 (7.4%) were reported by Fortinet.
  • 4 (5.9%) were reported by Alexander Gavrun.
  • 4 (5.9%) were reported by Microsoft.
  • 8 (11.8%) were reported by other entities or security researchers.
  • 3 (4.4%) were reported by unknown entities or security researchers.

In terms of CVSS base score distribution, 63 vulnerabilities (92.6%) have a score of 7.0 or higher, and 5 vulnerabilities (7.4%) have a score of 4.0 or higher but below 7.0. Of the 63 vulnerabilities with a CVSS score of 7.0 or higher, 59 have a CVSS score of 10!

All my data is available by clicking on the following link.