Adobe Flash 2012 Vulnerabilities Review

Year 2012 is soon over, and it is a good moment to do a quick review on Adobe Flash 2012 vulnerabilities, like the Oracle Java 2012 vulnerabilities review.

During year 2012, Adobe has publish ten Flash security bulletins, covering 68 vulnerabilities:

  • APSB12-03 was published the 15 February and has deal with 7 vulnerabilities. 2 of the vulnerabilities reported in this bulletin were exploited in the wild. CVE-2012-0754 was discovered by Alexander Gavrun and found exploited in the wild, after patch release, in March. CVE-2012-0767 was reported as being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message through a universal cross-site scripting vulnerability.
  • APSB12-05 was published the 5 March and has deal with 2 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-07 was published the 28 March and has deal with 4 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-09 was published the 4 May and has deal with 1 vulnerability. CVE-2012-0779 was reported as being exploited in the wild in active targeted attacks.
  • APSB12-14 was published the 8 Jun and has deal with 7 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-18 was published the 14 August and has deal with 1 vulnerability. CVE-2012-1535 was reported as being exploited in the wild in active targeted attacks.
  • APSB12-19 was published the 21 August and has deal with 8 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known. CVE-2012-4166 is considered as a duplicate entry of CVE-2012-4165.
  • APSB12-22 was published the 8 October and has deal with 29 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-24 was published the 6 November and has deal with 7 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.
  • APSB12-27 was published the 11 December and has deal with 3 vulnerabilities. None of them were reported as exploited in the wild and no public exploits are known.

adobe-flash-cves-apsb12

 

On these 68 vulnerabilities:

  • 44 (64,7%) were reported by Google ! Adobe could thanks the guys of Google…
  • 5 (7,4%) were reported by Fortinet.
  • 4 (5.9%) were reported by Alexander Gavrun.
  • 4 (5.9%) were reported by Microsoft.
  • 8 (11.8%) were reported by other entities or security researchers.
  • 3 (4,4%) were reported by unknown entities or security researchers.

adobe-flash-cves-apsb12-reported-by

 

In term of CVSS base score repartition, 63 vulnerabilities (92,6%) have a score upper or equal to 7.0 and 5 vulnerabilities (7.4%) have a score upper or equal to 4.0 to 7.0. On the 63 vulnerabilities who have a CVSS score upper or equal to 7.0, 59 have a CVSS score of 10 !

adobe-flash-cves-apsb12-cvss-repartition

 

All my data’s are available by clicking on the following link.

APSB12-27 – Adobe Flash December 2012 Security Bulletin Review

Adobe has release, the 11 November 2012, during his November Patch Tuesday, one Adobe Flash security bulletin dealing with 3 vulnerabilities. All these security bulletins have a Critical severity rating. All of these vulnerabilities have a 10.0 CVSS base score.

APSB12-27 – Security updates available for Adobe Flash Player

APSB12-27 is concerning :

  • Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.251  and earlier versions for Linux
  • Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.600 and earlier versions for Windows and Macintosh, Android and SDK (includes AIR for iOS)

CVE-2012-5676 (10.0 CVSS base score) has been discovered and reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of theGoogle Security TeamCVE-2012-5677 (10.0 CVSS base score) has been discovered and reported by an anonymous contributor throughTipping Point’s Zero Day InitiativeCVE-2012-5678 (10.0 CVSS base score) have been discovered and reported by Tavis Ormandy of the Google Security Team.

Microsoft December 2012 Patch Tuesday Review

Microsoft has release, the 11 December 2012, during his December Patch Tuesday, two updated security advisories and seven security bulletins. On the seven security bulletins five of them has a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2785605 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB12-27.

Microsoft Security Advisory 2749655

MSA-2749655, release during October 2012, has been updated. The security advisory is regarding “Compatibility Issues Affecting Signed Microsoft Binaries” and the update added the KB2687627 and KB2687497 updates described in MS12-043, the KB2687501 and KB2687510 updates described in MS12-057, the KB2687508 update described in MS12-059, and the KB2726929 update described in MS12-060 to the list of available rereleases.

MS12-077 – Cumulative Security Update for Internet Explorer

MS12-077 security update, classified as Critical, allowing remote code execution, is the fix for three privately reported vulnerabilities. CVE-2012-4781 has a 0.0 CVSS base score (surely an error) and was discovered and privately reported by Rosario ValottaCVE-2012-4782 has a 10.0  CVSS base score and was discovered and privately reported by Rosario ValottaCVE-2012-4787 has a 10.0 CVSS base score and was discovered and privately reported by Fermin J. Serna of Google Inc.

Affected software are:

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10

MS12-078 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

MS12-078 security update, classified as Critical, allowing remote code execution, is fixing two vulnerabilities. CVE-2012-2556 has a 9.3 CVSS base score and was publicly disclosed. CVE-2012-4786 has a 10.0 CVSS base score and was discovered and privately reported by Eetu Luodemaa and Joni Vähämäki of Documill, working with the Chromium Security Rewards Program.

Affected softwares are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012
  • Windows RT

MS12-079 – Vulnerability in Microsoft Word Could Allow Remote Code Execution

MS12-079 security update, classified as Critical, allowing remote code execution, is fixing one privately vulnerability. CVE-2012-2539 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous contributor, working with Beyond Security’s SecuriTeam Secure Disclosure program.

Affected softwares are:

  • Microsoft Office 2003 Service Pack 3
  • Microsoft Office 2007 Service Pack 2
  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 1 (32-bit editions)
  • Microsoft Office 2010 Service Pack 1 (64-bit editions)
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack Service Pack 2
  • Microsoft Office Compatibility Pack Service Pack 3

MS12-080 – Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

MS12-080 security update, classified as Critical, allowing remote code execution, is fixing three vulnerabilities. CVE-2012-3214 has a 2.1 CVSS base score and is associated with Oracle Outside In Technology component fixed in Oracle October 2012 CPUCVE-2012-3217 has a 2.1 CVSS base score and is associated with Oracle Outside In Technology component fixed in Oracle October 2012 CPUCVE-2012-4791 has a 3.5 CVSS base score and was discovered and privately reported by unknown security researcher.

Affected softwares are:

  • Microsoft Exchange Server 2007 Service Pack 3
  • Microsoft Exchange Server 2010 Service Pack 1
  • Microsoft Exchange Server 2010 Service Pack 2

MS12-081 – Vulnerability in Windows File Handling Component Could Allow Remote Code Execution

MS12-081 security update, classified as Critical, allowing remote code execution, is fixing one privately reported vulnerability. CVE-2012-4774 has a 10.0 CVSS base score and was discovered and privately reported by Lucas Apa of IOActive.

Affected softwares are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

MS12-082- Vulnerability in DirectPlay Could Allow Remote Code Execution

MS12-082 security update, classified as Important, allowing remote code execution, is fixing one privately reported vulnerability. CVE-2012-1537 has a 9.3 CVSS base score and was discovered and privately reported by Aniway, working with VeriSign iDefense Labs.

Affected softwares are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

MS12-083- Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass

MS12-083 security update, classified as Important, allowing security feature bypass, is fixing one vulnerability. CVE-2012-2549 has a 6.8 CVSS base score and was discovered and privately reported by an anonymous security researcher.

Affected softwares are:

  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2012