Adobe August 2012 Patch Tuesday Review

On 14 August 2012, as part of its August Patch Tuesday, Adobe released three security bulletins addressing 26 vulnerabilities. All three bulletins have a Critical severity rating, and 23 of the 26 vulnerabilities have a CVSS base score of 10.0.

APSB12-16 – Security update for Adobe Reader and Acrobat

APSB12-16 concerns Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates fix 20 vulnerabilities, all of which are classified as Critical and allow code execution. 18 of the 20 vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159 and CVE-2012-4160 have been discovered and privately reported by Mateusz Jurczyk and Gynvael Coldwind, of the Google Security Team. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4147 (CVSS base score of 10.0), CVE-2012-4161 (CVSS base score of 7.5) and CVE-2012-4162 (CVSS base score of 7.5) have been discovered and privately reported by James Quirk.

CVE-2012-2051, with a CVSS base score of 10.0, has been discovered and privately reported by Mateusz Jurczyk of the Google Security Team.

CVE-2012-2049, with a CVSS base score of 10.0, has been discovered and privately reported by Pavel Polischouk of the Vulnerability Research team at TELUS Security Labs.

CVE-2012-2050, with a CVSS base score of 10.0, has been discovered and privately reported by an anonymous contributor working with Beyond Security’s SecuriTeam Secure Disclosure Program.

CVE-2012-4148, with a CVSS score of 10.0, has been discovered and privately reported by John Leitch at Microsoft and Microsoft Vulnerability Research (MSVR).

CVE-2012-1525, with a CVSS score of 10.0, has been discovered and privately reported by Nicolas Grégoire through iDefense’s Vulnerability Contributor Program.

Despite the high number of fixed vulnerabilities, Adobe Reader for Linux has not been updated, and there are still known vulnerabilities in the Windows and Macintosh versions. Adobe plans to release an out-of-band update for Adobe Reader for Linux before 27 August.

APSB12-17 – Security update for Adobe Shockwave Player

APSB12-17 concerns Adobe Shockwave Player 11.6.5.635 and earlier versions on Windows and Macintosh. These updates fix 5 vulnerabilities, all of which are classified as Critical and allow code execution. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2043, CVE-2012-2046 and CVE-2012-2047 have been discovered and privately reported by Honggang Ren of Fortinet’s FortiGuard Labs. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2045, with a CVSS base score of 10.0, has been discovered and privately reported by Will Dormann of CERT.

CVE-2012-2044, with a CVSS base score of 10.0, has been discovered and privately reported by suto.

APSB12-18 – Security update for Adobe Flash Player

APSB12-18 concerns Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux.

CVE-2012-1535, with a CVSS base score of 9.3, has been found exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows. Since 18 August, however, a Metasploit module has been available that does not require a malicious Word document. The Metasploit module currently focuses on Windows XP SP3 and is still quite unstable, but you should urgently update your Flash Player.