-
Old Adobe updates/advisories
FYI...
- http://www.securityfocus.com/news/11511
2008-03-28 - "Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears... While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals... Using a specially-crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, allowing an attacker the ability to access the victims' funds... until Web site developers rebuild their Flash multimedia with the latest authoring tools, the older files still present on their company's Web sites could be used by fraudsters to attack the site's users... Adobe estimates that 98 percent of Web users have the Adobe Flash Player installed. Flash is widely used to create the advertisements hosted on most Web sites. Because the advertisements are generally provided by third-party services, using the affiliate networks to send out malicious Flash advertisements has become a serious vector of attack..."
* http://www.adobe.com/devnet/flashpla...ty_update.html
"Adobe is planning to release a security update for Flash Player 9 in April 2008 to strengthen the security of Adobe Flash Player for our customers and end users... This security update will make the optional socket policy file changes introduced in Flash Player 9,0,115,0 mandatory..."
:fear::spider:
-
Flash Player version 9.0.124.0 released
FYI...
Flash Player version 9.0.124.0 released
- http://www.adobe.com/shockwave/downl...ShockwaveFlash
APSB08-11 Flash Player update available to address security vulnerabilities
- http://www.adobe.com/support/securit...apsb08-11.html
04/08/2008 - "Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system...
Affected software versions:
Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier..."
Severity rating:
Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."
Installation instructions:
- http://www.adobe.com/products/flashp.../instructions/
Test:
- http://www.adobe.com/products/flash/about/
- http://secunia.com/advisories/28083/
Release Date: 2008-04-09
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Flash Player 9.x ...
...The vulnerabilities are reported in versions prior to 9.0.124.0...
CVE reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5275
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1655 ...
:fear:
-
Flash player exploit in the wild
FYI...
- http://blogs.zdnet.com/security/?p=1236
June 3, 2008 - "...Google Analytics has a nifty feature where it will give you information on your visitor’s browser capabilities, including the version of Flash installed down to the revision level... the statistics confirmed the low percentage of up-to-date Flash players.
Date    % up-to-date
5/26    15.28
5/27    15.93
5/28    16.50
5/29    17.51
Remember, this is still 7 weeks after the update was released... After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability... How does the average user know that they should update Flash and how to do so? By reading the trade press? Microsoft learned that you have to harass the user into patching their operating system and even then, it should be as automatic as possible. As Flash currently enjoys an essentially universal market share, now is the time to make significant security improvements without having to repeat the lessons that others have had to so painfully learn..."
- http://www.shadowserver.org/wiki/pmw...endar.20080527
May 27, 2008
:fear::spider::fear:
-
Flash Player workaround - Clickjacking issue
FYI...
- http://www.adobe.com/support/securit...apsa08-08.html
Release date: October 7, 2008
Vulnerability identifier: APSA08-08
Platform: All Platforms
Affected Software: Adobe Flash Player 9.0.124.0 and earlier
...To prevent this potential issue, customers can change their Flash Player settings as follows:
1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documen...manager02.html
2. Select the "Always deny" button.
3. Select ‘Confirm’ in the resulting dialog.
4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and/or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documen...manager06.html ...
---
- http://blogs.adobe.com/psirt/2008/10..._advisory.html
October 7, 2008
- http://secunia.com/advisories/32163
Release Date: 2008-10-08
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4503
Last revised: 10/11/2008
-
Flash Player v10.0.12.36 released
FYI...
Adobe Flash Player v10.0.12.36 released
- http://www.adobe.com/go/getflashplayer
October 15, 2008
Understanding the security changes in Flash Player 10
- http://www.adobe.com/devnet/flashpla...ges_print.html
Modified: 15 October 2008
Flash Player installation instructions
- http://www.adobe.com/products/flashp.../instructions/
...Installation instructions for Windows Internet Explorer... "may require administrative access to your PC..."
...Installation instructions for Windows non-Internet Explorer... "may require administrative access to your PC..."
Flash Player update available to address security vulnerabilities
- http://www.adobe.com/support/securit...apsb08-18.html
Release date: October 15, 2008 ...
CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503
Platform: All Platforms
Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform...
Affected software versions: Adobe Flash Player 9.0.124.0 and earlier...
- http://www.us-cert.gov/current/archi...y_bulletin_for
October 16, 2008
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2007-4324
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2007-6243
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-3873
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4401
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4503
Test your current install: http://www.adobe.com/products/flash/about/
:fear::spider:
-
Flash Player v9.0.151.0 / v10.0.12.36 updates...
FYI...
Flash Player multiple vulns - updates available
- http://www.adobe.com/support/securit...apsb08-20.html
Release date: November 5, 2008
Vulnerability identifier: APSB08-20
CVE number: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823 ...
Platform: All Platforms
Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. No action is required by customers who have already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update addresses the issues previously reported in Security Bulletin APSB08-18 in addition to the issues outlined in this Security Bulletin.
Affected software versions: Adobe Flash Player 9.0.124.0 and earlier.
To verify the Adobe Flash Player version number, access the About Flash Player page* ...
* http://www.adobe.com/products/flash/about/
Solution: Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center**, or by using the auto-update mechanism within the product when prompted.
** http://www.adobe.com/go/getflashplayer
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link***.
*** http://www.adobe.com/go/kb406791
Severity rating: Adobe categorizes this as a critical update due to the issues previously outlined in Security Bulletin APSB08-18 and recommends affected users upgrade to version 10.0.12.36...
http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4818
http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4819
http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4820
http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4821
http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4822
http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4823
:fear:
-
FYI...
Additional disclosure of security vulnerabilities fixed in Flash Player 10.0.12.36 and Flash Player 9.0.151.0
- http://www.adobe.com/support/securit...apsb08-22.html
Release date: November 17, 2008
Vulnerability identifier: APSB08-22
CVE number: http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4824
Platform: All Platforms
:fear:
-
Linux Flash player update...
FYI...
Security update available for -Linux- Flash Player 10.0.12.36 and Linux Flash Player 9.0.151.0
- http://www.adobe.com/support/securit...apsb08-24.html
Release date: December 17, 2008
Vulnerability identifier: APSB08-24
CVE number: http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5499
Platform: Linux ...
Adobe recommends all users of Flash Player for Linux 10.0.12.36 and Flash Player for Linux 9.0.151.0 and earlier versions upgrade to the newest version 10.0.15.3 by downloading it from the Player Download Center*, or by using the auto-update mechanism within the product when prompted.
* http://get.adobe.com/flashplayer
For users who cannot update to Flash Player for Linux 10.0.15.3, Adobe has developed a patched version, Flash Player for Linux 9.0.152.0**, which can be downloaded from the following link...
http://www.adobe.com/go/kb406791
Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 10.0.15.3...
SUSE update for flash-player
- http://secunia.com/advisories/33294/
Release Date: 2008-12-22
Critical: Highly critical
Impact: System access
Where: From remote...
Original Advisory: SUSE-SA:2008:059:
http://lists.opensuse.org/opensuse-s.../msg00006.html
Red Hat update for flash-plugin
- http://secunia.com/advisories/33267/
Release Date: 2008-12-22
Critical: Highly critical
Impact: System access
Where: From remote...
Solution Status: Vendor Patch
Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-1047.html ...
:fear:
-
Acrobat [Reader] 0-Day on the loose
FYI...
Acrobat [Reader] 0-Day On the Loose
- http://www.shadowserver.org/wiki/pmw...endar.20090219
2009-02-19 - "The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited. We are aware of several different variations of this attack, however, we were provided with a sample last week in which we were permitted to analyze and detail in this post. We want to make it clear that we did not discover this vulnerability and are only posting this information to make sure others are aware and can adequately protect themselves. All of our testing was done on Adobe Acrobat Reader 8.1.0, 8.1.1, 8.1.2, 8.1.3 (latest release of 8), and 9.0.0 (latest release of 9)... We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript ... Adobe has since issued a public advisory* about this issue that has been posted here. They are expecting an update by March 11th, 2009 for Adobe 9 and updates for other version (8 and 7) to follow soon after..."
* http://www.adobe.com/support/securit...apsa09-01.html
February 19, 2009 - "...Adobe categorizes this as a critical issue..."
- http://blogs.adobe.com/psirt/2009/02...bat_issue.html
February 19, 2009 09:18 PM
:fear::mad:
-
Acrobat Reader 0-Day exploit in the wild...
More on this:
- http://preview.tinyurl.com/bp67qy
February 20, 2009 Security Fix - "...In the past I have recommended the free version of Foxit Reader as a faster and more lightweight alternative for viewing PDF files. However, I have not yet been able to verify whether Foxit Reader may be similarly vulnerable...
Update, 10:34 a.m. ET: "Sherry" from Foxit wrote me back to say the company has no information to suggest Foxit is similarly vulnerable: "Currently Foxit Software have not suffered these problems. And we will pay attention to it in the future." Also, Symantec has now posted its writeup on this flaw*, saying it has received reports of targeted attacks against government, large enterprise and financial services organizations..."
* http://preview.tinyurl.com/cajqre
02-20-2009 Symantec Security Response Blog
* http://preview.tinyurl.com/cqs68s
February 12, 2009 Symantec Security Response - "... The Trojan opens a backdoor on the compromised computer. It then contacts the following remote host in order to steal information from the compromised computer: js001 .3322 .org ..."
- http://secunia.com/advisories/33901/
Release Date: 2009-02-20
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
:fear::fear:
-
Acrobat Reader 0-Day exploit in the wild...
FYI...
- http://www.shadowserver.org/wiki/pmw...endar.20090221
21 February 2009 - "...Workarounds & Windows Group Policy Object (GPO)
As we mentioned the main work around for this is to disable JavaScript. Acrobat will still crash but the exploit should fail. While all platforms are reportedly affected, we should note that we have only seen active exploits for Windows and not Linux or OS X platforms. Once again to disable JavaScript in Acrobat [Reader], take the following steps:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
Elazar Broad also wrote into us the other day and provided a GPO that can be used to disable JavaScript for Adobe Acrobat [Reader]. We have not tested it but you can grab it by clicking here*. Basically these are the keys of interest (from HKEY_CURRENT_USER):
Adobe Acrobat Reader:
Software\Adobe\Acrobat Reader\x.0\JSPrefs
Adobe Acrobat:
Software\Adobe\Adobe Acrobat\x.0\JSPrefs
Setting the DWORD "bEnableJS" to 0 will disable JavaScript...
Details Released
We knew it would not take too long - the details of the vulnerable function and enough information to potentially recreate the exploit have now been published publicly... Expect that a wider set of attackers will now start using this exploit in the near future before the patch is released. In other words... DISABLE JAVASCRIPT and patch as soon as it becomes available!"
* http://www.shadowserver.org/wiki/upl...ndar/adobe.txt
- http://www.kb.cert.org/vuls/id/905281
Last Updated: 2009-02-23
:fear:
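As an added example (not Shadowserver's GPO nor Adobe's code), a PowerShell script that audits and then enforces the setting described in the post above: the DWORD bEnableJS under HKCU\Software\Adobe\Acrobat Reader\x.0\JSPrefs and HKCU\Software\Adobe\Adobe Acrobat\x.0\JSPrefs set to 0. It assumes the version subkeys are named like "8.0" or "9.0" and that it runs in the context of the user whose HKCU hive is to be changed (a logon script, for instance).

```powershell
# Audit and enforce "Acrobat JavaScript disabled" via the JSPrefs keys quoted in the post.
# HKCU is per user, so run this as (or on behalf of) each user, e.g. from a logon script.
# Assumption (not from the page): version subkeys look like "8.0" / "9.0".

$ProductKeys = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Acrobat'
)

function Get-AcrobatJSState {
    # One object per installed major version; bEnableJS is $null when the value
    # (or the whole JSPrefs key) has not been created yet, which Acrobat treats as enabled.
    foreach ($product in $ProductKeys) {
        if (-not (Test-Path $product)) { continue }
        Get-ChildItem $product |
            Where-Object { $_.PSChildName -match '^\d+\.0$' } |
            ForEach-Object {
                $jsPrefs = "$product\$($_.PSChildName)\JSPrefs"
                $value = $null
                if (Test-Path $jsPrefs) {
                    $value = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS `
                              -ErrorAction SilentlyContinue).bEnableJS
                }
                [pscustomobject]@{
                    Product            = Split-Path $product -Leaf
                    Version            = $_.PSChildName
                    JSPrefs            = $jsPrefs
                    bEnableJS          = $value
                    JavaScriptDisabled = ($value -eq 0)
                }
            }
    }
}

function Disable-AcrobatJS {
    # Creates JSPrefs where missing and writes bEnableJS = 0 (DWORD); supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in Get-AcrobatJSState) {
        if ($entry.JavaScriptDisabled) { continue }   # already compliant
        if ($PSCmdlet.ShouldProcess($entry.JSPrefs, 'Set bEnableJS = 0')) {
            if (-not (Test-Path $entry.JSPrefs)) {
                New-Item -Path $entry.JSPrefs -Force | Out-Null
            }
            New-ItemProperty -Path $entry.JSPrefs -Name bEnableJS `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

Disable-AcrobatJS -WhatIf     # preview the keys that would change
Disable-AcrobatJS             # enforce
Get-AcrobatJSState | Format-Table Product, Version, bEnableJS, JavaScriptDisabled
```

Re-run Get-AcrobatJSState after an Acrobat update: the ESET note later in this thread reports that updating re-enables JavaScript, so the value is worth re-checking rather than set once.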
-
Flash Player v10.0.22.87 released
FYI...
Flash Player v10.0.22.87 released
- http://www.adobe.com/support/securit...apsb09-01.html
Release date: February 24, 2009
Vulnerability identifier: APSB09-01
CVE number: CVE-2009-0519, CVE-2009-0520, CVE-2009-0522, CVE-2009-0114, CVE-2009-0521
Platform: All Platforms...
Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.22.87*...
* http://www.adobe.com/go/getflash -or- http://get.adobe.com/flashplayer/otherversions/
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which can be downloaded from the following link**...
** http://www.adobe.com/go/kb406791
Version test for Adobe Flash Player
- http://kb.adobe.com/selfservice/view...nalId=tn_15507
:fear::fear:
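As an added example (not Adobe's code), a PowerShell check that compares a Flash Player version string with the fixed builds listed in APSB09-01 above, per major branch: 10.x must be at or above 10.0.22.87 and 9.x at or above 9.0.159.0, and both the comma form Adobe uses ("9,0,115,0") and the dotted form ("9.0.124.0") are accepted. The registry location it reads, HKLM:\SOFTWARE\Macromedia\FlashPlayer with value CurrentVersion, is an assumption not taken from the page.

```powershell
# Branch-aware Flash Player patch check for APSB09-01.
# A plain string compare gets this wrong ("9.0.159.0" sorts below "9.0.22.87"),
# and a single global minimum gets it wrong too (9.0.159.0 is patched although
# it is lower than 10.0.22.87), so compare numerically within the major branch.

$PatchedBaseline = @{ 10 = '10.0.22.87'; 9 = '9.0.159.0' }   # fixed builds from APSB09-01

function ConvertTo-FlashVersion {
    # Accepts "10,0,22,87" or "10.0.22.87" and returns a [version] for numeric comparison.
    param([Parameter(Mandatory)][string]$Text)
    $parts = $Text.Trim() -split '[.,]'
    if ($parts.Count -ne 4 -or ($parts | Where-Object { $_ -notmatch '^\d+$' })) {
        throw "Unrecognised Flash version string: '$Text'"
    }
    return [version]($parts -join '.')
}

function Test-FlashPatched {
    # $true when the version meets the baseline for its own major branch;
    # $false for branches with no fixed build in the bulletin (8.x and older).
    param([Parameter(Mandatory)][string]$Installed)
    $v = ConvertTo-FlashVersion $Installed
    if (-not $PatchedBaseline.ContainsKey($v.Major)) { return $false }
    return $v -ge [version]$PatchedBaseline[$v.Major]
}

function Get-InstalledFlashVersion {
    # Assumed registry location (not from the page); returns $null when absent.
    $key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer'
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
}

# Constructed sample inputs: the affected and fixed versions quoted in this thread's bulletins.
foreach ($sample in '9,0,115,0', '9.0.124.0', '9.0.151.0', '9.0.159.0', '10.0.12.36', '10.0.22.87', '8.0.39.0') {
    '{0,-12} patched for APSB09-01: {1}' -f $sample, (Test-FlashPatched $sample)
}

$local = Get-InstalledFlashVersion
if ($local) { "Local install $local patched: $(Test-FlashPatched $local)" }
```

Only the 9.0.159.0 and 10.0.22.87 samples report $true; 9.0.151.0 and 10.0.12.36, fixed for APSB08-20, are below this bulletin's baseline.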
-
Security Updates available for Adobe Reader 9...
FYI...
Security Updates available for Adobe Reader 9 and Acrobat 9
- http://www.adobe.com/support/securit...apsb09-03.html
Release date: March 10, 2009
Vulnerability identifier: APSB09-03
CVE number: CVE-2009-0658
Platform: All Platforms...
Affected software versions:
Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions
Solution: Adobe Reader
Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
- http://get.adobe.com/reader/
Acrobat 9
Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
- http://www.adobe.com/support/downloa...jsp?ftpID=4375
- http://www.adobe.com/support/downloa...jsp?ftpID=4382
Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
- http://www.adobe.com/support/downloa...jsp?ftpID=4381
Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
- http://www.adobe.com/support/downloa...jsp?ftpID=4374
Severity rating:
Adobe categorizes this as a critical issue and recommends that users apply the update for their product installations...
> http://blogs.adobe.com/psirt/2009/03...obat_91_u.html
:fear:
-
Adobe Reader v8.1.4, v7.11 released
FYI...
- http://isc.sans.org/diary.html?storyid=6034
Last Updated: 2009-03-18 20:04:58 UTC - "Adobe has released security advisory APSB09-04* for Adobe Reader and Acrobat. The CVE entries related to the vulnerabilities being patched are CVE-2009-0658 and CVE-2009-0927. Current versions are now 9.1, 8.1.4, and 7.11. Updates for both Windows and Macintosh platforms are available..."
* http://www.adobe.com/support/securit...apsb09-04.html
Release date: March 18, 2009 - "... Users with Adobe Reader 7.0 through 8.1.3, who can’t update to Adobe Reader 9.1, should update to Adobe Reader 8.1.4 or Adobe Reader 7.1.1, available from one of the following links:
http://www.adobe.com/support/downloa...atform=Windows
http://www.adobe.com/support/downloa...form=Macintosh ..."
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0658
Last revised: 03/06/2009
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0927
Last revised: 03/19/2009
- http://www.eset.com/threat-center/blog/?p=805
March 20, 2009 - "...updating re-enables Acrobat JavaScript. While the update presumably (hopefully) fixes the recent vulnerabilities, I’m not sure I’d care to assume that no further vulnerabilities will be found. You might want to consider our earlier advice to disable it..."
:fear:
-
2,305 drive-bys using PDFs...
FYI...
- http://www.pcworld.com/article/16357..._security.html
Apr 21, 2009 - "... In 2008, from Jan. 1 through April 16, F-Secure saw PDFs used in 128 dangerous drive-by attacks. This year, during the same time frame, the company has seen 2,305 drive-bys using PDFs. Such attacks go after a vulnerable Reader browser plugin... Poisoned PDFs are also often used as part of a customized, targeted attack, he says, when they're sent to a specifically selected recipient attached to a well-crafted e-mail. Hypponen didn't recommend any particular alternative program, but suggested heading to http://www.pdfreaders.org for a list of free apps. He did point out that at the time of IE 6's security infamy, many switched over to using Firefox. And as that browser gained significant market share, it also drew the hacker's eye..."
Another freeware alternative: Foxit PDF Reader
- http://www.foxitsoftware.com/pdf/reader/download.php
:fear::sad:
-
Adobe Reader, Acrobat vuln - unpatched
FYI...
- http://blogs.adobe.com/psirt/2009/04...der_issue.html
April 28, 2009 - "... All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue. To mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit >Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK
... Adobe is also currently investigating the issue posted on SecurityFocus as BID 34740*..."
* http://www.securityfocus.com/bid/34740/info
Updated: Apr 29 2009
- http://isc.sans.org/diary.html?storyid=6286
Last Updated: 2009-04-29 03:22:48 UTC
- http://www.f-secure.com/weblog/archives/00001671.html
April 29, 2009
- http://www.adobe.com/support/securit...apsa09-02.html
May 1, 2009 - "...Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009..."
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1492
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1493
:fear::spider::fear:
-
Targeted attacks - most common file types
FYI...
- http://www.f-secure.com/weblog/archives/00001676.html
May 6, 2009 - "... we decided to take a look at targeted attacks and see which file types were the most popular during 2008 and if that has changed at all during 2009. In 2008 we identified about 1968 targeted attack files. The most popular file type was DOC, i.e. Microsoft Word representing 34.55%... So far in 2009 we have found 663 targeted attack files and the most popular file type is now PDF. Why has it changed? Primarily because there have been more vulnerabilities in Adobe Acrobat Reader than in the Microsoft Office applications... More info about targeted attacks and how they work can be found in our YouTube video*."
(Charts available at the URL above.)
* http://www.youtube.com/watch?v=nFw9ZHy0V3c
:fear:
-
Security Updates available for Adobe Reader and Acrobat
FYI...
Security Updates available for Adobe Reader and Acrobat
- http://www.adobe.com/support/securit...apsb09-06.html
May 12, 2009 - "...Adobe recommends users of Adobe Reader 9.1 and Acrobat 9.1 and earlier versions update to Adobe Reader 9.1.1 and Acrobat 9.1.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.5, and users of Acrobat 7 update to Acrobat 7.1.2. For Adobe Reader users who can’t update to Adobe Reader 9.1.1, Adobe has provided the Adobe Reader 8.1.5 and Adobe Reader 7.1.2 updates.
Affected software versions: Adobe Reader 9.1 and earlier versions. Adobe Acrobat Standard, Pro, and Pro Extended 9.1 and earlier versions.
Solution
Adobe Reader: Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloa...&platform=Unix
Acrobat: Acrobat Standard, Pro and Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations...
Adobe Reader and Acrobat 9.1.1, 8.1.5 and 7.1.2 Release Notes
- http://kb2.adobe.com/cps/490/cpsid_49013.html
May 12, 2009
:fear:
-
Adobe Reader and Acrobat updated
FYI...
Adobe Reader and Acrobat updated
- http://www.adobe.com/support/securit...apsb09-07.html
June 9, 2009
"Adobe Reader: Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows .
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh .
Acrobat: Acrobat Standard, Pro and Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows .
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows .
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh ...
Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities...
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
- http://secunia.com/advisories/34580/2/
Release Date: 2009-06-10
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix ...
Original Advisory: Secunia Research: http://secunia.com/secunia_research/2009-24/
Adobe: http://www.adobe.com/support/securit...apsb09-07.html
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0198
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0509
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0510
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0511
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0512
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0888
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0889
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1855
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1856
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1857
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1858
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1859
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1861
:fear:
-
Adobe Reader UNIX update v9.1.2
FYI...
Adobe Reader UNIX update v9.1.2
- http://www.adobe.com/support/securit...apsb09-07.html
June 16, 2009 - Bulletin updated with link to Adobe Reader UNIX update...
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloa...&platform=Unix ..."
:fear:
-
Shockwave Player vuln - update v11.5.0.600 available
FYI...
Shockwave Player vuln - update v11.5.0.600 available
- http://www.adobe.com/support/securit...apsb09-08.html
June 23, 2009 - "A critical vulnerability has been identified in Adobe Shockwave Player 11.5.0.596 and earlier versions. This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system... To resolve this issue, Shockwave Player users on Windows should -uninstall- Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/ . This issue is remotely exploitable..."
- http://voices.washingtonpost.com/sec..._for_adob.html
June 25, 2009 - "...Readers should be aware that by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1860
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2186
- http://secunia.com/advisories/35544/2/
Release Date: 2009-06-24
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Shockwave Player 11.x ...
Solution: Uninstall versions prior to 11.5.0.600, restart the system, and install version 11.5.0.600:
http://get.adobe.com/shockwave/
- http://www.us-cert.gov/current/#adob..._for_shockwave
June 24, 2009
:fear:
-
ColdFusion 8 input sanitization issue
FYI...
Hotfix available for potential ColdFusion 8 input sanitization issue
- http://www.adobe.com/support/securit...apsb09-09.html
July 8, 2009 - "... Adobe recommends affected ColdFusion customers update their installation using the instructions below:
NOTE: ColdFusion 8 customers who have not already done so should first update to ColdFusion 8.0.1*
* http://www.adobe.com/support/coldfus...dates.html#cf8 ...
Severity rating: Adobe categorizes this as a critical issue and recommends affected users patch their installations..."
Revisions: July 9, 2009 - Bulletin updated with Acknowledgment and information on ColdFusion 8.0 hotfix
(More detail and links at the first URL above.)
- http://secunia.com/advisories/35747/2/
Release Date: 2009-07-09
Critical: Highly critical
Impact: Exposure of system information, Exposure of sensitive information, System access
Solution: Update to version 8.0.1 and apply hot fix...
- http://blog.trendmicro.com/coldfusio...ss-compromise/
July 8, 2009
:fear:
-
0-day exploit in the wild - Adobe Flash player...
FYI...
- http://blogs.adobe.com/psirt/2009/07...r_and_fla.html
July 21, 2009 - "Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."
> http://isc.sans.org/diary.html?storyid=6847
Last Updated: 2009-07-22 22:26:39 UTC ...(Version: 3) - "... the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well. And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal*)...
UPDATE: At the moment there is a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate web sites to create a drive-by attack, as expected. It appears that the attackers created two different shellcodes as well, one for Firefox users (still have to confirm this) and the other for Internet Explorer users (this one is -confirmed- to work)."
* http://preview.tinyurl.com/l3wg89
File 34d6452000e1a9e0308702d082c897008a0481b0.EXE received on 2009.07.22 16:49:07 (UTC)
Result: 7/41 (17.07%)
- http://www.us-cert.gov/current/#adob...obat_and_flash
- http://www.kb.cert.org/vuls/id/259425
2009-07-22
- http://blogs.technet.com/srd/archive...gy-part-2.aspx
June 12, 2009
> FixIt4Me - Enable DEP for Office
> FixIt4Me - Enable DEP for IE
- http://www.theregister.co.uk/2009/07...tacks_go_wild/
22 July 2009
Update on Adobe Reader, Acrobat and Flash Player Issue
- http://blogs.adobe.com/psirt/2009/07...r_acrobat.html
July 22, 2009 7:08 PM
:fear::fear:
-
FYI...
- http://www.adobe.com/support/securit...apsa09-03.html
July 22, 2009 - "... We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009..."
- http://securitylabs.websense.com/con...erts/3449.aspx
07.23.2009
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1862
Last revised: 07/24/2009
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2580
Last revised: 07/24/2009
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.securityfocus.com/bid/35759/info
Updated: Jul 23 2009
- http://bugs.adobe.com/jira/browse/FP-1265
Created: 12/31/08
- http://www.symantec.com/business/sec...512-99&tabid=2
Discovered: July 22, 2009 - "...The Trojan arrives in a specially crafted .pdf file that exploits a vulnerability in Adobe Flash Player. When executed the Trojan drops the following files on the compromised computer:
* %Temp%\SUCHOST.EXE (Trojan Horse)
* %Temp%\TEMP.EXE (A non-malicious file.)
Note: The SUCHOST.EXE file may open a back door that connects to the following domains:
* http ://aop1.homelinux .com
* http ://connectproxy.3322 .org
* http ://csport.2288 .org ..." [DO NOT VISIT]
:eek:
-
0-day Flash Player info update...
FYI...
- http://www.adobe.com/support/securit...apsa09-04.html
July 28, 2009 - "Adobe Flash Player 9.0.159.0 and 10.0.22.87, and earlier 9.x and 10.x versions installed on Windows operating systems for use with Internet Explorer leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This critical vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system.
Note that this vulnerability is exclusive to Internet Explorer on Windows. Installations of Flash Player for Firefox or other web browsers on Windows are -not- vulnerable. We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows by July 30, 2009.
Users should consider installing MS09-034*. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035**..."
* http://www.microsoft.com/technet/sec.../ms09-034.mspx
** http://www.microsoft.com/technet/sec.../ms09-035.mspx
- http://secunia.com/advisories/35948/2/
Solution Status: Unpatched
Software: Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
Changelog: 2009-07-29: Added information about control having been built using a vulnerable version of ATL.
:fear:
-
Adobe Shockwave v11.5.1.601 released
FYI...
Adobe Shockwave v11.5.1.601 released
- http://www.adobe.com/support/securit...apsb09-11.html
July 28, 2009 - "...Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ .
Users who are unable to update to version 11.5.1.601 of Shockwave Player should consider installing MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Shockwave Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035... Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
Once again ...
- http://voices.washingtonpost.com/sec..._for_adob.html
"... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."
- http://secunia.com/advisories/36049/2/
Release Date: 2009-07-29
Critical: Highly critical
Impact: System access, Exposure of sensitive information, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Shockwave Player 10.x, Shockwave Player 11.x, Shockwave Player 8.x, Shockwave Player 9.x
Solution: Update to version 11.5.1.601.
http://get.adobe.com/shockwave/
Original Advisory:
http://www.adobe.com/support/securit...apsb09-11.html ...
- http://www.us-cert.gov/current/#adob...ware_player_11
updated July 31, 2009
Test site: http://www.adobe.com/shockwave/welcome/
:fear:
-
Flash Player v10.0.32.18 released
FYI...
Flash Player v10.0.32.18 released
- http://get.adobe.com/flashplayer/
July 30, 2009 - Browser: Firefox, Safari, Opera
install_flash_player.exe
- http://get.adobe.com/flashplayer/otherversions/
July 30, 2009 - Internet Explorer
install_flash_player_ax.exe
Adobe Flash Player
- http://www.adobe.com/support/securit...apsb09-10.html
Release date: July 30, 2009
CVE number: CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870
"... Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2*... Adobe categorizes these as critical issues and recommends affected users patch their installations..."
* http://get.adobe.com/air/
Adobe AIR 1.5.2 Installer - Windows, English | 15.1 MB
___
- http://www.adobe.com/support/securit...apsb09-10.html
Revisions:
July 31, 2009 - Bulletin updated with Adobe Reader and Acrobat updates, and correct Adobe Flash Player 9 download link.
... http://www.adobe.com/support/flashpl...loads.html#fp9
___
- http://www.adobe.com/support/securit...apsb09-10.html
Last revised: August 3, 2009 - "... Adobe recommends all users of Adobe Flash Player... upgrade to the newest version 10.0.32.18..."
- http://secunia.com/advisories/35948/2/
Last Update: 2009-08-10
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x, Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
Solution: Update to Flash Player 9.0.246.0 or 10.0.32.18 and Adobe AIR version 1.5.2.
Flash Player version 10.0.32.18: http://www.adobe.com/go/getflashplayer ...
Adobe AIR version 1.5.2. http://get.adobe.com/air ...
- http://www.adobe.com/support/securit...apsb09-11.html
Release date: July 28, 2009 - "... Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ ..."
- http://secunia.com/advisories/36049/2/
Release Date: 2009-07-29
Critical: Highly critical ...
Solution: Update to version 11.5.1.601.
http://get.adobe.com/shockwave/
Test both here: http://www.adobe.com/shockwave/welcome/
-
Adobe Reader v9.1.3 - Acrobat v9.1.3 released
FYI...
Adobe Reader v9.1.3 - Acrobat v9.1.3 released
- http://www.adobe.com/support/securit...apsa09-03.html
Last Updated: July 31, 2009
"...Adobe Reader
Users who download the full 9.1 installer from http://get.adobe.com/reader/ will be offered the Adobe Reader 9.1.3 patch by the Adobe Updater technology on first launch. Users can also click "Help > Check for Updates" to be sure their installation is fully patched and up-to-date...
Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows.
... Adobe Reader 9.1.3 update - Multiple Languages | 1.6MB | 7/31/2009 ...
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh.
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloa...&platform=Unix.
Acrobat
Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows.
... Adobe Acrobat 9.1.3 Professional and Standard Update - Multiple Languages 1.6MB | 7/31/2009
Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows.
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh.
Severity rating
Adobe categorizes these as critical issues and recommends affected users patch their installations..."
:fear:
-
Adobe ColdFusion/JRun updated
FYI...
Adobe ColdFusion / JRun multiple vulns - updates available
- http://secunia.com/advisories/36329/2/
Release Date: 2009-08-18
Critical: Moderately critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe ColdFusion 8.x, Adobe ColdFusion MX 7.x, Macromedia Jrun 4.x ...
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb09-12.html
"... Adobe categorizes these as critical issues and recommends affected users patch their installations..."
- http://www.us-cert.gov/current/index...for_coldfusion
August 18, 2009
- http://www.adobe.com/support/securit...apsb09-12.html
August 21, 2009 - Bulletin updated with additional information regarding CVE-2009-1876.
> http://download.macromedia.com/pub/c..._1872_1877.txt
"ColdFusion... hotfix includes fixes for CVE-2009-1872, CVE-2009-1877..."
> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1872
> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1877
> http://download.macromedia.com/pub/c...eadMe_1875.txt
"ColdFusion... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1..."
> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1875
> http://download.macromedia.com/pub/c...eadMe_1876.txt
"ColdFusion... fix for CVE-2009-1876..."
> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1876
> http://download.macromedia.com/pub/c...eadMe_1878.txt
"... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1..."
> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1878
> http://download.macromedia.com/pub/c..._1873_1874.txt
"JRun... fixes for CVE-2009-1873, CVE-2009-1874..."
> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1873
> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1874
:fear::fear:
-
Flash cookie snoops...
FYI...
Sites pulling sneaky Flash cookie-snoop
- http://www.theregister.co.uk/2009/08/19/flash_cookies/
19 August 2009 - "Many websites are using Flash-based cookies to track users, but often omit to mention this in their privacy policies... Browser-based cookies constitute a well understood and widely deployed technology that poses serious questions about privacy, depending on its usage. What's far less well known is that Adobe Flash software also features cookies that can be used in much the same way as HTTP cookies. Flash cookies can be used for storing the volume level of a Flash video but the technology can also be used as "secondary, redundant unique identifiers that enable advertisers to circumvent user preferences and self-help"... researchers conclude that Flash cookies are more effective at tracking users' visits around websites than traditional HTTP cookies because they operate in the shadows and are infrequently removed. By default Flash cookies have no built-in expiration date. Browser-based actions such as deleting browser histories or switching to private mode does not affect the operation of Flash cookies..."
- https://addons.mozilla.org/firefox/addon/6623
Better privacy - "... Concerning privacy, Flash- and DOM Storage objects are most critical. This addon was made to make users aware of those hidden, never expiring objects and to offer an easy way to get rid of them - since browsers are unable to do that for you. Flash-cookies (Local Shared Objects, LSO) are pieces of information placed on your computer by a Flash plugin. Those Super-Cookies are placed in central system folders and so protected from deletion..."
> http://www.macromedia.com/support/do...manager07.html
:fear:
-
Sun Solaris Adobe Flash Player Multiple vuln - update available
FYI...
Sun Solaris Adobe Flash Player Multiple vuln - update available
- http://secunia.com/advisories/36518/2/
Release Date: 2009-09-03
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
OS: Sun Solaris 10
Solution: Apply patches.
-- SPARC Platform --
Solaris 10: Apply patch 125332-07 or later.
OpenSolaris: Fixed in builds snv_121 and later.
-- x86 Platform --
Solaris 10: Apply patch 125333-07 or later.
OpenSolaris: Fixed in builds snv_121 and later.
Original Advisory:
http://sunsolve.sun.com/search/docum...=1-66-266108-1
"... issues can occur in Adobe Flash Player 9.0.159.0 and earlier 9.x versions and 10.0.22.87 and earlier 10.x versions..."
:fear:
-
Adobe Reader/Acrobat vuln - unpatched
FYI...
Adobe Reader/Acrobat vuln - unpatched
- http://blogs.adobe.com/psirt/2009/10...t_issue_1.html
October 8, 2009 - "Adobe is aware of reports of a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows. Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update*, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date..."
* http://www.adobe.com/support/securit...apsb09-15.html
- http://secunia.com/advisories/36983/2/
Release Date: 2009-10-09
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
- http://blog.trendmicro.com/new-adobe-zero-day-exploit/
Oct. 9, 2009 - "... users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:
1. Run Acrobat or Adobe Reader.
2. Go to Edit > Preferences.
3. Select JavaScript under the Categories tab.
4. Uncheck the “Enable Acrobat JavaScript” option.
5. Click OK..."
:fear:
-
Adobe Reader 9.2 and Acrobat 9.2 released
FYI...
Adobe Reader 9.2 and Acrobat 9.2 released
- http://www.adobe.com/support/securit...apsb09-15.html
October 13, 2009 - "... This update resolves a heap overflow vulnerability that could lead to code execution (CVE-2009-3459*)... Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX...
Solution:
Adobe Reader
- Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
- Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh
- Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloa...&platform=Unix
Acrobat
- Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
- Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
- Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
- Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh ..."
* http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3459
Last revised: 10/13/2009
CVSS v2 Base Score: 9.3 (HIGH)
Adobe Plugs 29 Critical Reader, Acrobat Holes
- http://voices.washingtonpost.com/sec...reader_ac.html
October 13, 2009
CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462
- http://blogs.adobe.com/psirt/2009/10...rity_upda.html
October 13, 2009
:fear:
-
Adobe Shockwave Player v11.5.2.602 released
FYI...
Adobe Shockwave Player v11.5.2.602 released
- http://www.adobe.com/support/securit...apsb09-16.html
Release date: November 3, 2009
Affected software versions: Shockwave Player 11.5.1.601 and earlier versions
Solution: Adobe recommends Shockwave Player users install Shockwave Player version 11.5.2.602 available here:
http://get.adobe.com/shockwave/
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations...
CVE number:
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3244
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3463
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3464
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3465
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3466
Platform: Windows and Macintosh
Once again, still ...
- http://voices.washingtonpost.com/sec..._for_adob.html
"... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."
Test site:
- http://www.adobe.com/shockwave/welcome/
- http://secunia.com/advisories/37214/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 11.5.2.602...
- http://news.techworld.com/security/3...e-player-bugs/
"... installed on some 450 million PCs..."
:fear:
-
Flash Player update - pre-notification of Security Update
FYI...
Pre-Notification - Security Update for Adobe Flash Player
- http://www.adobe.com/support/securit...apsb09-19.html
December 3, 2009 - "Adobe is planning to release an update for Adobe Flash Player 10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and earlier versions, to resolve critical security issues. Adobe expects to make these updates available on December 8, 2009...
Affected software versions:
Adobe Flash Player 10.0.32.18 and earlier versions
Adobe AIR 1.5.2 and earlier versions
Severity rating: Adobe categorizes these as critical updates."
Also see: Adobe Illustrator
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-4195
- http://www.adobe.com/support/securit...apsa09-06.html
December 07, 2009 - "... Adobe plans to make available an update to Adobe Illustrator to resolve the issue by January 8, 2010. Adobe recommends customers avoid opening .eps files from unknown or untrusted sources in Illustrator until a patch is available..."
:fear:
-
Flash Player v10.0.42.34 released
FYI...
Flash Player v10.0.42.34 released
- http://www.adobe.com/support/securit...apsb09-19.html
December 8, 2009 - "... All Platforms...
Affected software versions:
Adobe Flash Player 10.0.32.18 and earlier versions
Adobe AIR 1.5.2 and earlier versions...
Adobe recommends all users of Adobe Flash Player 10.0.32.18 and earlier versions upgrade to the newest version 10.0.42.34 by downloading it from the Flash Player Download Center or by using the auto-update mechanism within the product when prompted...
CVE numbers: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951 ..."
- http://www.adobe.com/support/securit...apsb09-19.html
Revisions: December 10, 2009 - Bulletin updated with corrected version numbers in Details section and link to Flash Player 9 under Solution.
"... For users who cannot update to Adobe Flash Player 10, Adobe has developed a patched version of Adobe Flash Player 9, Adobe Flash Player 9.0.260, which can be downloaded from the following link:
http://www.adobe.com/go/kb406791 "
- http://get.adobe.com/flashplayer/
Browser: Firefox, Safari, Opera - install_flash_player.exe
- http://get.adobe.com/flashplayer/otherversions/
Internet Explorer - install_flash_player_ax.exe
- http://get.adobe.com/air/
- http://secunia.com/advisories/37584/2/
Release Date: 2009-12-09
Critical: Highly critical
Impact: Exposure of system information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x, Adobe Flash Player 10.x ...
Solution: Update to Flash Player version 10.0.42.34 and AIR version 1.5.3...
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb09-19.html
:fear:
-
0-day Adobe Reader and Acrobat exploit in the wild
FYI...
0-day Adobe Reader and Acrobat exploit in the wild
- http://www.symantec.com/connect/blog...y-xmas-present
December 14, 2009 - "Earlier today, we received a tip from a source that there is a possible Adobe Reader and Acrobat 0-day vulnerability in the wild. We have indeed -confirmed- the existence of a 0-day vulnerability in these products. The PDF files we discovered arrive as an email attachment. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H*. We have reported our findings to Adobe who have acknowledged the vulnerability in this blog**..."
* http://www.symantec.com/business/sec...121422-3337-99
** http://blogs.adobe.com/psirt/2009/12...acrobat_v.html
December 14, 2009 - "... vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324)..."
- http://secunia.com/advisories/37690/2/
Last Update: 2009-12-16
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe Acrobat 9.x, Adobe Reader 9.x ...
...Fixed versions will reportedly be available by January 12, 2010*..."
* http://www.adobe.com/support/securit...apsa09-07.html
- http://www.shadowserver.org/wiki/pmw...endar/20091214
December 14, 2009 - "... this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself...
Disable JavaScript. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
... we strongly recommend you disable JavaScript..."
:fear::fear:
-
Security Advisory for Adobe Reader and Acrobat
FYI...
Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/securit...apsa09-07.html
December 15, 2009 - "... Adobe has confirmed a -critical- vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions... Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue...
Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote* for more information. Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK
Customers using Microsoft DEP ("Data Execution Prevention") functionality available in certain versions of Microsoft Windows are at reduced risk..."
* http://kb2.adobe.com/cps/532/cpsid_53237.html
:fear:
-
0-day Adobe Reader/Acrobat updated...
FYI...
(0-day ...updated) Adobe Reader/Acrobat memory corruption vulns
- http://secunia.com/advisories/37690/
Last Update: 2009-12-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
Software: Adobe Acrobat... Reader...
Description:
-Two- vulnerabilities have been reported in Adobe Reader and Acrobat, which can be exploited by malicious people to compromise a user's system.
1) An error in the implementation of the "Doc.media.newPlayer()" JavaScript method can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file.
NOTE: This vulnerability is currently being actively exploited.
2) An array indexing error exists in 3difr.x3d when processing U3D CLOD Mesh Declaration blocks. This can potentially be exploited to corrupt memory and execute arbitrary code via a PDF file containing a specially crafted U3D model.
The vulnerabilities are confirmed in version 9.2. Other versions may also be affected...
- http://secunia.com/advisories/37690/2/
"... Solution:
> Do not open untrusted PDF files. Do not browse untrusted websites or follow untrusted links.
> Use the JavaScript Blacklist functionality* to block the "Doc.media.newPlayer()" method. Please see the vendor's advisory for more information.
> Versions fixing vulnerability #1 will reportedly be available by January 12, 2010...
2009-12-29: Added vulnerability #2 to the advisory..."
* http://www.adobe.com/support/securit...apsa09-07.html
"... Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat..."
:fear::fear:
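An added example for this post and for the earlier 0-day Flash-in-PDF post (not code from Adobe, Secunia or any source quoted in the thread): a small Python triage script that flags the PDF features the advisories name, JavaScript actions, the Doc.media.newPlayer() method, embedded Flash and U3D models, and looks inside FlateDecode streams and #xx-escaped names where such keywords are often hidden from naive string scans. The indicator list, the weights and the constructed sample document are this example's own assumptions.

```python
"""Static triage of a PDF for the features abused in the Adobe Reader/Flash
advisories quoted in this thread. Example code written for this post; it is
not Adobe's, Secunia's or any vendor's tool. It only reports indicators and
does not decide that a file is malicious."""
import re
import zlib

# (regex applied to raw bytes plus inflated streams, description, weight).
# The weights are this example's own choice, not something the advisories define.
INDICATORS = [
    (rb"/JavaScript\b", "JavaScript action", 2),
    (rb"/JS\b", "inline JavaScript", 2),
    (rb"/OpenAction\b", "action runs when the file is opened", 2),
    (rb"/AA\b", "additional-actions dictionary", 1),
    (rb"/RichMedia\b", "RichMedia annotation (embedded Flash)", 3),
    (rb"/Flash\b", "Flash content declared", 3),
    (rb"/3D\b", "3D annotation", 1),
    (rb"/U3D\b", "U3D model (Secunia 37690 #2 vector)", 3),
    (rb"newPlayer", "Doc.media.newPlayer() (CVE-2009-4324 vector)", 5),
    (rb"/Launch\b", "Launch action", 3),
]

_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_HEXNAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
_MAX_INFLATED = 4 * 1024 * 1024  # cap per stream so a decompression bomb cannot exhaust memory


def _normalise_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return _HEXNAME_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def _inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that inflates as zlib
    (FlateDecode). Streams in other encodings or corrupt data are skipped."""
    decoded = []
    for m in _STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates truncated streams and trailing junk,
            # which hand-built malicious files often contain.
            decoded.append(zlib.decompressobj().decompress(m.group(1), _MAX_INFLATED))
        except zlib.error:
            continue
    return b"\n".join(decoded)


def triage_pdf(data: bytes) -> dict:
    """Scan raw PDF bytes plus their inflated streams. Returns the matched
    indicators with hit counts and a score summing each distinct indicator's weight."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF: missing %PDF header")
    view = _normalise_names(data) + b"\n" + _normalise_names(_inflate_streams(data))
    findings, score = [], 0
    for pattern, label, weight in INDICATORS:
        hits = len(re.findall(pattern, view))
        if hits:
            findings.append((label, hits))
            score += weight
    return {"score": score, "findings": findings}


# Constructed, harmless sample documents (assumptions of this example).
BENIGN_SAMPLE = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                 b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                 b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_sample(script: bytes, compress: bool = True) -> bytes:
    """Construct a tiny PDF whose OpenAction points at `script`, stored in a
    FlateDecode stream with the /JavaScript name hex-escaped the way obfuscated
    samples do. Test input only; it carries no exploit code."""
    body = zlib.compress(script) if compress else script
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    # A script that merely references the blacklisted method is enough to trip the scanner.
    print(triage_pdf(build_sample(b"var p = this.media.newPlayer;")))
    print(triage_pdf(BENIGN_SAMPLE))
```

A hit list is a reason to hold a file for analysis or to confirm the JavaScript Blacklist entry is in place, not proof of compromise; benign forms and 3D brochures also use these features.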
-
Adobe Reader v9.3 released
FYI...
Adobe Reader v9.3 released
- http://www.adobe.com/support/securit...apsb10-02.html
January 12, 2010 - "... Adobe recommends users of Adobe Reader 9.2 and Acrobat 9.2 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3 and Acrobat 9.3. Adobe recommends users of Acrobat 8.1.7 and earlier versions for Windows and Macintosh update to Acrobat 8.2. For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3, Adobe has provided the Adobe Reader 8.2 update. Updates apply to all platforms: Windows, Macintosh and UNIX...
- http://get.adobe.com/reader
CVE numbers: CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3956, CVE-2009-3957, CVE-2009-3958, CVE-2009-3959, CVE-2009-4324
Platform: All ...
Severity rating:
Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
Release notes:
- http://kb2.adobe.com/cps/520/cpsid_52073.html
- http://secunia.com/advisories/38138/2/
Release Date: 2010-01-13 - "... Support has ended for Adobe Reader 7.x and Acrobat 7.x on Windows, Macintosh, and UNIX...
Solution: ...Upgrade to version 8.2 or 9.3..."
:fear::fear: