Old Adobe updates/advisories

Adobe critical updates scheduled...

FYI...

Flash, Reader, Acrobat critical updates scheduled...
- http://www.adobe.com/support/security/advisories/apsa11-02.html
April 13, 2011- "... We... expect to make available an update for Flash... on Friday, April 15, 2011. We expect to make available an update for Adobe Acrobat... and Adobe Reader... no later than the week of April 25, 2011..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611
Last revised: 04/13/2011
CVSS v2 Base Score: 9.3 (HIGH)
"... as exploited in the wild in April 2011..."

:fear:
 
Flash Player v10.2.159.1 released

FYI...

Flash Player v10.2.159.1 released
- http://www.adobe.com/support/security/bulletins/apsb11-07.html
April 15, 2011 - "A critical vulnerability has been identified in Adobe Flash Player 10.2.153.1 and earlier versions... Adobe recommends... update to Adobe Flash Player 10.2.159.1..."

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,2,159,1 installed"

:fear::fear:
 
Last edited:
Drive-by Flash cache attacks ...

FYI...

Drive-by Flash cache attacks...
- http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/
19 April 2011 - "Miscreants have deployed a subtle variant of the well established drive-by-download attack tactics against the website of human rights organisation Amnesty International. In traditional drive-by-download attacks malicious code is planted on websites. This code redirects surfers to an exploit site, which relies on browser vulnerabilities or other exploits to download and execute malware onto visiting PCs. The attack on the Amnesty website, detected by security firm Armorize*, relied on a different sequence of events. In this case, malicious scripts are used to locate the malware which is already sitting in the browser's cache directory, before executing it. This so-called drive-by cache approach make attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect. By bypassing this step dodgy sorts are more likely to slip their wares past security software undetected. The Amnesty International attack ultimately relied on an Adobe Flash zero-day exploit, patched by Adobe** late last week..."
* http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html

- http://www.virustotal.com/file-scan...1e14b1b069e9abd83889da7e2f8d15c227-1303129354
File name: display[1].swf
Submission date: 2011-04-18 12:22:34 (UTC)
Result: 1/40 (2.5%)

** Flash Player v10.2.159.1 released
- http://forums.spybot.info/showpost.php?p=401253&postcount=32

:fear::mad::fear:
 
Last edited:
Adobe Reader/Acrobat critical security updates

FYI...

Adobe Reader/Acrobat security updates
- http://www.adobe.com/support/security/bulletins/apsb11-08.html
CVE number: CVE-2011-0611, CVE-2011-0610
April 21,2011 - "Critical vulnerabilities have been identified in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems... Adobe recommends users of Adobe Reader X (10.0.2) for Macintosh update to Adobe Reader X (10.0.3). For users of Adobe Reader 9.4.3... update (to) Adobe Reader 9.4.4... Users on Windows and Macintosh can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates...
Adobe Reader 9.x users on Windows can also find the appropriate update here:
- http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
Adobe Reader 10.x and 9.x users on Macintosh can also find the appropriate update here:
- http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh ..."

- http://secunia.com/advisories/44149/
Last Update: 2011-04-22
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0610
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611
Last revised: 05/03/2011
CVSS v2 Base Score: 9.3 (HIGH)
Solution: Update to version 9.4.4 or 10.0.3

- http://www.securitytracker.com/id/1025434
Apr 22 2011

:fear::fear:
 
Last edited:
Adobe Photoshop CS5 12.0.4 released

FYI...

Adobe Photoshop CS5 12.0.4 released
- http://secunia.com/advisories/44419/
Release Date: 2011-05-03
Criticality level: Moderately critical
Impact: Unknown
Where: From remote ...
Software: Adobe Photoshop CS5 12.x
... The vulnerabilities are reported in versions -prior- to CS5 12.0.4.
Solution: Update to version CS5 12.0.4...
Original Advisory: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4973
"... A number of potential security vulnerabilities have been addressed..."

- http://www.securitytracker.com/id/1025483
May 4 2011

:fear:
 
Last edited:
Adobe - critical security updates...

FYI...

APSB11-09 – Security update available for RoboHelp (Important Severity)
- http://www.adobe.com/support/security/bulletins/apsb11-09.html
APSB11-10 – Security update available for Audition (Critical Severity)
- http://www.adobe.com/support/security/bulletins/apsb11-10.html
APSB11-11 – Security update available for Flash Media Server (FMS) (Critical Severity)
- http://www.adobe.com/support/security/bulletins/apsb11-11.html
APSB11-12 – Security update available for Flash Player (Critical Severity)
- http://www.adobe.com/support/security/bulletins/apsb11-12.html
May 12, 2011
CVE number: CVE-2011-0589, CVE-2011-0618, CVE-2011-0619, CVE-2011-0620, CVE-2011-0621, CVE-2011-0622, CVE-2011-0623, CVE-2011-0624, CVE-2011-0625, CVE-2011-0626, CVE-2011-0627*
Platform: All Platforms
"Critical vulnerabilities have been identified... Adobe recommends users of Adobe Flash Player 10.2.159.1 and earlier versions... update to Adobe Flash Player 10.3.181.14..."

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,3,181,14 installed"

- http://www.securitytracker.com/id/1025533
May 13 2011 - "... One of the vulnerabilities [CVE-2011-0627] is being actively exploited on Windows-based systems via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file and delivered via email attachment..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0627
Last revised: 05/16/2011
CVSS v2 Base Score: 9.3 (HIGH)
"... before 10.3.181.14 on Windows..."
____

Local settings manager (new in desktop only)
- http://www.adobe.com/products/flashplayer/features/index.html
"... Flash Player 10.3 integrates control of local storage with the browser's privacy settings... Users can access the Flash Player Settings Manager directly from the Control Panel or System Preferences..."
___

- http://secunia.com/advisories/44480/ - RoboHelp
- http://www.securitytracker.com/id/1025530 - Audition
- http://secunia.com/advisories/44589/ - Flash Media Server
- http://secunia.com/advisories/44590/ - Flash
Release Date: 2011-05-13
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Original Advisory: Adobe (APSB11-12):
http://www.adobe.com/support/security/bulletins/apsb11-12.html

:fear:
 
Last edited:
Flash exploit-in-the-wild...

FYI...

> http://forums.spybot.info/showpost.php?p=404201&postcount=36
"... update to Adobe Flash Player 10.3.181.14..."
- http://www.securitytracker.com/id/1025533
May 13 2011 - "... One of the vulnerabilities [CVE-2011-0627*] is being actively exploited on Windows-based systems via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file and delivered via email attachment..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0627
Last revised: 05/13/2011

:fear::fear:
 
Last edited:
Flash v10.3.181.2x released

FYI...

Prenotification Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb11-16.html
June 9, 2011 - "Adobe is planning to release updates for Adobe Reader X (10.0.1) for Windows and Adobe Reader X (10.0.3) for Macintosh; Adobe Reader 9.4.3 and earlier versions for Windows and Macintosh; Adobe Acrobat X (10.0.3) for Windows and Macintosh; and Adobe Acrobat 9.4.2 and earlier versions for Windows and Macintosh to resolve critical security issues. Adobe expects to make these updates available on Tuesday, June 14, 2011..."
___

Flash v10.3.181.2x released
- http://www.adobe.com/support/security/bulletins/apsb11-13.html
Revisions:
June 8, 2011 - Updated with information on Adobe Reader and Acrobat
June 7, 2011 - Updated with information on Android update.
June 5, 2011 - CVE-2011-2107
Summary: An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being actively exploited in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message...
Solution: Adobe recommends all users... update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX)..."

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2107
Last revised: 06/09/2011

- http://secunia.com/advisories/44846/
Impact: Cross Site Scripting
Where: From remote...
Solution: Update to Flash Player version 10.3.181.22 (10.3.181.23 for ActiveX).

- http://www.securitytracker.com/id/1025603
Jun 6 2011 - CVE-2011-2107
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Solution: The vendor has issued a fix (10.3.181.22; 10.3.181.23 for ActiveX; 10.3.185.22 for Android). The Android fix will be available the week of June 6, 2011.

:fear:
 
Last edited:
Last edited:
Adobe - multiple critical updates

FYI...

Adobe - multiple critical updates

Flash Player- critical update
- http://www.adobe.com/support/security/bulletins/apsb11-18.html
June 14, 2011 - "A critical vulnerability has been identified in Adobe Flash Player 10.3.181.23 and earlier versions... Adobe recommends... update to Adobe Flash Player 10.3.181.26... Note:... does -not- affect the Authplay.dll component that ships with Adobe Reader and Acrobat..."
CVE number: CVE-2011-2110
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2110
Last revised: 06/17/2011
CVSS v2 Base Score: 10.0 (HIGH)

- http://www.securitytracker.com/id/1025651
Jun 14 2011 - CVE-2011-2110
... This vulnerability is being actively exploited via targeted web pages.
Impact: A remote user can create Flash content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix 10.3.181.26*...

- http://secunia.com/advisories/44964/
Release Date: 2011-06-15
Criticality level: Extremely critical...
NOTE: The vulnerability is reportedly being actively exploited in targeted attacks... 10.3.181.23 and earlier...
Solution: Apply updates... (10.3.181.26)...
___

Reader and Acrobat - critical updates
- http://www.adobe.com/support/security/bulletins/apsb11-16.html
June 14, 2011 - "Critical vulnerabilities have been identified in Adobe Reader X (10.0.1) and earlier versions for Windows, Adobe Reader X (10.0.3) and earlier versions for Macintosh, and Adobe Acrobat X (10.0.3) and earlier...
Adobe recommends users of Adobe Reader X (10.0.3) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1). For users of Adobe Reader 9.4.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1), Adobe has made available updates, Adobe Reader 9.4.5 and Adobe Reader 8.3...
Adobe recommends users of Adobe Acrobat X (10.0.3) for Windows and Macintosh update to Adobe Acrobat X (10.1). Adobe recommends users of Adobe Acrobat 9.4.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.5, and users of Adobe Acrobat 8.2.6 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3... Users can utilize the product's update mechanism..."
CVE numbers: CVE-2011-2094, CVE-2011-2095, CVE-2011-2096, CVE-2011-2097, CVE-2011-2098, CVE-2011-2099, CVE-2011-2100, CVE-2011-2101, CVE-2011-2102, CVE-2011-2103, CVE-2011-2104, CVE-2011-2105, CVE-2011-2106
... before 8.3, 9.x before 9.4.5, and 10.x before 10.1...
- http://www.securitytracker.com/id/1025658
June 14 2011
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network...
Version(s): 8.x - 8.2.6, 9.x - 9.4.4, 10.x - 10.0.3
Solution: The vendor has issued a fix (8.3, 9.4.5, 10.1).
___

Shockwave Player - critical update
- http://www.adobe.com/support/security/bulletins/apsb11-17.html
June 14, 2011 - "Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.620 and earlier versions... Adobe recommends users of Adobe Shockwave Player 11.5.9.620 and earlier versions upgrade to the newest version 11.6.0.626, available here: http://get.adobe.com/shockwave/ "
CVE number: CVE-2011-0317, CVE-2011-0318, CVE-2011-0319, CVE-2011-0320, CVE-2011-0335, CVE-2011-2108, CVE-2011-2109, CVE-2011-2111, CVE-2011-2112, CVE-2011-2113, CVE-2011-2114, CVE-2011-2115, CVE-2011-2116, CVE-2011-2117, CVE-2011-2118, CVE-2011-2119, CVE-2011-2120, CVE-2011-2121, CVE-2011-2122, CVE-2011-2123, CVE-2011-2124, CVE-2011-2125, CVE-2011-2126, CVE-2011-2127
___

Hotfix available for ColdFusion
- http://www.adobe.com/support/security/bulletins/apsb11-14.html
June 14, 2011 - "Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to a cross-site request forgery (CSRF) or a remote denial-of-service (DoS). Adobe recommends users update their product...
Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote:
- http://kb2.adobe.com/cps/907/cpsid_90784.html ..."
CVE number: CVE-2011-0629, CVE-2011-2091
___

LiveCycle Data Services, LiveCycle ES, and BlazeDS - Security update
- http://www.adobe.com/support/security/bulletins/apsb11-15.html
June 14, 2011 - "Two important security vulnerabilities have been identified in LiveCycle Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.1 and earlier versions. Adobe recommends users update their product...
Solution... " Use the URL above for instructions and links.
CVE number: CVE-2011-2092, CVE-2011-2093

:fear::fear::fear::fear::fear:
 
Last edited:
Flash v10.3.181.34 released

FYI...

- http://www.adobe.com/support/security/
No advisory posted - yet. (released in new version of Chrome)

Fixes in Flash Player 10.3.181.34
- http://kb2.adobe.com/cps/901/cpsid_90194.html#main_10.3.181.34
Jira bugs
[FP-###] denotes bugs that are filed in the Adobe Flash Player Bug and Issue Management System https://bugs.adobe.com/flashplayer
[FP-5317] Flash Player crashes when a high definition video is played in -any- browser (2848668)
[FP-6143] Flash app does not resize properly when wmode=transparent
[FP-6163] During 'Press Esc to exit full screen message' Flash player does not allow to load swf which loads another swf into SWFLoader. (2808217)
[FP-6198] url is being returned escaped in Flash Player 10.2, but wasn't in Flash Player 10.1 (2812702)
[FP-6230] DisplacementMapFilter doesn't work when movie is scaled (2814161)...
Browser...
Chrome: Printing SWFs is not enabled in Google Chrome. We are working with Google to address this issue. (2490502)
Safari: Printing SWFs is not enabled in Safari on Windows platforms. We are investigating this issue with Apple. (2490502)
Firefox: [FP-19322] In Firefox, a FaultEvent returns a status code of zero, ignoring the status returned by the web server (2827551)
Content Hero game at http://www.fishhf.com/ fails to load when using Firefox 3 (2834776)
When using Firefox 4 on Ubuntu Operating System, videos at new.music.yahoo.com fail to play (2840163)
Internet Explorer: [FP-6597] In Internet Explorer, tab navigation may stop working after tabbing to the end of Flash content ( 2849526)...
___

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/

:fear:
 
Last edited:
60% of Adobe Reader users unpatched...

FYI...

60% of Adobe Reader users unpatched...
- http://www.darkreading.com/taxonomy/index/printarticle/id/231001642
Jul 13, 2011 - "Six out of every 10 users of Adobe Reader are running unpatched versions of the program, leaving them vulnerable to a variety of malware attacks... In a study of its own antivirus users, Avast Software found that 60.2 percent of those with Adobe Reader were running a vulnerable version of the program... More than 80 percent of Avast users run a version of Adobe Reader... Brad Arkin, senior director of product security and privacy at Adobe, agreed with the Avast analysis. "We find that most consumers don’t bother updating a free app, such as Adobe Reader, as PDF files can be viewed in the older version," he said... Malware PDF exploit packages will typically look for a variety of security weaknesses in the targeted computer, attacking when an uncovered vulnerability is discovered..."

:blink::fear:
 
Adobe -critical- updates released

FYI...

> https://www.adobe.com/support/security/

Flash Player v10.3.183.5 released
- https://www.adobe.com/support/security/bulletins/apsb11-21.html
Last updated: August 12, 2011
Platform: All platforms
Summary: Critical vulnerabilities have been identified in Adobe Flash Player 10.3.181.36 and earlier versions... upgrade to the newest version 10.3.183.5...

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/

CVSS Severity: 10.0 (HIGH)
"... before 10.3.183.5..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2130
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2134
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2135
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2136
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2137
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2138
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2139
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2140
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2414
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2415
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2416
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2417
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2424 - Last revised: 08/16/2011
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2425
___

Adobe AIR v2.7.1 released
- https://krebsonsecurity.com/2011/08/updates-for-adobe-flash-shockwave-air/
August 10, 2011 - "... flaws exist in Adobe AIR (before 2.7.1) for Windows, Mac and Android. Using an application that requires Adobe AIR (Tweetdeck or Pandora, for example) should prompt you to update to the latest version, AIR 2.7.1. If you don’t see a prompt to update the program, the latest version of AIR is available here*..."
* http://get.adobe.com/air/
___

Shockwave Player v11.6.1.629 released
- https://www.adobe.com/support/security/bulletins/apsb11-19.html
August 9, 2011
CVE number: CVE-2010-4308, CVE-2010-4309, CVE-2011-2419, CVE-2011-2420, CVE-2011-2421, CVE-2011-2422, CVE-2011-2423.
Platform: Windows and Macintosh
Summary: Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.0.626 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system... update to Adobe Shockwave Player 11.6.1.629... earlier versions upgrade to the newest version 11.6.1.629 available here:
- http://get.adobe.com/shockwave/

(Note: You may not have, want, or need Shockwave installed...)
Test Shockwave: https://www.adobe.com/shockwave/welcome/
___

Flash Media Server v4.0.3 v3.5.7 released
- https://www.adobe.com/support/security/bulletins/apsb11-20.html
August 9, 2011

Photoshop CS5 and CS5.1 updates available
- https://www.adobe.com/support/security/bulletins/apsb11-22.html
August 9, 2011

RoboHelp updates available
- https://www.adobe.com/support/security/bulletins/apsb11-23.html
August 9, 2011

:fear::spider::fear:
 
Last edited:
Flash Player v10.3.183.7 - addresses compatibility issues...

FYI...

Flash Player 10.3 Release Notes
- http://kb2.adobe.com/cps/901/cpsid_90194.html

Flash Player v10.3.183.7
- http://kb2.adobe.com/cps/901/cpsid_90194.html#main_10.3.183.7
"Adobe Flash Player 10.3.183.7 addresses compatibility issues:
- Calls to gotoAndPlay() and gotoAndStop() no longer fail in some Flash applications which load shared libraries (2943612).
- TextField instances which specify a negative offset (x property contains a negative value) now correctly flow the text horizontally instead of vertically (2941680).
- Improved performance in some cases when displaying complex animations (2941931).
- MSI versions of the Flash Player Installer now properly install the Native Settings Manager control panel on Windows (2939928).
- Flash applications at certain websites (http://www.justin.tv, http://heylenmichel.de) now load correctly (2939645, 2944081)."
___

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/

:fear:
 
Adobe Reader/Acrobat - critical updates: APSB11-24

FYI...

Adobe Reader and Acrobat - critical updates
- https://www.adobe.com/support/security/bulletins/apsb11-24.html
September 13, 2011
CVE numbers: CVE-2011-1353, CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2441, CVE-2011-2442
"Critical vulnerabilities have been identified in Adobe Reader X (10.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system...
... Adobe recommends users of Adobe Reader X (10.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.1). For users of Adobe Reader 9.4.5 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.1), Adobe has made available updates, Adobe Reader 9.4.6 and Adobe Reader 8.3.1...
... Adobe recommends users of Adobe Acrobat X (10.1) for Windows and Macintosh update to Adobe Acrobat X 10.1.1. Adobe recommends users of Adobe Acrobat 9.4.5 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.6, and users of Adobe Acrobat 8.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3.1...
Note: Support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011...

Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates ..."
___

- http://h-online.com/-1342490
14 September 2011 - "... version 10.x offers an updated Adobe Approved Trust List (AATL) from which Adobe has removed all DigiNotar certificates. The 9.x versions don't yet dynamically update the AATL; this feature is planned to be included in future versions. Until then, users are advised to manually delete the certificates – Adobe has released instructions* on how to do so..."
* http://blogs.adobe.com/security/2011/09/diginotarremovalaatl.html
___

- http://www.securitytracker.com/id/1026044
Sep 13 2011
Impact: Execution of arbitrary code via network, User access via local system, User access via network...
Version(s): 8.x prior to 8.3.1, 9.x prior to 9.4.6, and 10.x prior to 10.1.1...

- https://secunia.com/advisories/45978/
Release Date: 2011-09-14
Criticality level: Highly critical
Impact: Security Bypass, Exposure of sensitive information, Privilege escalation,
System access
Where: From remote
Solution Status: Vendor Patch...

:fear::fear:
 
Last edited:
Flash Player v10.3.183.10 released

FYI...

Flash Player v10.3.183.10 released
- https://www.adobe.com/support/security/bulletins/apsb11-26.html
September 21, 2011
CVE number: CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429, CVE-2011-2430, CVE-2011-2444
Platform: All platforms
Summary: Critical vulnerabilities have been identified inAdobe Flash Player 10.3.183.7 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 10.3.183.10... Flash Player for Android... update to Adobe Flash Player for Android 10.3.186.7...

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2426
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2427
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2428
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2430
Last revised: 09/22/2011
"... before 10.3.183.10..."
CVSS v2 Base Score: 9.3 (HIGH)

- https://secunia.com/advisories/46113/
Release Date: 2011-09-22
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote...
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb11-26.html
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-32.html

- http://www.securitytracker.com/id/1026084
Sep 22 2011
___

Adobe Reader and Acrobat updated... to 10.1.1, 9.4.6, 8.3.1
- https://www.adobe.com/support/security/bulletins/apsb11-24.html
Revised: September 21, 2011 - "... These updates also incorporate the Adobe Flash Player updates as noted in Security Bulletin APSB11-21 and Security Bulletin APSB11-26..."
- https://www.adobe.com/support/security/bulletins/apsb11-21.html
- https://www.adobe.com/support/security/bulletins/apsb11-26.html
___

- https://www.us-cert.gov/current/#adobe_prenotification_security_advisory_for3
updated September 22, 2011

:fear::fear:
 
Last edited:
Adobe Photoshop Security Advisory APSA11-03

FYI...

Adobe Photoshop Security Advisory APSA11-03
- https://www.adobe.com/support/security/advisories/apsa11-03.html
September 30, 2011
Platform: Windows
"... Critical vulnerabilities exist in Adobe Photoshop Elements 8.0 and earlier versions. These two buffer overflow vulnerabilities (CVE-2011-2443) could cause a crash and potentially allow an attacker to take control of the affected system... Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Photoshop Elements to date. Photoshop Elements 10 and Photoshop Elements 9 are not vulnerable to this issue. Because Adobe Photoshop 8 and earlier versions are no longer supported, Adobe recommends users upgrade to Photoshop Elements 10 or Photoshop Elements 9..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2443
Last revised: 10/05/2011
CVSS v2 Base Score: 9.3 (HIGH)
"... Adobe Photoshop Elements 8.0 and earlier..."

> http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop_elements&loc=en_us

> https://www.adobe.com/products/photoshop-elements/buying-guide.displayTab3.html
___

- https://secunia.com/advisories/46277/
Release Date: 2011-10-03
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Upgrade to version 10.

:fear:
 
Last edited:
Flash Player v11.0.1.152 released

FYI...

Flash Player v11.0.1.152 released
- http://kb2.adobe.com/cps/919/cpsid_91932.html
October 4, 2011 - "... This release includes new features as well as enhancements and bug fixes related to security, stability, performance and device compatibility..."

New Features in Flash Player 11 and AIR 3
- http://kb2.adobe.com/cps/919/cpsid_91932.html#main_new_features

Known Issues
- http://kb2.adobe.com/cps/919/cpsid_91932.html#main_known_issues

System Requirements - Flash Player 11
- https://www.adobe.com/products/flashplayer/tech-specs.html
• Internet Explorer 7.0 and above, Mozilla Firefox 4.0 and above, Google Chrome, Safari 5.0 and above, Opera 11...
[Apparently -not- compatible with Firefox v3.6.23, possibly others.]
___

Downloads: https://www.adobe.com/special/products/flashplayer/fp_distribution3.html
Flash Player 11 (64 bit)
IE: http://fpdownload.macromedia.com/pu...in/install_flash_player_11_active_x_64bit.exe
Flash Player 11 (32 bit)
IE: http://fpdownload.macromedia.com/pu...in/install_flash_player_11_active_x_32bit.exe
Firefox, other Plugin-based browsers: http://fpdownload.macromedia.com/pu.../win/install_flash_player_11_plugin_32bit.exe

Flash test site: http://www.adobe.com/software/flash/about/
___

- http://nakedsecurity.sophos.com/201...nd-reader-security-interview-with-brad-arkin/
October 6, 2011 - "... Flash applications will now be able to use SSL socket connections to securely communicate over the network. Flash Player will now provide access to your operating system's cryptography APIs... This enables the use of a proper pseudo-random number generator for instances where greater security is required.
Flash is now available in a 64 bit binary as well, and will take advantage of 64 bit ASLR (Address Space Layout Randomization) where available..."

- http://blogs.adobe.com/asset/2011/09/flash-player-11-privacy-and-security-updates.html
___

- https://isc.sans.edu/diary.html?storyid=11731
Oct 04 2011

:fear:
 
Last edited:
Flash click-jacking exploit...

FYI...

Flash click-jacking exploit...
- https://isc.sans.edu/diary.html?storyid=11857
Last Updated: 2011-10-21 - "... a blog post about a vulnerability in Flash that allows for a click jacking attack to turn on the clients camera and microphone. The attack is conceptually similar to the original click jacking attack presented in 2008. Back then Flash adjusted the control panel. The original attack "framed" the entire Flash control page. To prevent the attack, Adobe added frame busting code to the settings page. Feross' attack doesn't frame the entire page, but instead includes just the SWF file used to adjust the settings, bypassing the frame busting javascript in the process.

Update: Adobe fixed the problem. The fix does not require any patches for client side code. Instead, adobe modified the control page and applet that users load from Adobe's servers. Details from Adobe:
- http://blogs.adobe.com/psirt/2011/10/clickjacking-issue-in-adobe-flash-player-settings-manager.html
"... We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website..."
> http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
___

- http://blogs.adobe.com/psirt/2011/1...rity-update-for-adobe-reader-and-acrobat.html
October 21, 2011 - "The next quarterly security update for Adobe Reader and Acrobat has been rescheduled for January 10, 2012."

:fear::fear:
 
Last edited:
You must log in or register to reply here.
Back
Top