
Thread: Old Adobe updates/advisories

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,150

    Old Adobe updates/advisories

    FYI...

    - http://www.securityfocus.com/news/11511
    2008-03-28 - "Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears.. While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals... Using a specially-crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, allowing an attacker the ability to access the victims' funds... until Web site developers rebuild their Flash multimedia with the latest authoring tools, the older files still present on their company's Web sites could be used by fraudsters to attack the site's users... Adobe estimates that 98 percent of Web users have the Adobe Flash Player installed. Flash is widely used to create the advertisements hosted on most Web sites. Because the advertisements are generally provided by third-party services, using the affiliate networks to send out malicious Flash advertisements has become a serious vector of attack..."
    * http://www.adobe.com/devnet/flashpla...ty_update.html
    "Adobe is planning to release a security update for Flash Player 9 in April 2008 to strengthen the security of Adobe Flash Player for our customers and end users... This security update will make the optional socket policy file changes introduced in Flash Player 9,0,115,0 mandatory..."

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar
    Flash Player version 9.0.124.0 released

    FYI...

    Flash Player version 9.0.124.0 released
    - http://www.adobe.com/shockwave/downl...ShockwaveFlash

    APSB08-11 Flash Player update available to address security vulnerabilities
    - http://www.adobe.com/support/securit...apsb08-11.html
    04/08/2008 - "Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system...
    Affected software versions:
    Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier..."
    Severity rating:
    Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."
    Installation instructions:
    - http://www.adobe.com/products/flashp.../instructions/
    Test:
    - http://www.adobe.com/products/flash/about/

    - http://secunia.com/advisories/28083/
    Release Date: 2008-04-09
    Critical: Highly critical
    Impact: Security Bypass, Cross Site Scripting, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Adobe Flash Player 9.x ...
    ...The vulnerabilities are reported in versions prior to 9.0.124.0...

    CVE reference:
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5275

    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6019
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6243
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6637

    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1654
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1655 ...

    Last edited by AplusWebMaster; 2008-04-09 at 23:25. Reason: Added Secunia advisory and CVE references.

  3. #3
    Adviser Team AplusWebMaster's Avatar
    Flash player exploit in the wild

    FYI...

    - http://blogs.zdnet.com/security/?p=1236
    June 3, 2008 - "...Google Analytics has a nifty feature where it will give you information on your visitor's browser capabilities, including the version of Flash installed down to the revision level... the statistics confirmed the low percentage of up-to-date Flash players.
    Date % up-to-date
    5/26 15.28
    5/27 15.93
    5/28 16.50
    5/29 17.51
    Remember, this is still 7 weeks after the update was released... After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability... How does the average user know that they should update Flash and how to do so? By reading the trade press? Microsoft learned that you have to harass the user into patching their operating system and even then, it should be as automatic as possible. As Flash currently enjoys an essentially universal market share, now is the time to make significant security improvements without having to repeat the lessons that others have had to so painfully learn..."

    - http://www.shadowserver.org/wiki/pmw...endar.20080527
    May 27, 2008


  4. #4
    Adviser Team AplusWebMaster's Avatar
    Flash Player workaround - Clickjacking issue

    FYI...

    - http://www.adobe.com/support/securit...apsa08-08.html
    Release date: October 7, 2008
    Vulnerability identifier: APSA08-08
    Platform: All Platforms
    Affected Software: Adobe Flash Player 9.0.124.0 and earlier
    ...To prevent this potential issue, customers can change their Flash Player settings as follows:
    1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documen...manager02.html
    2. Select the "Always deny" button.
    3. Select ‘Confirm’ in the resulting dialog.
    4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and/or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documen...manager06.html ...
    ---

    - http://blogs.adobe.com/psirt/2008/10..._advisory.html
    October 7, 2008

    - http://secunia.com/advisories/32163
    Release Date: 2008-10-08

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4503
    Last revised: 10/11/2008

    Last edited by AplusWebMaster; 2008-10-13 at 23:50. Reason: Added other references...

  5. #5
    Adviser Team AplusWebMaster's Avatar
    Flash Player v10.0.12.36 released

    FYI...

    Adobe Flash Player v10.0.12.36 released
    - http://www.adobe.com/go/getflashplayer
    October 15, 2008

    Understanding the security changes in Flash Player 10
    - http://www.adobe.com/devnet/flashpla...ges_print.html
    Modified: 15 October 2008

    Flash Player installation instructions
    - http://www.adobe.com/products/flashp.../instructions/
    ...Installation instructions for Windows Internet Explorer... "may require administrative access to your PC..."
    ...Installation instructions for Windows non-Internet Explorer... "may require administrative access to your PC..."

    Flash Player update available to address security vulnerabilities
    - http://www.adobe.com/support/securit...apsb08-18.html
    Release date: October 15, 2008 ...
    CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503
    Platform: All Platforms
    Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform...
    Affected software versions: Adobe Flash Player 9.0.124.0 and earlier...

    - http://www.us-cert.gov/current/archi...y_bulletin_for
    October 16, 2008

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2007-4324
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2007-6243
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-3873
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4401
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4503

    Test your current install: http://www.adobe.com/products/flash/about/

    Last edited by AplusWebMaster; 2008-11-18 at 12:04. Reason: Added test link...

  6. #6
    Adviser Team AplusWebMaster's Avatar
    Flash Player v9.0.151.0 / v10.0.12.36 updates...

    FYI...

    Flash Player multiple vulns - updates available
    - http://www.adobe.com/support/securit...apsb08-20.html
    Release date: November 5, 2008
    Vulnerability identifier: APSB08-20
    CVE number: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823 ...
    Platform: All Platforms
    Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. No action is required by customers who have already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update addresses the issues previously reported in Security Bulletin APSB08-18 in addition to the issues outlined in this Security Bulletin.
    Affected software versions: Adobe Flash Player 9.0.124.0 and earlier.
    To verify the Adobe Flash Player version number, access the About Flash Player page* ...
    * http://www.adobe.com/products/flash/about/
    Solution: Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center**, or by using the auto-update mechanism within the product when prompted.
    ** http://www.adobe.com/go/getflashplayer
    For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link***.
    *** http://www.adobe.com/go/kb406791
    Severity rating: Adobe categorizes this as a critical update due to the issues previously outlined in Security Bulletin APSB08-18 and recommends affected users upgrade to version 10.0.12.36...

    http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4818
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4819
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4820
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4821
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4822
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4823

    Last edited by AplusWebMaster; 2008-11-18 at 12:06.

  7. #7
    Adviser Team AplusWebMaster's Avatar

    FYI...

    Additional disclosure of security vulnerabilities fixed in Flash Player 10.0.12.36 and Flash Player 9.0.151.0
    - http://www.adobe.com/support/securit...apsb08-22.html
    Release date: November 17, 2008
    Vulnerability identifier: APSB08-22
    CVE number: http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4824
    Platform: All Platforms


  8. #8
    Adviser Team AplusWebMaster's Avatar
    Linux Flash player update...

    FYI...

    Security update available for -Linux- Flash Player 10.0.12.36 and Linux Flash Player 9.0.151.0
    - http://www.adobe.com/support/securit...apsb08-24.html
    Release date: December 17, 2008
    Vulnerability identifier: APSB08-24
    CVE number: http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5499
    Platform: Linux ...
    Adobe recommends all users of Flash Player for Linux 10.0.12.36 and Flash Player for Linux 9.0.151.0 and earlier versions upgrade to the newest version 10.0.15.3 by downloading it from the Player Download Center*, or by using the auto-update mechanism within the product when prompted.
    * http://get.adobe.com/flashplayer
    For users who cannot update to Flash Player for Linux 10.0.15.3, Adobe has developed a patched version, Flash Player for Linux 9.0.152.0**, which can be downloaded from the following link...
    http://www.adobe.com/go/kb406791
    Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 10.0.15.3...

    SUSE update for flash-player
    - http://secunia.com/advisories/33294/
    Release Date: 2008-12-22
    Critical: Highly critical
    Impact: System access
    Where: From remote...
    Original Advisory: SUSE-SA:2008:059:
    http://lists.opensuse.org/opensuse-s.../msg00006.html

    Red Hat update for flash-plugin
    - http://secunia.com/advisories/33267/
    Release Date: 2008-12-22
    Critical: Highly critical
    Impact: System access
    Where: From remote...
    Solution Status: Vendor Patch
    Original Advisory:
    https://rhn.redhat.com/errata/RHSA-2008-1047.html ...

    Last edited by AplusWebMaster; 2008-12-22 at 16:49. Reason: Added Secunia advisories...
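
An added example (not from the thread, Adobe, or any advisory quoted here): a branch-aware patch-level check for Flash Player version strings, using the fixed builds named in APSB08-20 and APSB08-24 as quoted in the posts above. The `WIN`/`MAC`/`LNX` platform prefixes and the sample inventory are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Fixed builds per major branch, as named in the bulletins quoted in this thread:
# APSB08-20 (all platforms) and APSB08-24 (Linux).
FIXED = {
    "default": {9: (9, 0, 151, 0), 10: (10, 0, 12, 36)},
    "LNX": {9: (9, 0, 152, 0), 10: (10, 0, 15, 3)},
}

# Accepts "9.0.124.0" and "9,0,115,0", with an optional platform prefix
# (assumption: WIN/MAC/LNX prefixes as reported by the player itself).
VERSION_RE = re.compile(r"^(?:(WIN|MAC|LNX)\s+)?(\d+)[.,](\d+)[.,](\d+)[.,](\d+)$")


def parse_version(raw):
    """Return (platform_or_None, (major, minor, build, revision))."""
    m = VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Flash Player version string: %r" % raw)
    return m.group(1), tuple(int(g) for g in m.groups()[1:])


def classify(raw):
    """Return 'patched', 'vulnerable' or 'unparsed' for one version string."""
    try:
        platform, ver = parse_version(raw)
    except ValueError:
        return "unparsed"
    table = FIXED["LNX"] if platform == "LNX" else FIXED["default"]
    major = ver[0]
    if major > max(table):
        return "patched"      # newer branch than the bulletins cover
    if major not in table:
        return "vulnerable"   # assumption: thread names no fixed build below 9.x
    # Compare integer tuples, never strings: "9.0.124.0" > "10.0.12.36" as text.
    return "patched" if ver >= table[major] else "vulnerable"


def audit(samples):
    """Return (Counter of statuses, percent patched among parsed samples)."""
    counts = Counter(classify(s) for s in samples)
    parsed = counts["patched"] + counts["vulnerable"]
    pct = round(100.0 * counts["patched"] / parsed, 2) if parsed else 0.0
    return counts, pct


# Constructed inventory, e.g. version strings collected from endpoints.
SAMPLE = [
    "WIN 9,0,124,0", "WIN 10,0,12,36", "LNX 10,0,12,36", "LNX 10,0,15,3",
    "9.0.151.0", "MAC 9,0,115,0", "WIN 8,0,39,0", "garbage",
]

if __name__ == "__main__":
    counts, pct = audit(SAMPLE)
    print(dict(counts), "%.2f%% patched" % pct)
```

The same build number can be patched on one platform and vulnerable on another: `10.0.12.36` is the fixed build in APSB08-20 but is listed as affected on Linux in APSB08-24.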

  9. #9
    Adviser Team AplusWebMaster's Avatar
    Acrobat [Reader] 0-Day on the loose

    FYI...

    Acrobat [Reader] 0-Day On the Loose
    - http://www.shadowserver.org/wiki/pmw...endar.20090219
    2009-02-19 - "The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited. We are aware of several different variations of this attack, however, we were provided with a sample last week in which we were permitted to analyze and detail in this post. We want to make it clear that we did not discover this vulnerability and are only posting this information to make sure others are aware and can adequately protect themselves. All of our testing was done on Adobe Acrobat Reader 8.1.0, 8.1.1, 8.1.2, 8.1.3 (latest release of 8), and 9.0.0 (latest release of 9)... We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
    Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript ... Adobe has since issued a public advisory* about this issue that has been posted here. They are expecting an update by March 11th, 2009 for Adobe 9 and updates for other version (8 and 7) to follow soon after..."
    * http://www.adobe.com/support/securit...apsa09-01.html
    February 19, 2009 - "...Adobe categorizes this as a critical issue..."

    - http://blogs.adobe.com/psirt/2009/02...bat_issue.html
    February 19, 2009 09:18 PM

    Last edited by AplusWebMaster; 2009-02-22 at 13:04.

  10. #10
    Adviser Team AplusWebMaster's Avatar
    Acrobat Reader 0-Day exploit in the wild...

    More on this:

    - http://preview.tinyurl.com/bp67qy
    February 20, 2009 Security Fix - "...In the past I have recommended the free version of Foxit Reader as a faster and more lightweight alternative for viewing PDF files. However, I have not yet been able to verify whether Foxit Reader may be similarly vulnerable...
    Update, 10:34 a.m. ET: "Sherry" from Foxit wrote me back to say the company has no information to suggest Foxit is similarly vulnerable: "Currently Foxit Software have not suffered these problems. And we will pay attention to it in the future." Also, Symantec has now posted its writeup on this flaw*, saying it has received reports of targeted attacks against government, large enterprise and financial services organizations..."
    * http://preview.tinyurl.com/cajqre
    02-20-2009 Symantec Security Response Blog
    * http://preview.tinyurl.com/cqs68s
    February 12, 2009 Symantec Security Response - "... The Trojan opens a backdoor on the compromised computer. It then contacts the following remote host in order to steal information from the compromised computer: js001 .3322 .org ..."

    - http://secunia.com/advisories/33901/
    Release Date: 2009-02-20
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched...

    Last edited by AplusWebMaster; 2009-02-20 at 22:31. Reason: Added Secunia advisory/ref...
