Thread: Adobe updates/advisories

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Adobe Prenotification Security Advisory for Reader / Acrobat

    FYI...

    Adobe Prenotification Security Advisory for Reader / Acrobat
    - https://helpx.adobe.com/security/pro...apsb14-28.html
    Dec 4, 2014 - "Summary: Adobe is planning to release security updates on Tuesday, December 9, 2014 for Adobe Reader and Acrobat for Windows and Macintosh. Users may monitor the latest information on the Adobe Product Security Incident Response Team (PSIRT) blog at:
    - http://blogs.adobe.com/psirt
    (Note: This Security Advisory will be replaced with the Security Bulletin upon release of the update.)
    Affected software versions
    Adobe Reader XI (11.0.09) and earlier versions
    Adobe Reader X (10.1.12) and earlier versions
    Adobe Acrobat XI (11.0.09) and earlier versions
    Adobe Acrobat X (10.1.12) and earlier versions."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adobe updates 5.12.2015

    FYI...

    Flash Player 17.0.0.188 released
    - https://helpx.adobe.com/security/pro...apsb15-09.html
    May 12, 2015
    CVE number: CVE-2015-3044, CVE-2015-3077, CVE-2015-3078, CVE-2015-3079, CVE-2015-3080, CVE-2015-3081, CVE-2015-3082, CVE-2015-3083, CVE-2015-3084, CVE-2015-3085, CVE-2015-3086, CVE-2015-3087, CVE-2015-3088, CVE-2015-3089, CVE-2015-3090, CVE-2015-3091, CVE-2015-3092, CVE-2015-3093
    Platform: All Platforms
    Summary: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:
    - Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 17.0.0.188.
    - Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.289.
    - Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.460.
    - Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 17.0.0.188.
    - Users of the Adobe AIR desktop runtime should update to version 17.0.0.172.
    - Users of the Adobe AIR SDK and AIR SDK & Compiler should update to version 17.0.0.172...

    For IE:
    - http://download.macromedia.com/get/f...7_active_x.exe
    For Firefox and other Plugin-based browsers:
    - http://download.macromedia.com/get/f..._17_plugin.exe

    Flash test site: http://www.adobe.com/software/flash/about/

    AIR: http://get.adobe.com/air/

    - http://www.securitytracker.com/id/1032285
    CVE Reference: CVE-2015-3077, CVE-2015-3078, CVE-2015-3079, CVE-2015-3080, CVE-2015-3081, CVE-2015-3082, CVE-2015-3083, CVE-2015-3084, CVE-2015-3085, CVE-2015-3086
    May 12 2015
    Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 17.0.0.169 and prior; other versions affected...
    Solution: The vendor has issued a fix (17.0.0.188; 13.0.0.289 ESR; 11.2.202.460 for Linux).
    ___

    Adobe Reader 11.0.11 / 10.1.14, Acrobat 11.0.11 / 10.1.14 released
    - https://helpx.adobe.com/security/pro...apsb15-10.html
    May 12, 2015
    CVE Numbers: CVE-2014-8452, CVE-2014-9160, CVE-2014-9161, CVE-2015-3046, CVE-2015-3047...
    Platform: Windows and Macintosh
    Summary: Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system. Adobe recommends users update their product installations to the latest versions:
    - Users of Adobe Reader XI (11.0.10) and earlier versions should update to version 11.0.11.
    - Users of Adobe Reader X (10.1.13) and earlier versions should update to version 10.1.14.
    - Users of Adobe Acrobat XI (11.0.10) and earlier versions should update to version 11.0.11.
    - Users of Adobe Acrobat X (10.1.13) and earlier versions should update to version 10.1.14...
    Solution: Adobe recommends users update their software installations by following the instructions below:
    Adobe Reader: The product's default update mechanism is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
    Adobe Reader users on Windows can find the appropriate update here:
    - http://www.adobe.com/support/downloa...atform=Windows
    Adobe Reader users on Macintosh can find the appropriate update here:
    - http://www.adobe.com/support/downloa...form=Macintosh

    Adobe Acrobat: The product's default update mechanism is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
    Acrobat Standard and Pro users on Windows can find the appropriate update here:
    - http://www.adobe.com/support/downloa...atform=Windows
    Acrobat Pro users on Macintosh can find the appropriate update here:
    - http://www.adobe.com/support/downloa...form=Macintosh

    - http://www.securitytracker.com/id/1032284
    CVE Reference: CVE-2014-9160, CVE-2014-9161, CVE-2015-3046, CVE-2015-3047, CVE-2015-3048, CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052, CVE-2015-3053, CVE-2015-3054, CVE-2015-3055, CVE-2015-3056, CVE-2015-3057, CVE-2015-3058, CVE-2015-3059, CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3070, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3074, CVE-2015-3075, CVE-2015-3076
    May 12 2015
    Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 10.1.13 and prior 10.x versions, 11.0.10 and prior 11.x versions
    Solution: The vendor has issued a fix (10.1.14, 11.0.11).

    Last edited by AplusWebMaster; 2015-05-13 at 14:20.

  3. #3
    Adobe PSIRT Advisory - Acrobat and Reader

    FYI...

    Prenotification Security Advisory for Adobe Acrobat and Reader
    - https://helpx.adobe.com/security/pro...apsb15-24.html
    Oct 8, 2015
    Platform: Windows and Macintosh
    Summary: Adobe is planning to release security updates on Tuesday, October 13, 2015 for Adobe Acrobat and Reader for Windows and Macintosh.
    Users may monitor the latest information on the Adobe Product Security Incident Response Team (PSIRT) blog at https://blogs.adobe.com/psirt
    (Note: This Security Advisory will be replaced with the Security Bulletin on October 13.)


  4. #4
    Acrobat/Reader 11.0.15, Digital Editions 4.5.1 released

    FYI...

    Acrobat/Reader 11.0.15 released
    - https://helpx.adobe.com/security/pro...apsb16-09.html
    March 8, 2016
    CVE Numbers: CVE-2016-1007, CVE-2016-1008, CVE-2016-1009
    Platform: Windows and Macintosh
    Summary: Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system...
    Solution: Adobe recommends users update their software installations to the latest versions by following the instructions below.
    The latest product versions are available to end users via one of the following methods:
    - Users can update their product installations manually by choosing Help > Check for Updates.
    - The products will update automatically, without requiring user intervention, when updates are detected.
    - The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center:
    > http://get.adobe.com/reader
    Acrobat Reader DC Version 2015.010.20060
    For IT administrators (managed environments):
    - Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/ ... or refer to the specific release note version for links to installers.
    - Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on Macintosh, Apple Remote Desktop and SSH.

    > https://www.adobe.com/support/downloads/new.jsp
    Adobe Acrobat 11.0.15
    Adobe Reader 11.0.15
    3/8/2016

    - http://www.securitytracker.com/id/1035199
    CVE Reference: CVE-2016-1007, CVE-2016-1008, CVE-2016-1009
    Mar 8 2016
    Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
    Solution: The vendor has issued a fix (11.0.15, 15.006.30121, 15.010.20060)...
    ___

    Adobe Digital Editions 4.5.1 released
    - https://helpx.adobe.com/security/pro...apsb16-06.html
    March 8, 2016
    CVE Numbers: CVE-2016-0954
    Platform: Windows, Macintosh, iOS and Android
    Summary: Adobe has released a security update for Adobe Digital Editions 4.5.0 and earlier versions. This update resolves a critical memory corruption vulnerability that could lead to code execution...
    Customers using Adobe Digital Editions 4.5.0 on Windows can download the update from the Adobe Digital Editions download page:
    > https://www.adobe.com/solutions/eboo.../download.html
    ... or utilize the product’s update mechanism when prompted. Customers using Digital Editions for iOS and Android can download the update from the respective app store.
    For more information, please reference the release notes:
    > http://www.adobe.com/solutions/ebook...ase-notes.html

    - http://www.securitytracker.com/id/1035199
    CVE Reference: CVE-2016-1007, CVE-2016-1008, CVE-2016-1009
    Mar 8 2016
    Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
    Solution: The vendor has issued a fix (11.0.15, 15.006.30121, 15.010.20060)...
    ___

    Known issues | Acrobat DC, Reader DC
    - https://helpx.adobe.com/acrobat/kb/k...dc-reader.html
    ___

    - http://krebsonsecurity.com/2016/03/a...tical-updates/
    8 Mar 2016 - "... Adobe spokesperson: the company will be issuing a Flash Player update on Thursday morning."

    Last edited by AplusWebMaster; 2016-03-09 at 22:17.

  5. #5
    Adobe ColdFusion Hotfixes

    FYI...

    Security Update: Hotfixes available for ColdFusion
    - https://helpx.adobe.com/security/pro...apsb16-30.html
    Aug 30, 2016
    CVE number: CVE-2016-4264
    Platforms: All
    Summary: Adobe has released security hotfixes for ColdFusion versions 10 and 11. These hotfixes resolve a critical vulnerability that could lead to information disclosure (CVE-2016-4264). Adobe recommends that customers apply the appropriate hotfix using the instructions provided in the "Solution" section below.
    Affected Versions | Platform
    ColdFusion 11 Update 9 and earlier versions | All
    ColdFusion 10 Update 20 and earlier versions | All
    Note: The ColdFusion 2016 release is not affected by CVE-2016-4264.
    Solution: Adobe categorizes this hotfix with the following priority rating and recommends users update their installations to the newest versions:
    Product | Hotfix Version | Platform | Priority rating | Availability
    ColdFusion 11 | Update 10 | All | 2 | Tech note: http://helpx.adobe.com/coldfusion/kb...update-10.html
    ColdFusion 10 | Update 21 | All | 2 | Tech note: https://helpx.adobe.com/coldfusion/k...update-21.html
    Adobe recommends ColdFusion customers update their installation using the instructions provided in the relevant technote:
    ColdFusion 11: http://helpx.adobe.com/coldfusion/kb...update-10.html
    ColdFusion 10: http://helpx.adobe.com/coldfusion/kb...update-21.html
    Customers should also apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guide...
    Revisions:
    Sep 1, 2016: As of September 1, Adobe is aware of publicly available proof-of-concept code, and we have modified the priority of these hotfixes from Priority 2 to Priority 1.
    ___

    - http://www.securitytracker.com/id/1036708
    CVE Reference: CVE-2016-4264
    Aug 31 2016
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 10 Update 20 and prior, 11 Update 9 and prior ...
    Impact: A remote user can obtain potentially sensitive information on the target system.
    Solution: The vendor has issued a fix (10 Update 21, 11 Update 10)...
    ___

    - https://www.us-cert.gov/ncas/current...tes-ColdFusion
    Aug 30, 2016

    Last edited by AplusWebMaster; 2016-09-10 at 22:18.

  6. #6
    ColdFusion Hotfixes available

    FYI...

    ColdFusion Hotfixes available
    - https://helpx.adobe.com/security/pro...apsb17-14.html
    April 25, 2017
    CVE number: CVE-2017-3008, CVE-2017-3066
    Platforms: All
    Summary: Adobe has released security hotfixes for ColdFusion versions 10, 11 and the 2016 release. These hotfixes resolve an input validation issue that could be used in reflected XSS (cross-site scripting) attacks (CVE-2017-3008). These hotfixes also include an updated version of Apache BlazeDS to mitigate Java deserialization (CVE-2017-3066). Adobe recommends that customers apply the appropriate hotfix using the instructions provided in the "Solution" section below...
    Solution: ... Adobe recommends that ColdFusion customers update their installation using the instructions provided in the relevant tech notes:
    ColdFusion (2016 release): http://helpx.adobe.com/coldfusion/kb...-update-4.html
    ColdFusion 11: http://helpx.adobe.com/coldfusion/kb...update-12.html
    ColdFusion 10: http://helpx.adobe.com/coldfusion/kb...update-23.html
    Customers should also apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
    ColdFusion (2016 release) Lockdown guide:
    - http://wwwimages.adobe.com/content/d...down-guide.pdf
    ColdFusion 11 Lockdown Guide:
    - https://www.adobe.com/content/dam/Ad...down-guide.pdf
    ColdFusion 10 Lockdown Guide:
    - https://www.adobe.com/content/dam/Ad...down-guide.pdf

    - http://www.securitytracker.com/id/1038364
    CVE Reference: CVE-2017-3008, CVE-2017-3066
    Apr 26 2017
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 10, 11, 2016 ...
    Impact: A remote user can execute arbitrary code on the target system.
    A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Adobe ColdFusion software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
    Solution: The vendor has issued a fix (10 Update 23, 11 Update 12, 2016 Update 4)...
    ___

    - https://www.us-cert.gov/ncas/current...tes-ColdFusion
    April 26, 2017

    Last edited by AplusWebMaster; 2017-04-26 at 19:54.

  7. #7
    Adobe updates - 2017.10.10

    FYI...

    Flash 27.0.0.159 released
    - https://helpx.adobe.com/security/pro...apsb17-31.html
    Oct 10, 2017 - "Summary: Adobe has released an update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This monthly update addresses functionality bugs...
    - Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 27.0.0.159 via the update mechanism within the product [1] or by visiting the Adobe Flash Player Download Center:
    > https://get.adobe.com/flashplayer/
    - Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 27.0.0.159 for Windows, Macintosh, Linux and Chrome OS.
    - Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 27.0.0.159.
    - Please visit the Flash Player Help page for assistance in installing Flash Player:
    > https://helpx.adobe.com/flash-player.html
    [1] Users who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted..."

    For I/E - some versions get 'Automatic' updates:
    - https://fpdownload.macromedia.com/pu..._player_ax.exe
    For Firefox and other Plugin-based browsers:
    - https://fpdownload.macromedia.com/pu...ash_player.exe
    For Chrome:
    - https://fpdownload.macromedia.com/pu...ayer_ppapi.exe

    Flash test site: https://www.adobe.com/software/flash/about/
    ___

    - https://www.securitytracker.com/id/1039582
    CVE Reference: CVE-2017-11292
    Oct 17 2017
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 27.0.0.159 and prior ...
    Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
    Solution: The vendor has issued a fix (27.0.0.170)...
    ___

    - https://www.us-cert.gov/ncas/current...curity-Updates
    Oct 16, 2017
    ___

    MS ADV170018 | October Flash Security Update
    > https://portal.msrc.microsoft.com/en...sory/ADV170018
    10/17/2017
    ___

    Archived Flash Player versions:
    > https://helpx.adobe.com/flash-player...-versions.html

    >> https://forums.adobe.com/thread/239585
    [moderator: Added 'VMWare' to title to aid other users who are having the same issue in finding this topic]
    Oct 17, 2017

    Last edited by AplusWebMaster; 2017-10-18 at 18:58.
