Old Adobe updates/advisories
AplusWebMaster
2008-03-28, 19:02
FYI...
- http://www.securityfocus.com/news/11511
2008-03-28 - "Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears.. While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals... Using a specially-crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, allowing an attacker the ability to access the victims' funds... until Web site developers rebuild their Flash multimedia with the latest authoring tools, the older files still present on their company's Web sites could be used by fraudsters to attack the site's users... Adobe estimates that 98 percent of Web users have the Adobe Flash Player installed. Flash is widely used to create the advertisements hosted on most Web sites. Because the advertisements are generally provided by third-party services, using the affiliate networks to send out malicious Flash advertisements has become a serious vector of attack..."
* http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html
"Adobe is planning to release a security update for Flash Player 9 in April 2008 to strengthen the security of Adobe Flash Player for our customers and end users... This security update will make the optional socket policy file changes introduced in Flash Player 9,0,115,0 mandatory..."
AplusWebMaster
2008-04-09, 04:57
FYI...
Flash Player version 9.0.124.0 released
- http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
APSB08-11 Flash Player update available to address security vulnerabilities
- http://www.adobe.com/support/security/bulletins/apsb08-11.html
04/08/2008 - "Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system...
Affected software versions:
Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier..."
Severity rating:
Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."
Installation instructions:
- http://www.adobe.com/products/flashplayer/productinfo/instructions/
Test:
- http://www.adobe.com/products/flash/about/
- http://secunia.com/advisories/28083/
Release Date: 2008-04-09
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Flash Player 9.x ...
...The vulnerabilities are reported in versions prior to 9.0.124.0...
CVE reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5275
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1655 ...
AplusWebMaster
2008-06-04, 15:51
FYI...
- http://blogs.zdnet.com/security/?p=1236
June 3, 2008 - "...Google Analytics has a nifty feature where it will give you information on your visitor’s browser capabilities, including the version of Flash installed down to the revision level... the statistics confirmed the low percentage of up-to-date Flash players.
Date    % up-to-date
5/26    15.28
5/27    15.93
5/28    16.50
5/29    17.51
Remember, this is still 7 weeks after the update was released... After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability... How does the average user know that they should update Flash and how to do so? By reading the trade press? Microsoft learned that you have to harass the user into patching their operating system and even then, it should be as automatic as possible. As Flash currently enjoys an essentially universal market share, now is the time to make significant security improvements without having to repeat the lessons that others have had to so painfully learn..."
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527
May 27, 2008
AplusWebMaster
2008-10-08, 14:07
FYI...
- http://www.adobe.com/support/security/advisories/apsa08-08.html
Release date: October 7, 2008
Vulnerability identifier: APSA08-08
Platform: All Platforms
Affected Software: Adobe Flash Player 9.0.124.0 and earlier
...To prevent this potential issue, customers can change their Flash Player settings as follows:
1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
2. Select the "Always deny" button.
3. Select ‘Confirm’ in the resulting dialog.
4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and/or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html ...
---
- http://blogs.adobe.com/psirt/2008/10/clickjacking_security_advisory.html
October 7, 2008
- http://secunia.com/advisories/32163
Release Date: 2008-10-08
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4503
Last revised: 10/11/2008
AplusWebMaster
2008-10-15, 16:07
FYI...
Adobe Flash Player v10.0.12.36 released
- http://www.adobe.com/go/getflashplayer
October 15, 2008
Understanding the security changes in Flash Player 10
- http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes_print.html
Modified: 15 October 2008
Flash Player installation instructions
- http://www.adobe.com/products/flashplayer/productinfo/instructions/
...Installation instructions for Windows Internet Explorer... "may require administrative access to your PC..."
...Installation instructions for Windows non-Internet Explorer... "may require administrative access to your PC..."
Flash Player update available to address security vulnerabilities
- http://www.adobe.com/support/security/bulletins/apsb08-18.html
Release date: October 15, 2008 ...
CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503
Platform: All Platforms
Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform...
Affected software versions: Adobe Flash Player 9.0.124.0 and earlier...
- http://www.us-cert.gov/current/archive/2008/10/16/archive.html#adobe_releases_security_bulletin_for
October 16, 2008
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4324
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6243
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3873
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4401
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4503
Test your current install: http://www.adobe.com/products/flash/about/
AplusWebMaster
2008-11-06, 14:00
FYI...
Flash Player multiple vulns - updates available
- http://www.adobe.com/support/security/bulletins/apsb08-20.html
Release date: November 5, 2008
Vulnerability identifier: APSB08-20
CVE number: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823 ...
Platform: All Platforms
Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. No action is required by customers who have already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update addresses the issues previously reported in Security Bulletin APSB08-18 in addition to the issues outlined in this Security Bulletin.
Affected software versions: Adobe Flash Player 9.0.124.0 and earlier.
To verify the Adobe Flash Player version number, access the About Flash Player page* ...
* http://www.adobe.com/products/flash/about/
Solution: Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center**, or by using the auto-update mechanism within the product when prompted.
** http://www.adobe.com/go/getflashplayer
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link***.
*** http://www.adobe.com/go/kb406791
Severity rating: Adobe categorizes this as a critical update due to the issues previously outlined in Security Bulletin APSB08-18 and recommends affected users upgrade to version 10.0.12.36...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4818
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4819
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4820
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4821
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4822
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4823
AplusWebMaster
2008-11-18, 13:07
FYI...
Additional disclosure of security vulnerabilities fixed in Flash Player 10.0.12.36 and Flash Player 9.0.151.0
- http://www.adobe.com/support/security/bulletins/apsb08-22.html
Release date: November 17, 2008
Vulnerability identifier: APSB08-22
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4824
Platform: All Platforms
AplusWebMaster
2008-12-18, 04:42
FYI...
Security update available for -Linux- Flash Player 10.0.12.36 and Linux Flash Player 9.0.151.0
- http://www.adobe.com/support/security/bulletins/apsb08-24.html
Release date: December 17, 2008
Vulnerability identifier: APSB08-24
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5499
Platform: Linux ...
Adobe recommends all users of Flash Player for Linux 10.0.12.36 and Flash Player for Linux 9.0.151.0 and earlier versions upgrade to the newest version 10.0.15.3 by downloading it from the Player Download Center*, or by using the auto-update mechanism within the product when prompted.
* http://get.adobe.com/flashplayer
For users who cannot update to Flash Player for Linux 10.0.15.3, Adobe has developed a patched version, Flash Player for Linux 9.0.152.0**, which can be downloaded from the following link...
http://www.adobe.com/go/kb406791
Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 10.0.15.3...
SUSE update for flash-player
- http://secunia.com/advisories/33294/
Release Date: 2008-12-22
Critical: Highly critical
Impact: System access
Where: From remote...
Original Advisory: SUSE-SA:2008:059:
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00006.html
Red Hat update for flash-plugin
- http://secunia.com/advisories/33267/
Release Date: 2008-12-22
Critical: Highly critical
Impact: System access
Where: From remote...
Solution Status: Vendor Patch
Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-1047.html ...
AplusWebMaster
2009-02-20, 12:01
FYI...
Acrobat [Reader] 0-Day On the Loose
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
2009-02-19 - "The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited. We are aware of several different variations of this attack, however, we were provided with a sample last week in which we were permitted to analyze and detail in this post. We want to make it clear that we did not discover this vulnerability and are only posting this information to make sure others are aware and can adequately protect themselves. All of our testing was done on Adobe Acrobat Reader 8.1.0, 8.1.1, 8.1.2, 8.1.3 (latest release of 8), and 9.0.0 (latest release of 9)... We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript ... Adobe has since issued a public advisory* about this issue that has been posted here. They are expecting an update by March 11th, 2009 for Adobe 9 and updates for other version (8 and 7) to follow soon after..."
* http://www.adobe.com/support/security/advisories/apsa09-01.html
February 19, 2009 - "...Adobe categorizes this as a critical issue..."
- http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue.html
February 19, 2009 09:18 PM
AplusWebMaster
2009-02-20, 18:45
More on this:
- http://preview.tinyurl.com/bp67qy
February 20, 2009 Security Fix - "...In the past I have recommended the free version of Foxit Reader as a faster and more lightweight alternative for viewing PDF files. However, I have not yet been able to verify whether Foxit Reader may be similarly vulnerable...
Update, 10:34 a.m. ET: "Sherry" from Foxit wrote me back to say the company has no information to suggest Foxit is similarly vulnerable: "Currently Foxit Software have not suffered these problems. And we will pay attention to it in the future." Also, Symantec has now posted its writeup on this flaw*, saying it has received reports of targeted attacks against government, large enterprise and financial services organizations..."
* http://preview.tinyurl.com/cajqre
02-20-2009 Symantec Security Response Blog
* http://preview.tinyurl.com/cqs68s
February 12, 2009 Symantec Security Response - "... The Trojan opens a backdoor on the compromised computer. It then contacts the following remote host in order to steal information from the compromised computer: js001 .3322 .org ..."
- http://secunia.com/advisories/33901/
Release Date: 2009-02-20
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
AplusWebMaster
2009-02-22, 13:27
FYI...
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221
21 February 2009 - "...Work Arounds & Windows Group Policy Object (GPO)
As we mentioned the main work around for this is to disable JavaScript. Acrobat will still crash but the exploit should fail. While all platforms are reportedly affected, we should note that we have only seen active exploits for Windows and not Linux or OS X platforms. Once again to disable JavaScript in Acrobat [Reader], take the following steps:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
Elazar Broad also wrote into us the other day and provided a GPO that can be used to disable JavaScript for Adobe Acrobat [Reader]. We have not tested it but you can grab it by clicking here*. Basically these are the keys of interest (from HKEY_CURRENT_USER):
Adobe Acrobat Reader:
Software\Adobe\Acrobat Reader\x.0\JSPrefs
Adobe Acrobat:
Software\Adobe\Adobe Acrobat\x.0\JSPrefs
Setting the DWORD "bEnableJS" to 0 will disable JavaScript...
Details Released
We knew it would not take too long - the details of the vulnerable function and enough information to potentially recreate the exploit have now been published publicly... Expect that a wider set of attackers will now start using this exploit in the near future before the patch is released. In other words... DISABLE JAVASCRIPT and patch as soon as it becomes available!"
* http://www.shadowserver.org/wiki/uploads/Calendar/adobe.txt
- http://www.kb.cert.org/vuls/id/905281
Last Updated: 2009-02-23
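The registry workaround described in the post above, as an added PowerShell example (not part of the original thread and not the Shadowserver GPO file): it reports the current bEnableJS value under each "x.0" version key for the current user and, unless -AuditOnly is given, sets it to 0. The key paths and value name come from the post; the function name Set-AcrobatJsDisabled and the version-key pattern are assumptions made for this example.

```powershell
# Added example: audit and enforce bEnableJS = 0 for the current user.
# Key layout is taken from the post (HKEY_CURRENT_USER, "x.0" = product version key).
# Set-AcrobatJsDisabled is a hypothetical helper name, not an Adobe or Shadowserver tool.

$ProductRoots = @(
    'HKCU:\Software\Adobe\Acrobat Reader',   # Adobe Acrobat Reader
    'HKCU:\Software\Adobe\Adobe Acrobat'     # Adobe Acrobat
)

function Set-AcrobatJsDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Report only; do not write to the registry.
        [switch]$AuditOnly
    )

    foreach ($root in $ProductRoots) {
        # Product never run by this user: nothing to audit.
        if (-not (Test-Path -Path $root)) { continue }

        # Assumption: version keys look like 7.0, 8.0, 9.0; other subkeys are skipped.
        $versionKeys = Get-ChildItem -Path $root |
            Where-Object { $_.PSChildName -match '^\d+\.0$' }

        foreach ($key in $versionKeys) {
            $jsPrefs = "$root\$($key.PSChildName)\JSPrefs"

            # Read the current value; $null means the key or the value does not exist yet.
            $current = $null
            if (Test-Path -Path $jsPrefs) {
                $current = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS' `
                                -ErrorAction SilentlyContinue).bEnableJS
            }

            # Enforce: create JSPrefs if needed and write the DWORD as 0.
            if (-not $AuditOnly -and $current -ne 0) {
                if ($PSCmdlet.ShouldProcess($jsPrefs, 'Set bEnableJS to 0')) {
                    if (-not (Test-Path -Path $jsPrefs)) {
                        New-Item -Path $jsPrefs -Force | Out-Null
                    }
                    New-ItemProperty -Path $jsPrefs -Name 'bEnableJS' `
                        -PropertyType DWord -Value 0 -Force | Out-Null
                    $current = 0
                }
            }

            # One result row per version key, usable for reporting across machines.
            [pscustomobject]@{
                Key                = $jsPrefs
                bEnableJS          = $current
                JavaScriptDisabled = ($current -eq 0)
            }
        }
    }
}

# Audit first (writes nothing); run without -AuditOnly to apply the setting.
Set-AcrobatJsDisabled -AuditOnly | Format-Table -AutoSize
```

Because the setting lives under HKEY_CURRENT_USER, it has to be applied per user profile (for example from a logon script), and the audit is worth re-running after each Reader or Acrobat update.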
AplusWebMaster
2009-02-25, 14:22
FYI...
Flash Player v10.0.22.87 released
- http://www.adobe.com/support/security/bulletins/apsb09-01.html
Release date: February 24, 2009
Vulnerability identifier: APSB09-01
CVE number: CVE-2009-0519, CVE-2009-0520, CVE-2009-0522, CVE-2009-0114, CVE-2009-0521
Platform: All Platforms...
Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.22.87*...
* http://www.adobe.com/go/getflash -or- http://get.adobe.com/flashplayer/otherversions/
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which can be downloaded from the following link**...
** http://www.adobe.com/go/kb406791
Version test for Adobe Flash Player
- http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507
AplusWebMaster
2009-03-11, 10:28
FYI...
Security Updates available for Adobe Reader 9 and Acrobat 9
- http://www.adobe.com/support/security/bulletins/apsb09-03.html
Release date: March 10, 2009
Vulnerability identifier: APSB09-03
CVE number: CVE-2009-0658
Platform: All Platforms...
Affected software versions:
Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions
Solution: Adobe Reader
Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
- http://get.adobe.com/reader/
Acrobat 9
Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382
Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381
Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374
Severity rating:
Adobe categorizes this as a critical issue and recommends that users apply the update for their product installations...
> http://blogs.adobe.com/psirt/2009/03/_adobe_reader_and_acrobat_91_u.html
AplusWebMaster
2009-03-18, 23:14
FYI...
- http://isc.sans.org/diary.html?storyid=6034
Last Updated: 2009-03-18 20:04:58 UTC - "Adobe has released security advisory APSB09-04* for Adobe Reader and Acrobat. The CVE entries related to the vulnerabilities being patched are CVE-2009-0658 and CVE-2009-0927. Current versions are now 9.1, 8.1.4, and 7.11. Updates for both Windows and Macintosh platforms are available..."
* http://www.adobe.com/support/security/bulletins/apsb09-04.html
Release date: March 18, 2009 - "... Users with Adobe Reader 7.0 through 8.1.3, who can’t update to Adobe Reader 9.1, should update to Adobe Reader 8.1.4 or Adobe Reader 7.1.1, available from one of the following links:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh ..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0658
Last revised: 03/06/2009
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927
Last revised: 03/19/2009
- http://www.eset.com/threat-center/blog/?p=805
March 20, 2009 - "...updating re-enables Acrobat JavaScript. While the update presumably (hopefully) fixes the recent vulnerabilities, I’m not sure I’d care to assume that no further vulnerabilities will be found. You might want to consider our earlier advice to disable it..."
AplusWebMaster
2009-04-22, 14:50
FYI...
- http://www.pcworld.com/article/163574/ditch_adobe_reader_for_better_security.html
Apr 21, 2009 - "... In 2008, from Jan. 1 through April 16, F-Secure saw PDFs used in 128 dangerous drive-by attacks. This year, during the same time frame, the company has seen 2,305 drive-by's using PDFs. Such attacks go after a vulnerable Reader browser plugin... Poisoned PDFs are also often used as part of a customized, targeted attack, he says, when they're sent to a specifically selected recipient attached to a well-crafted e-mail. Hypponen didn't recommend any particular alternative program, but suggested heading to http://www.pdfreaders.org for a list of free apps. He did point out that at the time of IE 6's security infamy, many switched over to using Firefox. And as that browser gained significant market share, it also drew the hacker's eye..."
Another freeware alternative: Foxit PDF Reader
- http://www.foxitsoftware.com/pdf/reader/download.php
AplusWebMaster
2009-04-29, 16:19
FYI...
- http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
April 28, 2009 - "... All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue. To mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit >Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK
... Adobe is also currently investigating the issue posted on SecurityFocus as BID 34740*..."
* http://www.securityfocus.com/bid/34740/info
Updated: Apr 29 2009
- http://isc.sans.org/diary.html?storyid=6286
Last Updated: 2009-04-29 03:22:48 UTC
- http://www.f-secure.com/weblog/archives/00001671.html
April 29, 2009
- http://www.adobe.com/support/security/advisories/apsa09-02.html
May 1, 2009 - "...Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009..."
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1492
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1493
AplusWebMaster
2009-05-07, 17:43
FYI...
- http://www.f-secure.com/weblog/archives/00001676.html
May 6, 2009 - "... we decided to take a look at targeted attacks and see which file types were the most popular during 2008 and if that has changed at all during 2009. In 2008 we identified about 1968 targeted attack files. The most popular file type was DOC, i.e. Microsoft Word representing 34.55%... So far in 2009 we have found 663 targeted attack files and the most popular file type is now PDF. Why has it changed? Primarily because there has been more vulnerabilities in Adobe Acrobat Reader than in the Microsoft Office applications... More info about targeted attacks and how they work can be found in our YouTube video*."
(Charts available at the URL above.)
* http://www.youtube.com/watch?v=nFw9ZHy0V3c
AplusWebMaster
2009-05-13, 05:44
FYI...
Security Updates available for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb09-06.html
May 12, 2009 - "...Adobe recommends users of Adobe Reader 9.1 and Acrobat 9.1 and earlier versions update to Adobe Reader 9.1.1 and Acrobat 9.1.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.5, and users of Acrobat 7 update to Acrobat 7.1.2. For Adobe Reader users who can’t update to Adobe Reader 9.1.1, Adobe has provided the Adobe Reader 8.1.5 and Adobe Reader 7.1.2 updates.
Affected software versions: Adobe Reader 9.1 and earlier versions. Adobe Acrobat Standard, Pro, and Pro Extended 9.1 and earlier versions.
Solution
Adobe Reader: Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix
Acrobat: Acrobat Standard, Pro and Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations...
Adobe Reader and Acrobat 9.1.1, 8.1.5 and 7.1.2 Release Notes
- http://kb2.adobe.com/cps/490/cpsid_49013.html
May 12, 2009
AplusWebMaster
2009-06-10, 13:52
FYI...
Adobe Reader and Acrobat updated
- http://www.adobe.com/support/security/bulletins/apsb09-07.html
June 9, 2009
"Adobe Reader: Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows .
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh .
Acrobat: Acrobat Standard, Pro and Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows .
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows .
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh ...
Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities...
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
- http://secunia.com/advisories/34580/2/
Release Date: 2009-06-10
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix ...
Original Advisory: Secunia Research: http://secunia.com/secunia_research/2009-24/
Adobe: http://www.adobe.com/support/security/bulletins/apsb09-07.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0198
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0509
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0510
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0511
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0512
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0888
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0889
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1855
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1856
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1857
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1858
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1859
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1861
AplusWebMaster
2009-06-17, 07:39
FYI...
Adobe Reader UNIX update v9.1.2
- http://www.adobe.com/support/security/bulletins/apsb09-07.html
June 16, 2009 - Bulletin updated with link to Adobe Reader UNIX update...
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix ..."
AplusWebMaster
2009-06-24, 07:24
FYI...
Shockwave Player vuln - update v11.5.0.600 available
- http://www.adobe.com/support/security/bulletins/apsb09-08.html
June 23, 2009 - "A critical vulnerability has been identified in Adobe Shockwave Player 11.5.0.596 and earlier versions. This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system... To resolve this issue, Shockwave Player users on Windows should -uninstall- Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/ . This issue is remotely exploitable..."
- http://voices.washingtonpost.com/securityfix/2009/06/critical_security_fix_for_adob.html
June 25, 2009 - "...Readers should be aware that by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1860
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2186
- http://secunia.com/advisories/35544/2/
Release Date: 2009-06-24
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Shockwave Player 11.x ...
Solution: Uninstall versions prior to 11.5.0.600, restart the system, and install version 11.5.0.600:
http://get.adobe.com/shockwave/
- http://www.us-cert.gov/current/#adobe_releases_update_for_shockwave
June 24, 2009
AplusWebMaster
2009-07-09, 04:34
FYI...
Hotfix available for potential ColdFusion 8 input sanitization issue
- http://www.adobe.com/support/security/bulletins/apsb09-09.html
July 8, 2009 - "... Adobe recommends affected ColdFusion customers update their installation using the instructions below:
NOTE: ColdFusion 8 customers who have not already done so should first update to ColdFusion 8.0.1*
* http://www.adobe.com/support/coldfusion/downloads_updates.html#cf8 ...
Severity rating: Adobe categorizes this as a critical issue and recommends affected users patch their installations..."
Revisions: July 9, 2009 - Bulletin updated with Acknowledgment and information on ColdFusion 8.0 hotfix
(More detail and links at the first URL above.)
- http://secunia.com/advisories/35747/2/
Release Date: 2009-07-09
Critical: Highly critical
Impact: Exposure of system information, Exposure of sensitive information, System access
Solution: Update to version 8.0.1 and apply hot fix...
- http://blog.trendmicro.com/coldfusion-spurs-another-mass-compromise/
July 8, 2009
AplusWebMaster
2009-07-23, 03:29
FYI...
- http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html
July 21, 2009 - "Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."
> http://isc.sans.org/diary.html?storyid=6847
Last Updated: 2009-07-22 22:26:39 UTC ...(Version: 3) - "... the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well. And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal*)...
UPDATE: At the moment there is a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate web sites to create a drive-by attack, as expected. It appears that the attackers created two different shellcodes as well, one for Firefox users (still have to confirm this) and the other for Internet Explorer users (this one is -confirmed- to work)."
* http://preview.tinyurl.com/l3wg89
File 34d6452000e1a9e0308702d082c897008a0481b0.EXE received on 2009.07.22 16:49:07 (UTC)
Result: 7/41 (17.07%)
- http://www.us-cert.gov/current/#adobe_reader_acrobat_and_flash
- http://www.kb.cert.org/vuls/id/259425
2009-07-22
- http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx
June 12, 2009
> FixIt4Me - Enable DEP for Office
> FixIt4Me - Enable DEP for IE
- http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/
22 July 2009
Update on Adobe Reader, Acrobat and Flash Player Issue
- http://blogs.adobe.com/psirt/2009/07/update_on_adobe_reader_acrobat.html
July 22, 2009 7:08 PM
:fear::fear:
AplusWebMaster
2009-07-23, 17:16
FYI...
- http://www.adobe.com/support/security/advisories/apsa09-03.html
July 22, 2009 - "... We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009..."
- http://securitylabs.websense.com/content/Alerts/3449.aspx
07.23.2009
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1862
Last revised: 07/24/2009
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2580
Last revised: 07/24/2009
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.securityfocus.com/bid/35759/info
Updated: Jul 23 2009
- http://bugs.adobe.com/jira/browse/FP-1265
Created: 12/31/08
- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-072209-2512-99&tabid=2
Discovered: July 22, 2009 - "...The Trojan arrives in a specially crafted .pdf file that exploits a vulnerability in Adobe Flash Player. When executed the Trojan drops the following files on the compromised computer:
* %Temp%\SUCHOST.EXE (Trojan Horse)
* %Temp%\TEMP.EXE (A non-malicious file.)
Note: The SUCHOST.EXE file may open a back door that connects to the following domains:
* http ://aop1.homelinux .com
* http ://connectproxy.3322 .org
* http ://csport.2288 .org ..." [DO NOT VISIT]
:eek:
AplusWebMaster
2009-07-28, 23:21
FYI...
- http://www.adobe.com/support/security/advisories/apsa09-04.html
July 28, 2009 - "Adobe Flash Player 9.0.159.0 and 10.0.22.87, and earlier 9.x and 10.x versions installed on Windows operating systems for use with Internet Explorer leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This critical vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system.
Note that this vulnerability is exclusive to Internet Explorer on Windows. Installations of Flash Player for Firefox or other web browsers on Windows are -not- vulnerable. We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows by July 30, 2009.
Users should consider installing MS09-034*. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035**..."
* http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
** http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
- http://secunia.com/advisories/35948/2/
Solution Status: Unpatched
Software: Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
Changelog: 2009-07-29: Added information about control having been built using a vulnerable version of ATL.
:fear:
AplusWebMaster
2009-07-29, 06:43
FYI...
Adobe Shockwave v11.5.1.601 released
- http://www.adobe.com/support/security/bulletins/apsb09-11.html
July 28, 2009 - "...Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ .
Users who are unable to update to version 11.5.1.601 of Shockwave Player should consider installing MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Shockwave Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035... Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
Once again ...
- http://voices.washingtonpost.com/securityfix/2009/06/critical_security_fix_for_adob.html
"... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."
- http://secunia.com/advisories/36049/2/
Release Date: 2009-07-29
Critical: Highly critical
Impact: System access, Exposure of sensitive information, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Shockwave Player 10.x, Shockwave Player 11.x, Shockwave Player 8.x, Shockwave Player 9.x
Solution: Update to version 11.5.1.601.
http://get.adobe.com/shockwave/
Original Advisory:
http://www.adobe.com/support/security/bulletins/apsb09-11.html ...
- http://www.us-cert.gov/current/#adobe_releases_shockware_player_11
updated July 31, 2009
Test site: http://www.adobe.com/shockwave/welcome/
:fear:
AplusWebMaster
2009-07-31, 02:23
FYI...
Flash Player v10.0.32.18 released
- http://get.adobe.com/flashplayer/
July 30, 2009 - Browser: Firefox, Safari, Opera
install_flash_player.exe
- http://get.adobe.com/flashplayer/otherversions/
July 30, 2009 - Internet Explorer
install_flash_player_ax.exe
Adobe Flash Player
- http://www.adobe.com/support/security/bulletins/apsb09-10.html
Release date: July 30, 2009
CVE number: CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870
"... Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2*... Adobe categorizes these as critical issues and recommends affected users patch their installations..."
* http://get.adobe.com/air/
Adobe AIR 1.5.2 Installer - Windows , English | 15.1 MB
___
- http://www.adobe.com/support/security/bulletins/apsb09-10.html
Revisions:
July 31, 2009 - Bulletin updated with Adobe Reader and Acrobat updates, and correct Adobe Flash Player 9 download link.
... http://www.adobe.com/support/flashplayer/downloads.html#fp9
___
- http://www.adobe.com/support/security/bulletins/apsb09-10.html
Last revised: August 3, 2009 - "... Adobe recommends all users of Adobe Flash Player... upgrade to the newest version 10.0.32.18..."
- http://secunia.com/advisories/35948/2/
Last Update: 2009-08-10
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x, Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
Solution: Update to Flash Player 9.0.246.0 or 10.0.32.18 and Adobe AIR version 1.5.2.
Flash Player version 10.0.32.18: http://www.adobe.com/go/getflashplayer ...
Adobe AIR version 1.5.2. http://get.adobe.com/air ...
- http://www.adobe.com/support/security/bulletins/apsb09-11.html
Release date: July 28, 2009 - "... Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ ..."
- http://secunia.com/advisories/36049/2/
Release Date: 2009-07-29
Critical: Highly critical ...
Solution: Update to version 11.5.1.601.
http://get.adobe.com/shockwave/
Test both here: http://www.adobe.com/shockwave/welcome/
AplusWebMaster
2009-07-31, 22:36
FYI...
Adobe Reader v9.1.3 - Acrobat v9.1.3 released
- http://www.adobe.com/support/security/advisories/apsa09-03.html
Last Updated: July 31, 2009
"...Adobe Reader
Users who download the full 9.1 installer from http://get.adobe.com/reader/ will be offered the Adobe Reader 9.1.3 patch by the Adobe Updater technology on first launch. Users can also click "Help > Check for Updates" to be sure their installation is fully patched and up-to-date...
Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
... Adobe Reader 9.1.3 update - Multiple Languages | 1.6MB | 7/31/2009 ...
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.
Acrobat
Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.
... Adobe Acrobat 9.1.3 Professional and Standard Update - Multiple Languages 1.6MB | 7/31/2009
Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
Severity rating
Adobe categorizes these as critical issues and recommends affected users patch their installations..."
:fear:
AplusWebMaster
2009-08-18, 15:00
FYI...
Adobe ColdFusion / JRun multiple vulns - updates available
- http://secunia.com/advisories/36329/2/
Release Date: 2009-08-18
Critical: Moderately critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe ColdFusion 8.x, Adobe ColdFusion MX 7.x, Macromedia Jrun 4.x ...
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb09-12.html
"... Adobe categorizes these as critical issues and recommends affected users patch their installations..."
- http://www.us-cert.gov/current/index.html#adobe_releases_hotfixes_for_coldfusion
August 18, 2009
- http://www.adobe.com/support/security/bulletins/apsb09-12.html
August 21, 2009 - Bulletin updated with additional information regarding CVE-2009-1876.
> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1872_1877.txt
"ColdFusion... hotfix includes fixes for CVE-2009-1872, CVE-2009-1877..."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1872
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1877
> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1875.txt
"ColdFusion... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1..."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1875
> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1876.txt
"ColdFusion... fix for CVE-2009-1876..."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1876
> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1878.txt
"... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1.."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1878
> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1873_1874.txt
"JRun... fixes for CVE-2009-1873, CVE-2009-1874..."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1873
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1874
:fear::fear:
AplusWebMaster
2009-08-26, 16:42
FYI...
Sites pulling sneaky Flash cookie-snoop
- http://www.theregister.co.uk/2009/08/19/flash_cookies/
19 August 2009 - "Many websites are using Flash-based cookies to track users, but often omit to mention this in their privacy policies... Browser-based cookies constitute a well understood and widely deployed technology that poses serious questions about privacy, depending on its usage. What's far less well known is that Adobe Flash software also features cookies that can be used in much the same way as HTTP cookies. Flash cookies can be used for storing the volume level of a Flash video but the technology can also be used as "secondary, redundant unique identifiers that enable advertisers to circumvent user preferences and self-help"... researchers conclude that Flash cookies are more effective at tracking users' visits around websites than traditional HTTP cookies because they operate in the shadows and are infrequently removed. By default Flash cookies have no built-in expiration date. Browser-based actions such as deleting browser histories or switching to private mode does not affect the operation of Flash cookies..."
- https://addons.mozilla.org/firefox/addon/6623
Better privacy - "... Concerning privacy Flash- and DOM Storage objects are most critical. This addon was made to make users aware of those hidden, never expiring objects and to offer an easy way to get rid of them - since browsers are unable to do that for you. Flash-cookies (Local Shared Objects, LSO) are pieces of information placed on your computer by a Flash plugin. Those Super-Cookies are placed in central system folders and so protected from deletion..."
> http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
:fear:
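The Flash cookies (Local Shared Objects) described in the post above are stored as `.sol` files on disk, outside the browser's cookie store, which is why clearing browser history leaves them in place. The following is an added example, not part of the original post or of the add-on it links to: a Python audit that groups LSOs by originating domain and reports how old they are. The `#SharedObjects/<random>/<domain>/` layout and the `00 BF` / `TCSO` header are assumptions based on the commonly documented Flash Player storage format; the sample tree and domains are constructed.

```python
import os
import struct
import tempfile
import time
from pathlib import Path

SOL_MAGIC = b"\x00\xbf"  # assumed two-byte SOL magic
SOL_TAG = b"TCSO"        # assumed tag that follows the 4-byte length field


def make_sol(name, body=b""):
    """Build a minimal SOL file for the constructed sample tree."""
    raw = name.encode("utf-8")
    rest = (SOL_TAG + b"\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(raw)) + raw + b"\x00\x00\x00\x00" + body)
    return SOL_MAGIC + struct.pack(">I", len(rest)) + rest


def parse_sol_name(data):
    """Return the shared-object name from a SOL header, or None if malformed."""
    if len(data) < 18 or data[:2] != SOL_MAGIC or data[6:10] != SOL_TAG:
        return None
    (declared,) = struct.unpack(">I", data[2:6])
    if declared > len(data) - 6:
        return None  # header claims more bytes than the file holds
    (name_len,) = struct.unpack(">H", data[16:18])
    name = data[18:18 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def audit_lsos(shared_objects_root, now=None):
    """Group *.sol files under a #SharedObjects directory by originating domain."""
    now = time.time() if now is None else now
    report = {}
    for sol in sorted(Path(shared_objects_root).rglob("*.sol")):
        parts = sol.relative_to(shared_objects_root).parts
        if len(parts) < 3:  # expect <random-dir>/<domain>/.../<name>.sol
            continue
        entry = report.setdefault(parts[1], {
            "files": 0, "bytes": 0, "oldest_days": 0.0,
            "names": [], "malformed": 0,
        })
        st = sol.stat()
        entry["files"] += 1
        entry["bytes"] += st.st_size
        # LSOs carry no expiry, so file age is the only retention signal.
        entry["oldest_days"] = max(entry["oldest_days"],
                                   (now - st.st_mtime) / 86400)
        name = parse_sol_name(sol.read_bytes())
        if name is None:
            entry["malformed"] += 1
        else:
            entry["names"].append(name)
    return report


def build_sample_tree(base, now):
    """Create a constructed #SharedObjects tree with known file ages."""
    root = Path(base) / "#SharedObjects"
    samples = [
        ("AB12CD34/tracker.example/ads/uid.sol", make_sol("uid", b"\x02id\x00"), 400),
        ("AB12CD34/tracker.example/junk.sol", b"not a shared object", 30),
        ("AB12CD34/video.example/player/volume.sol", make_sol("volume"), 2),
    ]
    for rel, data, age_days in samples:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        root = build_sample_tree(tmp, now)
        for domain, info in sorted(audit_lsos(root, now).items()):
            print(f"{domain}: {info['files']} file(s), {info['bytes']} bytes, "
                  f"oldest {info['oldest_days']:.0f} days, names={info['names']}, "
                  f"malformed={info['malformed']}")
```

To audit a real profile, pass the user's own `#SharedObjects` directory to `audit_lsos` instead of the sample tree.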
AplusWebMaster
2009-09-03, 13:58
FYI...
Sun Solaris Adobe Flash Player Multiple vuln - update available
- http://secunia.com/advisories/36518/2/
Release Date: 2009-09-03
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
OS: Sun Solaris 10
Solution: Apply patches.
-- SPARC Platform --
Solaris 10: Apply patch 125332-07 or later.
OpenSolaris: Fixed in builds snv_121 and later.
-- x86 Platform --
Solaris 10: Apply patch 125333-07 or later.
OpenSolaris: Fixed in builds snv_121 and later.
Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1
"... issues can occur in Adobe Flash Player 9.0.159.0 and earlier 9.x versions and 10.0.22.87 and earlier 10.x versions..."
:fear:
AplusWebMaster
2009-10-08, 23:51
FYI...
Adobe Reader/Acrobat vuln - unpatched
- http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
October 8, 2009 - "Adobe is aware of reports of a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows. Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update*, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date..."
* http://www.adobe.com/support/security/bulletins/apsb09-15.html
- http://secunia.com/advisories/36983/2/
Release Date: 2009-10-09
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
- http://blog.trendmicro.com/new-adobe-zero-day-exploit/
Oct. 9, 2009 - "... users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:
1. Run Acrobat or Adobe Reader.
2. Go to Edit > Preferences.
3. Select JavaScript under the Categories tab.
4. Uncheck the “Enable Acrobat JavaScript” option.
5. Click OK..."
:fear:
AplusWebMaster
2009-10-14, 00:49
FYI...
Adobe Reader 9.2 and Acrobat 9.2 released
- http://www.adobe.com/support/security/bulletins/apsb09-15.html
October 13, 2009 - "... This update resolves a heap overflow vulnerability that could lead to code execution (CVE-2009-3459*)... Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX...
Solution:
Adobe Reader
- Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
- Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
- Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix
Acrobat
- Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
- Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
- Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
- Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh ..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3459
Last revised: 10/13/2009
CVSS v2 Base Score: 9.3 (HIGH)
Adobe Plugs 29 Critical Reader, Acrobat Holes
- http://voices.washingtonpost.com/securityfix/2009/10/adobe_plugs_critical_reader_ac.html
October 13, 2009
CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462
- http://blogs.adobe.com/psirt/2009/10/second_quarterly_security_upda.html
October 13, 2009
:fear:
AplusWebMaster
2009-11-04, 05:25
FYI...
Adobe Shockwave Player v11.5.2.602 released
- http://www.adobe.com/support/security/bulletins/apsb09-16.html
Release date: November 3, 2009
Affected software versions: Shockwave Player 11.5.1.601 and earlier versions
Solution: Adobe recommends Shockwave Player users install Shockwave Player version 11.5.2.602 available here:
http://get.adobe.com/shockwave/
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations...
CVE number:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3244
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3463
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3464
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3465
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3466
Platform: Windows and Macintosh
Once again, still ...
- http://voices.washingtonpost.com/securityfix/2009/06/critical_security_fix_for_adob.html
"... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."
Test site:
- http://www.adobe.com/shockwave/welcome/
- http://secunia.com/advisories/37214/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 11.5.2.602...
- http://news.techworld.com/security/3205708/adobe-patches-five-critical-shockwave-player-bugs/
"... installed on some 450 million PCs..."
:fear:
AplusWebMaster
2009-12-04, 06:13
FYI...
Pre-Notification - Security Update for Adobe Flash Player
- http://www.adobe.com/support/security/bulletins/apsb09-19.html
December 3, 2009 - "Adobe is planning to release an update for Adobe Flash Player 10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and earlier versions, to resolve critical security issues. Adobe expects to make these updates available on December 8, 2009...
Affected software versions:
Adobe Flash Player 10.0.32.18 and earlier versions
Adobe AIR 1.5.2 and earlier versions
Severity rating: Adobe categorizes these as critical updates."
Also see: Adobe Illustrator
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4195
- http://www.adobe.com/support/security/advisories/apsa09-06.html
December 07, 2009 - "... Adobe plans to make available an update to Adobe Illustrator to resolve the issue by January 8, 2010. Adobe recommends customers avoid opening .eps files from unknown or untrusted sources in Illustrator until a patch is available..."
:fear:
AplusWebMaster
2009-12-09, 04:26
FYI...
Flash Player v10.0.42.34 released
- http://www.adobe.com/support/security/bulletins/apsb09-19.html
December 8, 2009 - "... All Platforms...
Affected software versions:
Adobe Flash Player 10.0.32.18 and earlier versions
Adobe AIR 1.5.2 and earlier versions...
Adobe recommends all users of Adobe Flash Player 10.0.32.18 and earlier versions upgrade to the newest version 10.0.42.34 by downloading it from the Flash Player Download Center or by using the auto-update mechanism within the product when prompted...
CVE numbers: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951 ..."
- http://www.adobe.com/support/security/bulletins/apsb09-19.html
Revisions: December 10, 2009 - Bulletin updated with corrected version numbers in Details section and link to Flash Player 9 under Solution.
"... For users who cannot update to Adobe Flash Player 10, Adobe has developed a patched version of Adobe Flash Player 9, Adobe Flash Player 9.0.260, which can be downloaded from the following link:
http://www.adobe.com/go/kb406791 "
- http://get.adobe.com/flashplayer/
Browser: Firefox, Safari, Opera - install_flash_player.exe
- http://get.adobe.com/flashplayer/otherversions/
Internet Explorer - install_flash_player_ax.exe
- http://get.adobe.com/air/
- http://secunia.com/advisories/37584/2/
Release Date: 2009-12-09
Critical: Highly critical
Impact: Exposure of system information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x, Adobe Flash Player 10.x ...
Solution: Update to Flash Player version 10.0.42.34 and AIR version 1.5.3...
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb09-19.html
:fear:
AplusWebMaster
2009-12-15, 11:56
FYI...
0-day Adobe Reader and Acrobat exploit in the wild
- http://www.symantec.com/connect/blogs/zero-day-xmas-present
December 14, 2009 - "Earlier today, we received a tip from a source that there is a possible Adobe Reader and Acrobat 0-day vulnerability in the wild. We have indeed -confirmed- the existence of a 0-day vulnerability in these products. The PDF files we discovered arrives as an email attachment. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H*. We have reported our findings to Adobe who have acknowledged the vulnerability in this blog**..."
* http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-121422-3337-99
** http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
December 14, 2009 - "... vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324)..."
- http://secunia.com/advisories/37690/2/
Last Update: 2009-12-16
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe Acrobat 9.x, Adobe Reader 9.x ...
"... Fixed versions will reportedly be available by January 12, 2010*..."
* http://www.adobe.com/support/security/advisories/apsa09-07.html
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214
December 14, 2009 - "... this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself...
Disable JavaScript. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
... we strongly recommend you disable JavaScript..."
:fear::fear:
AplusWebMaster
2009-12-16, 13:30
FYI...
Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/advisories/apsa09-07.html
December 15, 2009 - "... Adobe has confirmed a -critical- vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions... Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue...
Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote* for more information. Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK
Customers using Microsoft DEP ("Data Execution Prevention") functionality available in certain versions of Microsoft Windows are at reduced risk..."
* http://kb2.adobe.com/cps/532/cpsid_53237.html
:fear:
AplusWebMaster
2009-12-29, 17:59
FYI...
(0-day ...updated) Adobe Reader/Acrobat memory corruption vulns
- http://secunia.com/advisories/37690/
Last Update: 2009-12-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
Software: Adobe Acrobat... Reader...
Description:
-Two- vulnerabilities have been reported in Adobe Reader and Acrobat, which can be exploited by malicious people to compromise a user's system.
1) An error in the implementation of the "Doc.media.newPlayer()" JavaScript method can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file.
NOTE: This vulnerability is currently being actively exploited.
2) An array indexing error exists in 3difr.x3d when processing U3D CLOD Mesh Declaration blocks. This can potentially be exploited to corrupt memory and execute arbitrary code via a PDF file containing a specially crafted U3D model.
The vulnerabilities are confirmed in version 9.2. Other versions may also be affected...
- http://secunia.com/advisories/37690/2/
"... Solution:
> Do not open untrusted PDF files. Do not browse untrusted websites or follow untrusted links.
> Use the JavaScript Blacklist functionality* to block the "Doc.media.newPlayer()" method. Please see the vendor's advisory for more information.
> Versions fixing vulnerability #1 will reportedly be available by January 12, 2010...
2009-12-29: Added vulnerability #2 to the advisory..."
* http://www.adobe.com/support/security/advisories/apsa09-07.html
"... Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat..."
:fear::fear:
AplusWebMaster
2010-01-13, 03:12
FYI...
Adobe Reader v9.3 released
- http://www.adobe.com/support/security/bulletins/apsb10-02.html
January 12, 2010 - "... Adobe recommends users of Adobe Reader 9.2 and Acrobat 9.2 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3 and Acrobat 9.3. Adobe recommends users of Acrobat 8.1.7 and earlier versions for Windows and Macintosh update to Acrobat 8.2. For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3, Adobe has provided the Adobe Reader 8.2 update. Updates apply to all platforms: Windows, Macintosh and UNIX...
- http://get.adobe.com/reader
CVE numbers: CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3956, CVE-2009-3957, CVE-2009-3958, CVE-2009-3959, CVE-2009-4324
Platform: All ...
Severity rating:
Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
Release notes:
- http://kb2.adobe.com/cps/520/cpsid_52073.html
- http://secunia.com/advisories/38138/2/
Release Date: 2010-01-13 - "... Support has ended for Adobe Reader 7.x and Acrobat 7.x on Windows, Macintosh, and UNIX...
Solution: ...Upgrade to version 8.2 or 9.3..."
:fear::fear:
AplusWebMaster
2010-01-18, 16:40
FYI...
Targeted (PDF) attacks...
- http://www.f-secure.com/weblog/archives/00001859.html
January 18, 2010 - "F-Secure Labs has learned of another interesting targeted attack. In this case, malicious PDF files were emailed to US defense contractors. While the "Aurora" attacks against Google and others happened in December 2009, this happened just last week. The PDF file was quite convincing and it looked like it came from the Department of Defense... The document talks about a real conference to be held in Las Vegas in March. When opened to Adobe Reader, the file exploited the CVE-2009-4324* vulnerability. This is the doc.media.newPlayer vulnerability that Adobe patched last Tuesday. The exploit dropped a file called Updater.exe (md5: 3677fc94bc0dd89138b04a5a7a0cf2e0). This is a backdoor that connects to IP address 140.136.148.42. In order to avoid detection, it bypasses the local web proxy when doing this connection. Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4324
"... Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X..."
(Screenshots available at the F-secure URL above.)
:mad:
AplusWebMaster
2010-01-20, 04:38
FYI...
Shockwave v11.5.6.606 released
- http://www.adobe.com/support/security/bulletins/apsb10-03.html
Release date: January 19, 2010
CVE number: CVE-2009-4002, CVE-2009-4003
Platform: Windows and Macintosh
"... Adobe recommends Shockwave Player users uninstall Shockwave version 11.5.2.602 and earlier on their systems, restart their systems, and install Shockwave version 11.5.6.606, available here: http://get.adobe.com/shockwave/ ... Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
- http://news.techworld.com/security/3205708/adobe-patches-five-critical-shockwave-player-bugs/
"... installed on some 450 million PCs..."
- http://secunia.com/advisories/37888/2/
Release Date: 2010-01-20
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Director 11.x, Adobe Shockwave Player 11.x
Solution: Update to Shockwave version 11.5.6.606.
:fear:
AplusWebMaster
2010-02-12, 14:26
FYI...
Adobe Flash Player Domain Sandbox Bypass Vuln
- http://secunia.com/advisories/38547/
Release Date: 2010-02-12
Criticality level: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x, Adobe Flash CS3, Adobe Flash CS4, Adobe Flash Player 10.x, Adobe Flex 3.x
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb10-06.html
"...Details:
A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. This update also resolves a potential Denial of Service issue (CVE-2010-0187).
Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2.
- http://get.adobe.com/flashplayer/
*Adobe recommends all users of Adobe AIR version 1.5.3.9120 and earlier update to the newest version 1.5.3.9130..."
- http://get.adobe.com/air/
Revisions: February 12, 2010 - Bulletin updated with corrected version numbers for AIR.*
- http://atlas.arbor.net/briefs/index#1106299496
February 15, 2010 - "High Severity... Analysis: This is a serious issue that we encourage all sites to schedule an update..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0186
Last revised: 02/26/2010
Flash Player before 10.0.45.2, AIR before 1.5.3.9130...
CVSS v2 Base Score: 6.8 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0187
Last revised: 02/26/2010
Flash Player before 10.0.45.2, AIR before 1.5.3.9130...
CVSS v2 Base Score: 4.3 (MEDIUM)
Adobe Products XML Processing Information Disclosure
- http://secunia.com/advisories/38543/
Release Date: 2010-02-12
Criticality level: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch
Software: Adobe BlazeDS 3.x, Adobe ColdFusion 8.x, Adobe ColdFusion 9.x, Adobe ColdFusion MX 7.x, Adobe Flex Data Services 2.x, Adobe LiveCycle 8.x, Adobe LiveCycle 9.x, Adobe LiveCycle Data Services 2.x, Adobe LiveCycle Data Services 3.x
Solution: Apply patches. Please see the vendor's advisory for required installation steps.
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb10-05.html
"... Summary:
An important vulnerability (CVE-2009-3960) has been identified in BlazeDS 3.2 and earlier versions. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information. This issue affects LiveCycle 9.0, 8.2.1 and 8.0.1, and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2, which are installed with different versions of Data Services products. Adobe has provided a solution for the reported vulnerability for each affected Adobe product. It is recommended that users update their installations of each affected Adobe product to the latest version using the instructions provided..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3960
Last revised: 02/26/2010
BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0...
CVSS v2 Base Score: 4.3 (MEDIUM)
:fear:
AplusWebMaster
2010-02-17, 01:30
FYI...
Adobe Reader/Acrobat critical update released
- http://www.adobe.com/support/security/bulletins/apsb10-07.html
February 16, 2010 - "... this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.)
Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for Windows and Macintosh update to Acrobat 8.2.1.
Affected software versions:
Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh
Solution: Adobe Reader:
Users can utilize the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and can be manually activated by choosing Help > Check For Updates Now.
Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/products/reader/unix9/ (download latest update from 9.3.1 folder)...
Adobe Acrobat:
Users can utilize the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and can be manually activated by choosing Help > Check For Updates Now.
Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Severity rating:
Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188
Last revised: 02/26/2010
Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1...
CVSS v2 Base Score: 10.0 (HIGH)
- http://secunia.com/advisories/38551/
Last Update: 2010-02-17
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x, Adobe Acrobat 9.x, Adobe Reader 8.x, Adobe Reader 9.x
Solution: Update to version 8.2.1 or 9.3.1.
- http://blog.trendmicro.com/adobe-releases-out-of-band-patch-for-adobe-reader-and-acrobat/
Feb. 21, 2010
:fear::fear:
AplusWebMaster
2010-02-24, 04:15
FYI...
Adobe Download Manager - critical update
- http://www.adobe.com/support/security/bulletins/apsb10-08.html
February 23, 2010 - "Summary:
A critical vulnerability has been identified in the Adobe Download Manager. This vulnerability (CVE-2010-0189) could potentially allow an attacker to download and install unauthorized software onto a user's system. Users, who have downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ or Adobe Flash Player for Windows from http://get.adobe.com/flashplayer/ prior to the release of this Security Bulletin on February 23, 2010, can verify they are not vulnerable to this Adobe Download Manager issue by following the instructions in the Solution section below.
Affected software versions:
Adobe Download Manager on Windows (prior to February 23, 2010)
Solution:
Users, who have downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ or Adobe Flash Player for Windows from http://get.adobe.com/flashplayer/ prior to the release of this Security Bulletin on February 23, 2010, can verify they are not vulnerable to this Adobe Download Manager issue by following the instructions below:
• Ensure that the C:\Program Files\NOS\ folder and its contents ("NOS files") are not present on your system. (If the folder is present, follow the steps below to remove).
• Click "Start" > "Run" and type "services.msc". Ensure that "getPlus(R) Helper" is not present in the list of services.
If the NOS files are found, the Adobe Download Manager issue can be mitigated by:
• Navigating to Start > Control Panel > Add or Remove Programs > Adobe Download Manager, and selecting Remove to remove the Adobe Download Manager from your system.
-OR-
• Clicking "Start" > "Run" and typing "services.msc". Then deleting "getPlus(R) Helper" from the list of services.
• Then delete the C:\Program Files\NOS\ folder and its contents.
This issue is resolved as of February 23, 2010, and no action is required for future downloads of Adobe Reader from http://get.adobe.com/reader/ or Adobe Flash Player from http://get.adobe.com/flashplayer/.
Severity rating:
Adobe categorizes this as a critical update. Users can remove potentially vulnerable installations of the Adobe Download Manager using the instructions in the Solution section above.
Details:
A critical vulnerability has been identified in the Adobe Download Manager. This vulnerability (CVE-2010-0189) could potentially allow an attacker to download and install unauthorized software onto a user's system.
The Adobe Download Manager is intended for one-time use. The Adobe Download Manager is designed to remove itself from the computer after use at the next computer restart. However, Adobe recommends users verify that a potentially vulnerable version of the Adobe Download Manager is no longer installed on their machine using the instructions in the Solution section above."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0189
Last revised: 03/02/2010
getPlus Download Manager (aka DLM or Downloader) 1.5.2.35...
CVSS v2 Base Score: 10.0 (HIGH)
- http://secunia.com/advisories/38729/
Release Date: 2010-02-24
Criticality level: Highly critical
Impact: System access
Where: From remote
Software: Adobe GetPlus DLM 1.x
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-08.html
- http://blog.trendmicro.com/new-adobe-download-manager-bug/
Feb. 24, 2010
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=856
02.23.10
... DISCLOSURE TIMELINE
06/09/2009 Initial Vendor Notification
06/09/2009 Initial Vendor Reply
02/23/2010 Coordinated Public Disclosure
:fear:
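The two checks from the APSB10-08 Solution section quoted in the post above (NOS folder, "getPlus(R) Helper" service), as an added PowerShell example that is not part of the original post or Adobe's bulletin. The cleanup function follows the bulletin's manual path (delete the service, then the folder) rather than Add or Remove Programs. Assumptions: the function names are hypothetical, and the "Program Files (x86)" location is checked as a guess for 64-bit Windows; the bulletin names only C:\Program Files\NOS\.

```powershell
# Added example. Folder name and service display name come from the APSB10-08
# text quoted above; the "Program Files (x86)" location is an assumption.

function Get-AdobeDlmResidue {
    [CmdletBinding()]
    param(
        [string]$ServiceDisplayName = 'getPlus(R) Helper'
    )

    # Candidate parents of the NOS folder; drop empty entries and duplicates.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique

    $folders = @(foreach ($root in $roots) {
        $path = Join-Path -Path $root -ChildPath 'NOS'
        if (Test-Path -LiteralPath $path -PathType Container) { $path }
    })

    # -DisplayName takes wildcard patterns; parentheses are literal in them.
    $services = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        NosFolders     = $folders
        ServiceNames   = @($services | ForEach-Object { $_.Name })
        ResiduePresent = ($folders.Count -gt 0) -or ($services.Count -gt 0)
    }
}

function Remove-AdobeDlmResidue {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $found = Get-AdobeDlmResidue
    if (-not $found.ResiduePresent) {
        Write-Verbose 'No NOS folder or getPlus(R) Helper service found.'
        return $found
    }

    # Order follows the bulletin: service first, then the folder and its contents.
    foreach ($name in $found.ServiceNames) {
        if ($PSCmdlet.ShouldProcess($name, 'Stop and delete service')) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            # sc.exe delete removes the service registration (needs an elevated prompt).
            & sc.exe delete $name | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "sc.exe delete $name failed with exit code $LASTEXITCODE"
            }
        }
    }
    foreach ($folder in $found.NosFolders) {
        if ($PSCmdlet.ShouldProcess($folder, 'Delete folder and contents')) {
            Remove-Item -LiteralPath $folder -Recurse -Force
        }
    }

    # Re-run the audit so the caller sees the post-cleanup state.
    Get-AdobeDlmResidue
}

# Audit only (read-only):
Get-AdobeDlmResidue | Format-List

# Preview the cleanup without changing anything:
# Remove-AdobeDlmResidue -WhatIf
```

`ResiduePresent = False` corresponds to the bulletin's "not vulnerable" condition; the object output can be collected across machines for an inventory.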
AplusWebMaster
2010-04-09, 05:46
FYI...
Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb10-09.html
April 8, 2010 - "Adobe is planning to release updates for Adobe Reader 9.3.1 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.1 for Windows and Macintosh, and Adobe Reader 8.2.1 and Acrobat 8.2.1 for Windows and Macintosh to resolve critical security issues. Adobe expects to make these quarterly updates available on April 13, 2010. Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt * ..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4764
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1240
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1241
* http://blogs.adobe.com/psirt/2010/04/pre-notification_-_quarterly_s_2.html
April 8, 2010 - "A Security Advisory has been posted in regards to the upcoming Adobe Reader and Acrobat updates scheduled for April 13, 2010. The updates will address critical security issues in the products. This quarterly security update will be made available for Windows, Macintosh and UNIX. With this quarterly update, we are enabling the new updater first shipped in a passive state with the October quarterly security update. For more information, please refer to the Adobe Reader blog**...."
** http://blogs.adobe.com/adobereader/2010/04/upcoming_adobe_reader_and_acro.html
April 8, 2010
:fear:
AplusWebMaster
2010-04-13, 21:41
FYI...
Security update available for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb10-09.html
April 13, 2010 - "... Adobe recommends users of Adobe Reader 9.3.1 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.2. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.2, Adobe has provided the Adobe Reader 8.2.2 update.) Adobe recommends users of Adobe Acrobat 9.3.1 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.2. Adobe recommends users of Acrobat 8.2.1 and earlier versions for Windows and Macintosh update to Acrobat 8.2.2...
... Users can utilize the product's automatic update feature...
... users on Windows/Macintosh can also find the appropriate update here:
- http://www.adobe.com/support/downloads/new.jsp
... Unix users here:
- http://www.adobe.com/products/reader/unix9/
(download latest update from 9.3.2 folder)
CVE numbers: CVE-2010-0190, CVE-2010-0191, CVE-2010-0192, CVE-2010-0193, CVE-2010-0194, CVE-2010-0195, CVE-2010-0196, CVE-2010-0197, CVE-2010-0198, CVE-2010-0199, CVE-2010-0201, CVE-2010-0202, CVE-2010-0203, CVE-2010-0204, CVE-2010-1241
Platform: All Platforms
- http://secunia.com/advisories/39272/
Release Date: 2010-04-14
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x, Adobe Acrobat 9.x, Adobe Reader 8.x, Adobe Reader 9.x
Solution: Update to version 9.3.2 or 8.2.2.
- http://atlas.arbor.net/briefs/index#-69029221
April 20, 2010 - "Analysis: We have seen exploit code used for some of these bugs, most notably with the Zeus botnet. We encourage all sites to update their Adobe PDF viewers immediately to address these issues."
:fear:
AplusWebMaster
2010-05-01, 05:06
FYI...
Security issues in Adobe Photoshop CS4 11.0.0
- http://www.adobe.com/support/security/bulletins/apsb10-10.html
April 30, 2010 - "Critical vulnerabilities have been identified in Photoshop CS4 that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system... Adobe recommends Photoshop CS4 customers update to Photoshop CS4 11.0.1 using the instructions below.
To verify the version of Adobe Photoshop CS4 currently installed, choose Help > About Adobe Photoshop CS4 from the Adobe Photoshop menu bar. To check for updates, choose Help > Updates from the Adobe Photoshop menu bar.
Photoshop CS4 customers can also find the Photoshop CS4 11.0.1 update for Windows or Macintosh here:
Adobe Photoshop CS4 11.0.1 update for Windows
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4292
Adobe Photoshop CS4 11.0.1 update for Macintosh
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4291
Note: These issues do not affect Photoshop CS5..."
- http://www.adobe.com/support/downloads/new.jsp
Adobe Photoshop CS4 TIFF File Processing vuln - update available
- http://secunia.com/advisories/39711/
Release Date: 2010-05-03
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to Photoshop CS4 11.0.1.
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1279
Adobe Photoshop -CS3- TIFF File Processing Vuln
- http://secunia.com/advisories/39709/
Release Date: 2010-05-05
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: -Unpatched-
Solution: Upgrade to a higher version.
:fear::fear:
AplusWebMaster
2010-05-12, 04:53
FYI...
Shockwave Player v11.5.7.609 released
- http://www.adobe.com/support/security/bulletins/apsb10-12.html
May 11, 2010 - "... Summary:
Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the instructions provided below.
Affected software versions: Shockwave Player 11.5.6.606 and earlier versions for Windows and Macintosh
Solution: Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions upgrade to the newest version 11.5.7.609, available here:
- http://get.adobe.com/shockwave/
CVE number: CVE-2010-0127, CVE-2010-0128, CVE-2010-0129, CVE-2010-0130, CVE-2010-0986, CVE-2010-0987, CVE-2010-1280, CVE-2010-1281, CVE-2010-1282, CVE-2010-1283, CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291, CVE-2010-1292
Platform: Windows and Macintosh
Adobe Shockwave Player Multiple Vulnerabilities
- http://secunia.com/advisories/38751/
Hotfixes available for ColdFusion
- http://www.adobe.com/support/security/bulletins/apsb10-11.html
May 11, 2010 - "... Summary:
Important vulnerabilities have been identified in ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX. The vulnerabilities could lead to cross-site scripting and information disclosure.
Affected software versions: ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the following link:
- http://kb2.adobe.com/cps/841/cpsid_84102.html
CVE number: CVE-2009-3467, CVE-2010-1293, CVE-2010-1294
Platform: All Platforms ..."
Adobe ColdFusion Cross-Site Scripting and Information Disclosure
- http://secunia.com/advisories/39790/
:fear:
AplusWebMaster
2010-05-27, 04:19
FYI...
Photoshop CS4 v11.0.2 - security update
- http://www.adobe.com/support/security/bulletins/apsb10-13.html
May 26, 2010 - "Critical vulnerabilities have been identified in Photoshop CS4 11.0.1 and earlier for Windows and Macintosh that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system... Adobe recommends Photoshop CS4 customers update to Photoshop CS4 11.0.2, which resolves these issues.
Note: None of these issues affect Photoshop CS5.
To verify the version of Adobe Photoshop CS4 currently installed, choose Help > About Adobe Photoshop CS4 from the Adobe Photoshop menu bar. To check for updates, choose Help > Updates from the Adobe Photoshop menu bar.
Photoshop CS4 customers can also find the Photoshop CS4 11.0.2 update for Windows or Macintosh here:
* Adobe Photoshop CS4 11.0.2 update for Windows
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4713
* Adobe Photoshop CS4 11.0.2 update for Macintosh
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4712 ..."
- http://secunia.com/advisories/39934/
Release Date: 2010-05-27
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 11.0.2...
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1296
Last revised: 05/27/2010
:fear:
AplusWebMaster
2010-06-05, 15:50
FYI...
Adobe Flash/Acrobat/Reader vulns
___
Status update: Adobe vulnerabilities - exploits-in-the-wild ...
- http://www.adobe.com/support/security/advisories/apsa10-01.html
Last updated: June 8, 2010 - "... We are in the process of finalizing a fix for the issue, and expect to provide an update for Flash Player 10.x for Windows, Macintosh, and Linux by June 10, 2010. The patch date for Flash Player 10.x for Solaris is still to be determined.
We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010..."
- http://atlas.arbor.net/briefs/index#-1218073436
Title: Adobe Flash, Reader, and Acrobat 0day authplay Vulnerability
Severity: Extreme Severity
June 09, 2010 - "Analysis: This is an active, critical issue being exploited in the wild. We have multiple sources of these attacks with minimal AV detection. We encourage sites to investigate remediation steps immediately to address this."
Source: http://www.us-cert.gov/cas/techalerts/TA10-159A.html
- http://www.f-secure.com/weblog/archives/00001963.html
June 8, 2010 - "... spam run pushing a PDF exploit... screenshot of the PDF attachment..."
Adobe 0-day used in targeted attacks
- http://community.websense.com/blogs/securitylabs/archive/2010/06/09/how-the-adobe-0-day-is-used-in-attacks.aspx
9 Jun 2010
- http://www.kb.cert.org/vuls/id/486225
Date Last Updated: 2010-06-09
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297
Last revised: 06/09/2010
CVSS v2 Base Score: 9.3 (HIGH)
Mitigations for Adobe vulnerability: CVE-2010-1297
- http://www.sophos.com/blogs/sophoslabs/?p=9954
June 8, 2010 - "...
1. Renaming authplay.dll: Our testing shows that this workaround, at least for this sample, works successfully (as claimed by Adobe). Acrobat will work normally on regular PDFs, but on exploited files (and potentially others with embedded SWF files), it will crash, but the exploit will fail.
2. Disabling JavaScript: As recommended previously, disabling JavaScript in Acrobat Reader is another workaround for this sample (since it relies on JavaScript to create the shellcode).
3. Alternative PDF reader: The exploit depends upon embedded SWF content, so PDF readers which ignore this ought to be safe..."
- http://www.symantec.com/connect/blogs/0-day-attack-wild-adobe-flash-reader-and-acrobat
June 6, 2010 - "We have confirmed the attacks that are exploiting the vulnerability (CVE-2010-1297) Adobe announced on its security advisory* are in the wild. The exploit takes advantage of an unpatched vulnerability in Flash Player, Adobe Reader, and Acrobat, and affects users regardless of whether they use Windows, Macintosh, Solaris, Linux, or UNIX... Attacks can take place in various situations with a few listed below:
• Receiving an email with a malicious PDF attachment.
• Receiving an email with a link to the malicious PDF file or a website with the malicious SWF imbedded in malicious HTML code.
• Stumbling across a malicious PDF or SWF file when surfing the web..."
- http://krebsonsecurity.com/2010/06/adobe-warns-of-critical-flaw-in-flash-acrobat-reader/
June 5, 2010
- http://blog.trendmicro.com/zero-day-flashacrobat-exploit-seen-in-the-wild/
June 5, 2010
- http://blogs.adobe.com/psirt/2010/06/security_advisory_for_adobe_re.html
June 4, 2010
Adobe Flash Player vuln
- http://secunia.com/advisories/40026/
Release Date: 2010-06-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software: Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
NOTE: The vulnerability is reportedly being actively exploited.
Solution: Reportedly, the latest version 10.1 Release Candidate is not affected...
- http://labs.adobe.com/downloads/flashplayer10.html
Reported as a 0-day.
Original Advisory: Adobe:
* http://www.adobe.com/support/security/advisories/apsa10-01.html
Adobe Reader/Acrobat vuln
- http://secunia.com/advisories/40034/
Release Date: 2010-06-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
NOTE: The vulnerability is currently being actively exploited.
Solution: Delete, rename, or remove access to authplay.dll to prevent running SWF content in PDF files...
Reported as a 0-day.
:fear::fear:
AplusWebMaster
2010-06-11, 02:26
FYI...
Adobe Flash v10.1.53.64 released
- http://www.adobe.com/support/security/bulletins/apsb10-14.html
June 10, 2010 - "... Adobe recommends all users of Adobe Flash Player 10.0.45.2 and earlier versions upgrade to the newest version 10.1.53.64* by downloading it from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted... Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64...
CVE number: CVE-2008-4546, CVE-2009-3793, CVE-2010-1297, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171, CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187, CVE-2010-2188, CVE-2010-2189 ...
* http://www.adobe.com/products/flashplayer/productinfo/instructions/
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297
Last revised: 06/25/2010
CVSS v2 Base Score: 9.3 (HIGH)
Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Test after install:
- http://www.adobe.com/software/flash/about/
... For users who cannot update to Flash Player 10.1.53.64, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.277.0:
- http://kb2.adobe.com/cps/406/kb406791.html
2010-06-10
- http://atlas.arbor.net/briefs/index#-151014831
Severity: Extreme Severity
... Exploit code is in circulation in the wild. Adobe has released APSB10-14 to address this issue.
Analysis: This is a key update for all Adobe users, and we encourage all sites to update as soon as possible.
- http://securitytracker.com/alerts/2010/Jun/1024085.html
Jun 11 2010
- http://secunia.com/advisories/40026/
Last Update : 2010-06-11
Criticality level: Extremely critical
Impact: Cross Site Scripting, System access
Where: From remote ...
Solution: Update to version 9.0.277.0 or 10.1.53.64.
Adobe AIR v2.0.2.12610
- http://get.adobe.com/air/
... http://secunia.com/advisories/40144/
Release Date: 2010-06-11
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote
Solution: Upgrade to version 2.0.2.12610...
- http://www.adobe.com/support/security/advisories/apsa10-01.html
Last updated: June 10, 2010 - "... We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010..."
:fear::fear:
AplusWebMaster
2010-06-30, 00:51
FYI...
Adobe Reader/Acrobat v9.3.3 released
- http://www.adobe.com/support/security/bulletins/apsb10-15.html
June 29, 2010 - CVE numbers: CVE-2010-1240, CVE-2010-1285, CVE-2010-1295, CVE-2010-1297, CVE-2010-2168, CVE-2010-2201, CVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205, CVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, CVE-2010-2212
Platform: All Platforms
Summary: Critical vulnerabilities have been identified in Adobe Reader/Acrobat 9.3.2... Adobe recommends users of Adobe Reader/Acrobat 9.3.2 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader/Acrobat 9.3.3. (For Adobe Reader/Acrobat users on Windows and Macintosh, who cannot update to Adobe Reader/Acrobat 9.3.3, Adobe has provided the Adobe Reader/Acrobat 8.2.3 update.)...
Adobe Reader/Acrobat - Users can utilize the product's automatic update feature. The default installation configuration runs automatic updates on a regular schedule and can be manually activated by choosing Help > Check for Updates...
- http://www.adobe.com/support/downloads/new.jsp
- http://secunia.com/advisories/40034/
Last Update: 2010-06-30
Criticality level: Extremely critical
Impact: System access
Where: From remote ...
NOTE: The vulnerability is currently being actively exploited...
Solution: Update to version 9.3.3 or 8.2.3.
- http://securitytracker.com/alerts/2010/Jun/1024159.html
Jun 29 2010
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1240
Last revised: 07/02/2010
CVSS v2 Base Score: 9.3 (HIGH)
"... Acrobat 9.x before 9.3.3, and 8.x before 8.2.3..."
- http://isc.sans.edu/diary.html?storyid=9112
Last Updated: 2010-07-02 02:43:08 UTC
:fear:
AplusWebMaster
2010-08-04, 16:20
FYI...
Adobe Reader 0-day, again...
- http://www.theregister.co.uk/2010/08/04/critical_adobe_reader_vuln/
4 August 2010 - "... yet another vulnerability in Adobe Reader that allows hackers to execute malicious code on computers by tricking their users into opening booby-trapped files... Brad Arkin, senior director of product security and privacy at Adobe, said members of the company's security team attended Miller's talk and have since confirmed his claims that the vulnerability can lead to remote code execution. The team is in the process of developing a patch and deciding whether to distribute it during Adobe's next scheduled update release or as an “out-of-band” fix that would come out in the next few weeks..."
- http://blogs.adobe.com/adobereader/
- http://secunia.com/advisories/40766/
Last update: 2010-08-06
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
... Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in Adobe Reader versions 8.2.3 and 9.3.3 and Adobe Acrobat version 9.3.3. Other versions may also be affected...
- http://www.adobe.com/support/security/bulletins/apsb10-17.html
August 5, 2010 - "Adobe is planning to release updates for Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh to resolve critical security issues, including CVE-2010-2862... Adobe expects to make these updates available during the week of August 16, 2010... Note that these updates represent an out-of-band release. Adobe is currently scheduled to release the next quarterly security update for Adobe Reader and Acrobat on October 12, 2010..."
- http://blogs.adobe.com/psirt/2010/08/pre-notification-out-of-band-security-updates-for-adobe-reader-and-acrobat.html
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2862
Last revised: 08/06/2010
:fear:
AplusWebMaster
2010-08-11, 04:30
FYI...
Adobe Flash Player / Adobe AIR - critical updates
- http://www.adobe.com/support/security/bulletins/apsb10-16.html
August 10, 2010 - "Critical vulnerabilities have been identified in Adobe Flash Player version 10.1.53.64 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 10.1.53.64 and earlier versions update to Adobe Flash Player 10.1.82.76. Adobe recommends users of Adobe AIR 2.0.2.12610 and earlier versions update to Adobe AIR 2.0.3.
CVE number: CVE-2010-0209, CVE-2010-2188, CVE-2010-2213, CVE-2010-2214, CVE-2010-2215, CVE-2010-2216
Affected software versions:
• Adobe Flash Player 10.1.53.64 and earlier versions for Windows, Macintosh, Linux, and Solaris
• Adobe AIR 2.0.2.12610 and earlier versions for Windows, Macintosh and Linux...
For users who cannot update to Flash Player 10.1.82.76, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.280, which can be downloaded from here*...
Adobe recommends all users of Adobe AIR 2.0.2.12610 and earlier versions update to the newest version 2.0.3 by downloading it from the Adobe AIR Download Center:
- http://get.adobe.com/air/
* http://kb2.adobe.com/cps/406/kb406791.html
Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,1,82,76 installed"
___
Adobe Flash Media Server - critical update
- http://www.adobe.com/support/security/bulletins/apsb10-19.html
August 10, 2010
CVE number: CVE-2010-2217, CVE-2010-2218, CVE-2010-2219, CVE-2010-2220
Platform: Windows, Linux ...
___
Hotfix available for ColdFusion
- http://www.adobe.com/support/security/bulletins/apsb10-18.html
August 10, 2010
Affected software versions: ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote**...
Severity rating: Adobe categorizes this as an important update...
** http://kb2.adobe.com/cps/857/cpsid_85766.html
___
http://www.securitytracker.com/id?1024313 - Flash Player
http://www.securitytracker.com/id?1024315 - Flash Media Server
http://www.securitytracker.com/id?1024314 - ColdFusion
Aug 10 2010
:fear:
AplusWebMaster
2010-08-22, 11:30
FYI...
Adobe Reader/Acrobat v9.3.4 released
- http://www.adobe.com/support/security/bulletins/apsb10-17.html
August 19, 2010
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2862
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1240
Platform: All Platforms
Summary: Critical vulnerabilities have been identified in Adobe Reader 9.3.3 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.3 (and earlier versions) and Adobe Acrobat 8.2.3 (and earlier versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system... Adobe recommends users of Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.4, Adobe has provided the Adobe Reader 8.2.4 update*.) Adobe recommends users of Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.4. Adobe recommends users of Adobe Acrobat 8.2.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.4...
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2010-2862).
These updates further mitigate a social engineering attack that could lead to code execution (CVE-2010-1240)...
Users can utilize the product's update mechanism...
* http://www.adobe.com/support/downloads/new.jsp
___
- http://www.us-cert.gov/cas/techalerts/TA10-231A.html
August 19, 2010 - "... vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file...
Solution:
• Update... Users are encouraged to read Adobe Security Bulletin APSB10-17* and update vulnerable versions of Adobe Reader and Acrobat...
• Disable JavaScript in Adobe Reader and Acrobat ... JavaScript can be disabled using the Preferences menu...
• Disable the display of PDF files in the web browser ... Uncheck the 'Display PDF in browser' checkbox...."
(More detail at the US-CERT URL above.)
* http://www.adobe.com/support/security/bulletins/apsb10-17.html
:fear:
AplusWebMaster
2010-08-25, 05:14
FYI...
Shockwave Player v11.5.8.612 released
- http://www.adobe.com/support/security/bulletins/apsb10-20.html
August 24, 2010
CVE number: CVE-2010-2863, CVE-2010-2864, CVE-2010-2865, CVE-2010-2866, CVE-2010-2867, CVE-2010-2868, CVE-2010-2869, CVE-2010-2870, CVE-2010-2871, CVE-2010-2872, CVE-2010-2873, CVE-2010-2874, CVE-2010-2875, CVE-2010-2876, CVE-2010-2877, CVE-2010-2878, CVE-2010-2879, CVE-2010-2880, CVE-2010-2881, CVE-2010-2882
Platform: Windows and Macintosh
Summary: Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.7.609 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions update to Adobe Shockwave Player 11.5.8.612...
Solution: Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions upgrade to the newest version 11.5.8.612, available here: http://get.adobe.com/shockwave/ ...
:fear::fear:
AplusWebMaster
2010-09-08, 18:59
FYI...
- http://www.adobe.com/support/security/advisories/apsa10-02.html
September 8, 2010 - "... A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild..."
- http://isc.sans.edu/diary.html?storyid=9523
Last Updated: 2010-09-08 18:03:06 UTC
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2883
Last revised: 09/10/2010 - "... exploited in the wild in September 2010..."
CVSS v2 Base Score: 9.3
Adobe Reader/Acrobat vuln... unpatched
- http://secunia.com/advisories/41340/
Release Date: 2010-09-08
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
...vulnerability is confirmed in versions 8.2.4 and 9.3.4. Other versions may also be affected.
NOTE: The vulnerability is currently being actively exploited.
Solution: Do not open untrusted files.
Provided and/or discovered by: Reported as a 0-day....
- http://www.virustotal.com/file-scan/report.html?id=d55aa45223606db795d29ab9e341c1c703e5a2e26bd98402779f52b6c2e9da2b-1283972909
File name: Golf Clinic.pdf
Submission date: 2010-09-08 19:08:29 (UTC)
Result: 11/43 (25.6%)
(Better)...
- http://www.virustotal.com/file-scan/report.html?id=d55aa45223606db795d29ab9e341c1c703e5a2e26bd98402779f52b6c2e9da2b-1284031469
File name: Golf Clinic.pdf
Submission date: 2010-09-09 11:24:29 (UTC)
Result: 21/43 (48.8%)
:fear::fear:
AplusWebMaster
2010-09-14, 13:10
FYI...
0-day Flash vuln "exploit in the wild"...
- http://www.adobe.com/support/security/advisories/apsa10-03.html
September 13, 2010 - "... A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Android operating systems. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884*) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.
We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010.
We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010..."
- http://isc.sans.edu/diary.html?storyid=9544
Last Updated: 2010-09-14 00:40:35 UTC
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2884
- http://secunia.com/advisories/41434/
Release Date: 2010-09-14
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
- http://securitytracker.com/alerts/2010/Sep/1024432.html
Sep 14 2010
:fear:
AplusWebMaster
2010-09-19, 15:46
FYI...
Flash update 2010.09.20 ...
- http://www.adobe.com/support/security/advisories/apsa10-03.html
Last updated: September 17, 2010 - "... We now expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems on Monday September 20, 2010. A fix is now available for Google Chrome users. Chrome users can update to Chrome 6.0.472.62. To verify your current Chrome version number and update if necessary, follow the instructions here: http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_17.html (September 17, 2010). We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2884
Last revised: 09/18/2010 - "... as exploited in the wild in September 2010..."
CVSS v2 Base Score: 9.3 (HIGH)
- http://xforce.iss.net/xforce/xfdb/61771
September 18, 2010 - High Risk
** http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414
"...You can tell if updates are available if the wrench icon on the browser toolbar has a little orange dot: update notification. To apply the update, just close and restart the browser..."
:fear:
AplusWebMaster
2010-09-20, 22:40
FYI...
Adobe Flash Player v10.1.85.3 released
- http://www.adobe.com/support/security/bulletins/apsb10-22.html
Sep. 20, 2010 - "A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh... Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.85.3, and users of Adobe Flash Player 10.1.92.10 for Android update to Adobe Flash Player 10.1.95.1... Users of Flash Player for Android version 10.1.92.10 and earlier can update to Flash Player version 10.1.95.1 by browsing to the Android Marketplace on an Android phone. For users who cannot update to Flash Player 10.1.85.3, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.283, which can be downloaded here*..."
* http://www.adobe.com/go/kb406791
- http://get.adobe.com/flashplayer/
___
Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,1,85,3 installed"
___
- http://secunia.com/advisories/41434/
Last updated 2010-09-21
Criticality level: Extremely critical
Solution: Update to version 9.0.283 or 10.1.85.3...
:fear:
AplusWebMaster
2010-10-06, 03:11
FYI...
Adobe Reader/Acrobat v9.4 update available
- http://www.adobe.com/support/security/bulletins/apsb10-21.html
October 5, 2010 - "Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier versions) for Windows and Macintosh... Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.) Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5... Adobe Reader Users on Windows and Macintosh can utilize the product's update mechanism..."
CVE Numbers: CVE-2010-2883, CVE-2010-2884, CVE-2010-2887, CVE-2010-2888, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623, CVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631, CVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658
"... Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5..."
- http://www.adobe.com/support/downloads/new.jsp
10/5/2010
- http://secunia.com/advisories/41340/
Last Update: 2010-10-06
Criticality level: Extremely critical
Impact: System access ...
"... NOTE: The vulnerability is currently being actively exploited..."
Solution: Update to version 8.2.5 and 9.4...
- http://www.securitytracker.com/id?1024511
Oct 6 2010
:fear:
AplusWebMaster
2010-10-22, 17:02
FYI...
Shockwave v11.5.9.615 released
- http://forums.spybot.info/showpost.php?p=387189&postcount=15
___
Shockwave Player vuln - unpatched
- http://secunia.com/advisories/41932/
Release Date: 2010-10-22
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
The vulnerability is confirmed in version 11.5.8.612...
Solution: Do not visit untrusted websites*...
Original Advisory: Adobe:
http://www.adobe.com/support/security/advisories/apsa10-04.html
Last updated: October 27, 2010 - "... As of October 27, Adobe is aware of reports of this vulnerability being exploited in the wild... We are in the process of finalizing a fix for the issue and expect to provide an update for Shockwave Player on October 28, 2010..."
http://blogs.adobe.com/psirt/2010/10/security-advisory-for-adobe-shockwave-player-apsa10-04.html
"... vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3653
Last revised: 10/27/2010
CVSS v2 Base Score: 9.3 (HIGH)
* -and/or- UNINSTALL Shockwave Player. You can live without it.
:fear::fear:
AplusWebMaster
2010-10-28, 19:57
FYI...
Adobe Flash... 0-day... unpatched
* http://www.adobe.com/support/security/advisories/apsa10-05.html
Release date: October 28, 2010
CVE number: CVE-2010-3654
"A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player. We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux, and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010..."
- http://secunia.com/advisories/41917/
Last Update: 2010-10-29
Criticality level: Extremely critical
NOTE: The vulnerability is currently being actively exploited...
... Adobe plans to release a fixed version on November 9, 2010.
... Reported as a 0-day.
Original Advisory: Adobe APSA10-05*
Adobe Reader/Acrobat ...
- http://secunia.com/advisories/42030/
...Adobe plans to release a fixed version on November 15, 2010.
Original Advisory: Adobe APSA10-05*
Chrome ...
- http://secunia.com/advisories/42031/
- http://www.theregister.co.uk/2010/10/28/adobe_reader_critical_vuln/
28 October 2010
- http://www.virustotal.com/file-scan/report.html?id=c4722bf958337e79fd53e8cbc289b58fdcce922ef025302cbca7679a5eae772a-1288229160
File name: nsunday.exe
Submission date: 2010-10-28
Result: 15/42 (35.7%)
There is a more up-to-date report (27/43) for this file...
- http://www.virustotal.com/file-scan/report.html?id=c4722bf958337e79fd53e8cbc289b58fdcce922ef025302cbca7679a5eae772a-1288324712
File name: 9F0CEFE847174185030A1F027B3813EC
Submission date: 2010-10-29
Result: 27/43 (62.8%)
___
- http://isc.sans.edu/diary.html?storyid=9835
Last Updated: 2010-10-28 21:51:01 UTC - "... mitigation measures recommended by Adobe:
Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.
The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
Adobe Reader 9.x - UNIX
1) Go to installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0."
More information at
- http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html ..."
___
- http://www.kb.cert.org/vuls/id/298081
2010-10-28 - "... consider the following workarounds: Disable Flash..."
ThreatCon... Elevated.
- http://www.symantec.com/security_response/threatconlearn.jsp
Oct. 29, 2010 - "... Adobe Flash Player, Adobe Reader, and Acrobat... vulnerability... being actively exploited in the wild..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Last revised: 10/29/2010
:fear::fear::fear:
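The file-removal workaround quoted from the ISC diary in the post above, as an added example that is not part of the original post or Adobe's advisory: it checks each documented authplay location under a scan root and renames the component instead of deleting it, so the change can be reversed once the patch is installed. The scan-root convention (the directory holding `Adobe` or the Macintosh application folders), the `.app` bundle names, the `.disabled` suffix and all function names are assumptions.

```python
from pathlib import Path

SUFFIX = ".disabled"  # assumed marker for a renamed (disabled) component

# Locations from the quoted mitigation text, relative to a scan root such as
# "C:/Program Files", "/Applications" or the directory that holds "Adobe".
# The ".app" bundle names are assumptions; the text only names the applications.
CANDIDATES = [
    ("Adobe Reader 9.x (Windows)", "Adobe/Reader 9.0/Reader/authplay.dll"),
    ("Adobe Acrobat 9.x (Windows)", "Adobe/Acrobat 9.0/Acrobat/authplay.dll"),
    ("Adobe Reader 9.x (Macintosh)",
     "Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"),
    ("Acrobat Pro 9.x (Macintosh)",
     "Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app/Contents/Frameworks/AuthPlayLib.bundle"),
    ("Adobe Reader 9.x (Linux)",
     "Adobe/Reader9/Reader/intellinux/lib/libauthplay.so.0.0.0"),
    ("Adobe Reader 9.x (Solaris)",
     "Adobe/Reader9/Reader/intelsolaris/lib/libauthplay.so.0.0.0"),
]


def audit(root):
    """Return [(product, path, state)] for every documented location.

    state: 'present'  - the component is in place and can be loaded
           'disabled' - only a renamed copy exists at that location
           'absent'   - nothing found (product not installed under root)
    """
    root = Path(root)
    findings = []
    for product, rel in CANDIDATES:
        target = root / rel
        if target.exists():
            state = "present"
        elif target.parent.is_dir() and any(
                target.parent.glob(target.name + SUFFIX + "*")):
            state = "disabled"
        else:
            state = "absent"
        findings.append((product, target, state))
    return findings


def _free_name(target):
    """First unused '<name>.disabled[.N]' beside target, so a component that
    was put back later never overwrites an earlier renamed copy."""
    candidate = target.with_name(target.name + SUFFIX)
    n = 1
    while candidate.exists():
        candidate = target.with_name(f"{target.name}{SUFFIX}.{n}")
        n += 1
    return candidate


def mitigate(root, dry_run=True):
    """Rename every 'present' component; return [(product, old, new)].

    With dry_run=True nothing is touched and the list is the plan.
    Works for the .dll/.so files and for the Macintosh bundle directory.
    """
    changes = []
    for product, target, state in audit(root):
        if state != "present":
            continue
        dest = _free_name(target)
        if not dry_run:
            target.rename(dest)
        changes.append((product, target, dest))
    return changes


def build_sample_tree(root):
    """Constructed layout for testing: a Linux Reader install and a Mac bundle."""
    root = Path(root)
    lib = root / "Adobe/Reader9/Reader/intellinux/lib"
    lib.mkdir(parents=True)
    (lib / "libauthplay.so.0.0.0").write_bytes(b"constructed placeholder")
    bundle = root / ("Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/"
                     "AuthPlayLib.bundle")
    bundle.mkdir(parents=True)
    (bundle / "Info.plist").write_text("constructed placeholder")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for product, old, new in mitigate(tmp, dry_run=False):
            print(f"{product}: {old.name} -> {new.name}")
        for product, _, state in audit(tmp):
            print(f"{product}: {state}")
```

As the quoted text notes, once the component is out of the way, opening a PDF that contains Flash (SWF) content produces a non-exploitable crash or error message.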
AplusWebMaster
2010-10-28, 22:27
FYI...
Shockwave v11.5.9.615 released
- http://www.adobe.com/support/security/bulletins/apsb10-25.html
CVE number: CVE-2010-2581, CVE-2010-2582, CVE-2010-3653, CVE-2010-3655, CVE-2010-4084, CVE-2010-4085, CVE-2010-4086, CVE-2010-4087, CVE-2010-4088, CVE-2010-4089, CVE-2010-4090
October 28, 2010 - "Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems... Adobe recommends users of Adobe Shockwave Player 11.5.8.612 and earlier versions upgrade to the newest version 11.5.9.615, available here:
- http://get.adobe.com/shockwave/ ..."
:fear:
AplusWebMaster
2010-11-03, 04:14
FYI...
- http://isc.sans.edu/diary.html?storyid=9892
Last Updated: 2010-11-04 22:27:50 UTC - "... current 'State of Adobe'...
Product Latest Version
PDF Reader - v9.4.0 - vulnerable: http://secunia.com/advisories/42095/
Flash Player - 10.1.102.64
Shockwave Player- 11.5.9.615 - vulnerable: http://secunia.com/advisories/42112/
Acrobat - 9.4.0 - vulnerable: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Air - 2.5 ..."
- http://isc.sans.edu/tag.html?tag=adobe
___
Flash update now expected 11.4.2010...
- http://www.adobe.com/support/security/advisories/apsa10-05.html
Last updated: November 2, 2010 - "... We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux and Solaris by November 4, 2010. We expect to make available an update for Flash Player 10.x for Android by November 9, 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Last revised: 11/01/2010
CVSS v2 Base Score: 9.3 (HIGH)
:fear:
AplusWebMaster
2010-11-05, 01:14
FYI...
Flash Media Server multiple vulns - update available
- http://secunia.com/advisories/42157/
Release Date: 2010-11-10
Criticality level: Highly critical
Impact: DoS, System access
Where: From remote ...
Solution: Update to Flash Media Server version 3.0.7, 3.5.5, or 4.0.1.
Original Advisory: APSB10-27:
http://www.adobe.com/support/security/bulletins/apsb10-27.html
CVE-2010-3633, CVE-2010-3634, CVE-2010-3635
___
Flash v10.1.102.64 released
- http://www.adobe.com/support/security/advisories/apsa10-05.html
Last updated: November 4, 2010 - "A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android... Adobe recommends... update to Adobe Flash Player 10.1.102.64. For more information, please refer to Security Bulletin APSB10-26*..."
* http://www.adobe.com/support/security/bulletins/apsb10-26.html
Release date: November 4, 2010
CVE number: CVE-2010-3636, CVE-2010-3637, CVE-2010-3638, CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3654, CVE-2010-3976
Platform: All Platforms...
Adobe recommends users of Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.102.64... users who cannot update to Flash Player 10.1.102.64, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.289.0, which can be downloaded from: http://www.adobe.com/go/kb406791 ..."
- http://www.adobe.com/support/security/bulletins/apsb10-26.html
Last updated: November 9, 2010 - "... Users of Flash Player for Android version 10.1.95.1 and earlier can update to Flash Player version 10.1.105.6 by browsing to the Android Marketplace on an Android phone*..."
* http://market//details?id=com.adobe.flashplayer
___
Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,1,102,64 installed"
___
- http://www.securitytracker.com/id?1024685
Nov 5 2010
___
Flash Update plugs 18 security holes
- http://krebsonsecurity.com/2010/11/flash-update-plugs-18-security-holes/
v10.1.102.64 ...
:fear::fear:
AplusWebMaster
2010-11-08, 14:50
FYI...
Adobe Reader vuln
- http://secunia.com/advisories/42095/
Last Update: 2010-11-17
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 9.4.1.
Adobe Shockwave Player vuln - unpatched
- http://secunia.com/advisories/42112/
Last Update: 2010-11-16
Criticality level: Moderately critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
... The vulnerability is confirmed in version 11.5.9.615. Other versions may also be affected.
Solution: Do not open the "Shockwave Settings" window when viewing Shockwave content...
- http://www.securitytracker.com/id?1024682
Nov 4 2010
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4092
Last revised: 11/11/2010
CVSS v2 Base Score: 9.3 (HIGH)
* -and/or- UNINSTALL Shockwave Player. You can live without it.
:fear::fear:
AplusWebMaster
2010-11-10, 23:42
Adobe Reader/Acrobat v9.4.1 released
- http://forums.spybot.info/showpost.php?p=388827&postcount=20
___
Adobe PDF Reader status:
- http://www.adobe.com/support/security/bulletins/apsb10-28.html
November 12, 2010 - "... updates for Adobe Reader 9.4... and Adobe Acrobat 9.4... Adobe expects to make updates for Windows and Macintosh available on Tuesday, November 16, 2010. An update for UNIX is expected to be available on Monday, November 30, 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Original release date: 10/29/2010 - Last revised: 11/11/2010
CVSS v2 Base Score: 9.3 (HIGH) "... as exploited in the wild in October 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4091
Original release date: 11/07/2010 - Last revised: 11/11/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://secunia.com/advisories/42030/
Release Date: 2010-10-28
- http://secunia.com/advisories/42095/
Last Update: 2010-11-08
- http://contagiodump.blogspot.com/2010/11/cve-2010-3654.html
November 10, 2010
Alternative:
- http://forums.spybot.info/showpost.php?p=389640&postcount=28
FoxIt Reader v4.3.0.1110
:fear::fear:
AplusWebMaster
2010-11-16, 23:21
FYI...
Adobe Reader/Acrobat v9.4.1 released
- http://www.adobe.com/support/security/bulletins/apsb10-28.html
November 16, 2010 - "Critical vulnerabilities... Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1...
Adobe Reader/Acrobat: Users on Windows and Macintosh can utilize the product's update mechanism..."
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4091
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.adobe.com/support/downloads/new.jsp
11/16/2010
:fear:
AplusWebMaster
2010-11-19, 14:24
FYI...
Adobe Reader X released
- http://www.adobe.com/products/reader/tech-specs.html
- http://www.adobe.com/products/reader/features.html
- http://get.adobe.com/reader/otherversions/
- http://www.adobe.com/products/reader.html
- http://www.adobe.com/support/downloads/new.jsp
11/18/2010
- http://isc.sans.edu/diary.html?storyid=9976
Last Updated: 2010-11-19 17:45:42 UTC - "... This is the version of Reader that has a sandbox feature built in; there is now a degree of separation between the OS and the potentially malicious PDF files. The same sandbox mechanism had been implemented in Google Chrome and also MS Office. Containment of the harmful files lessens the damage should a successful attack happen..."
- http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29
:fear:
AplusWebMaster
2010-12-13, 14:35
FYI...
Adobe Photoshop v12.0.2 released
- http://secunia.com/advisories/42492/
Release Date: 2010-12-13
Criticality level: Moderately critical
Impact: Unknown
Where: From remote
Solution Status: Vendor Patch
... The vulnerabilities are reported in versions prior to CS5 12.0.2.
Solution: Update to version CS5 12.0.2...
Original Advisory:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4893
:fear:
AplusWebMaster
2010-12-19, 13:23
FYI...
Adobe Photoshop CS5 - Security update
- http://www.adobe.com/support/security/bulletins/apsb10-30.html
December 17, 2010 - "An important library-loading vulnerability has been identified in Adobe Photoshop CS5 12.0.1 and earlier on the Windows platform. Adobe recommends users update their Adobe Photoshop CS5 installations..."
CVE number: CVE-2010-3127
Adobe Photoshop 12.0.3 update
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4949
"... Adobe Photoshop 12.0.3 update fixes a number of high priority bugs including tool tips on Windows XP, painting performance and type-related issues. This update is recommended for all Windows users..."
:fear:
AplusWebMaster
2011-02-09, 00:57
FYI...
Security updates - Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb11-03.html
February 8, 2011
CVE Numbers: CVE-2010-4091, CVE-2011-0562, CVE-2011-0563, CVE-2011-0564, CVE-2011-0565, CVE-2011-0566, CVE-2011-0567, CVE-2011-0568, CVE-2011-0570, CVE-2011-0585, CVE-2011-0586, CVE-2011-0587, CVE-2011-0588, CVE-2011-0589, CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, CVE-2011-0594, CVE-2011-0595, CVE-2011-0596, CVE-2011-0598, CVE-2011-0599, CVE-2011-0600, CVE-2011-0602, CVE-2011-0603, CVE-2011-0604, CVE-2011-0605, CVE-2011-0606
"Critical vulnerabilities have been identified in Adobe Reader X (10.0) for Windows and Macintosh; Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system. Risk for Adobe Reader X users is significantly lower, as none of these issues bypass Protected Mode mitigations. Adobe recommends users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.0.1), available now. Adobe recommends users of Adobe Reader 9.4.1 for UNIX update to Adobe Reader 9.4.2, expected to be available by the week of February 28, 2011. For users of Adobe Reader 9.4.1 and earlier versions for Windows and Macintosh who cannot update to Adobe Reader X (10.0.1), Adobe has made available updates, Adobe Reader 9.4.2 and Adobe Reader 8.2.6. Adobe recommends users of Adobe Acrobat X (10.0) for Windows and Macintosh update to Adobe Acrobat X (10.0.1). Adobe recommends users of Adobe Acrobat 9.4.1 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.2, and users of Adobe Acrobat 8.2.5 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.6...
Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates...
Adobe Acrobat: Users can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates..."
- http://secunia.com/advisories/43207/
Release Date: 2011-02-09
Criticality level: Highly critical
Impact: Cross Site Scripting, Privilege escalation, System access
Where: From remote ...
Solution: Update to version 8.2.6, 9.4.2, or 10.0.1.
___
• Full Download/Updates-Programs/Add-ons...
- http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
___
ColdFusion - Hotfix available...
- http://www.adobe.com/support/security/bulletins/apsb11-04.html
February 8, 2011 - "Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to cross-site scripting, Session Fixation, CRLF injection and information disclosure... Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote:
- http://kb2.adobe.com/cps/890/cpsid_89094.html
- http://secunia.com/advisories/43264/
Release Date: 2011-02-09
Criticality level: Moderately critical
Impact: Cross Site Scripting, Exposure of sensitive information
Where: From remote...
Solution: Apply the Hotfix.
Original Advisory: Adobe (APSB11-04):
http://www.adobe.com/support/security/bulletins/apsb11-04.html
:fear::fear:
AplusWebMaster
2011-02-09, 04:31
FYI...
Adobe Flash Player - Security update
- http://www.adobe.com/support/security/bulletins/apsb11-02.html
February 8, 2011
CVE Numbers: CVE-2011-0558, CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0575, CVE-2011-0577, CVE-2011-0578, CVE-2011-0607, CVE-2011-0608
"Critical vulnerabilities have been identified in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.152.26..."
Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,2,152,26 installed"
- http://secunia.com/advisories/43267/
Release Date: 2011-02-09
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 10.2.152.26.
- http://www.securitytracker.com/id/1025055
Feb 9 2011
___
Shockwave Player - Security update
- http://www.adobe.com/support/security/bulletins/apsb11-01.html
February 8, 2011
CVE number: CVE-2010-2587, CVE-2010-2588, CVE-2010-2589, CVE-2010-4092, CVE-2010-4093, CVE-2010-4187, CVE-2010-4188, CVE-2010-4189, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, CVE-2010-4193, CVE-2010-4194, CVE-2010-4195, CVE-2010-4196, CVE-2010-4306, CVE-2010-4307, CVE-2011-0555, CVE-2011-0556, CVE-2011-0557, CVE-2011-0569
"Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions update to Adobe Shockwave Player 11.5.9.620... Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions upgrade to the newest version 11.5.9.620, available here:
- http://get.adobe.com/shockwave ..."
- http://www.securitytracker.com/id/1025056
Feb 9 2011
:fear::fear:
AplusWebMaster
2011-03-14, 23:37
FYI...
Flash 0-day targeted attacks...
- http://isc.sans.edu/diary.html?storyid=10549
Last Updated: 2011-03-14 20:09:26 UTC - "Adobe posted a security advisory*... These attacks seem to be particularly sneaky – the Flash exploit is embedded in an Excel file which is also used to setup memory so the exploit has a higher chance of succeeding. We will keep an eye on this and if the 0-day starts being used in the wild..."
___
- http://blog.trendmicro.com/excel-file-containing-adobe-zero-day-exploit-found/
Mar. 16, 2011
___
* http://www.adobe.com/support/security/advisories/apsa11-01.html
March 14, 2011 - "Summary: A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.13 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems. This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment... We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011..."
- http://secunia.com/advisories/43751/
Release Date: 2011-03-15
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe Flash Player 10.x
... The vulnerability is reportedly being actively exploited.
Solution: Adobe plans to release a fixed version during the week of March 21, 2011...
- http://secunia.com/advisories/43772
___
- http://www.us-cert.gov/current/#adobe_releases_security_advisory_for6
March 15, 2011
- http://www.kb.cert.org/vuls/id/192052
Last Updated: 2011-03-15
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Last revised: 03/15/2011
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.securitytracker.com/id/1025210
Mar 15 2011
- http://www.securitytracker.com/id/1025211
Mar 15 2011
:mad:
AplusWebMaster
2011-03-21, 17:07
FYI...
Flash 10.2 update - for Androids only...
- http://blogs.adobe.com/flashplayer/2011/03/flash-player-10-2-now-available-for-mobile-devices.html
March 18, 2011 - "... To see if your device is certified for Flash Player 10.2, visit:
- http://www.adobe.com/flashplatform/certified_devices/ ..."
___
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Last revised: 03/15/2011
CVSS v2 Base Score: 9.3 (HIGH)
___
- http://www.adobe.com/support/security/bulletins/apsb11-02.html
Last updated: March 18, 2011 - "... Adobe recommends users of Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.152.26..."
- http://www.adobe.com/support/security/advisories/apsa11-01.html
Last updated: March 18, 2011 - "... A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier... We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011..."
.
AplusWebMaster
2011-03-22, 03:41
FYI...
- http://www.adobe.com/support/security/advisories/apsa11-01.html
March 21, 2011 - Updated with information on Security Bulletin APSB11-05 and Security Bulletin APSB11-06
Flash Player v10.2.153.1 released
- http://www.adobe.com/support/security/bulletins/apsb11-05.html
March 21, 2011 - "A critical vulnerability has been identified in Adobe Flash Player 10.2.152.33 and earlier... Adobe recommends users of Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris operating systems update to Adobe Flash Player 10.2.153.1..."
Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,2,153,1 installed"
___
Adobe Reader, Acrobat updates released
- http://www.adobe.com/support/security/bulletins/apsb11-06.html
March 21, 2011 - "A critical vulnerability has been identified in the authplay.dll component that ships with Adobe Reader and Acrobat...
> Adobe recommends users of Adobe Reader X (10.0.1) for Macintosh update to Adobe Reader X (10.0.2). For users of Adobe Reader 9.4.2 for Windows and Macintosh, Adobe has made available the update, Adobe Reader 9.4.3...
> Adobe recommends users of Adobe Acrobat X (10.0.1) for Windows and Macintosh update to Adobe Acrobat X (10.0.2). Adobe recommends users of Adobe Acrobat 9.4.2 for Windows and Macintosh update to Adobe Acrobat 9.4.3...
> Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
> Adobe Reader 9.x users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
> Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
... Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011..."
___
- http://www.us-cert.gov/current/#adobe_releases_flash_player_update
March 21, 2011
- http://www.us-cert.gov/current/#adobe_releases_security_updates_for7
March 22, 2011
___
Adobe AIR ...
- http://www.securitytracker.com/id/1025238
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Date: Mar 22 2011
"... The vendor has issued a fix (2.6)..."
- http://get.adobe.com/air/
:fear::fear::fear:
AplusWebMaster
2011-03-23, 14:36
FYI...
PDF file loaded w/malware used in attack on Spotify...
- http://forums.spybot.info/showpost.php?p=398775&postcount=109
"... Blackhole Exploit Kit... One of the vulnerabilities the exploit kit uses is a vulnerability in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file..."
* http://www.virustotal.com/file-scan/report.html?id=a41b05120be3018082eff5d75811b166d1cf9dccb7c2ea3da3d42fd090c97acf-1301413767
File name: L9FPB1.pdf
Submission date: 2011-03-29 15:49:27 (UTC)
Result: 12/43 (27.9%)
___
Flash exploits in-the-wild - SPAM attachments...
- http://www.f-secure.com/weblog/archives/00002127.html
March 23, 2011 - "Attackers have been taking advantage of the situation in Japan to trick their targets into opening malicious files. These cases have used infected Excel attachments with Flash exploits... Another sample we've seen (md5:20ee090487ce1a670c192f9ac18c9d18) is an Excel file containing an embedded Flash object that exploits a known vulnerability (CVE-2011-0609). When the XLS file is opened, it shows an empty Excel spreadsheet and starts exploit code via a Flash object. The Flash object starts by doing a heap-spray... the Flash object constructs and loads a second Flash object in runtime... This second Flash object is the main exploit in this malware and it exploits CVE-2011-0609 to execute the shellcode in the heap... As an aside: the main exploit appears to have been delivered in this fashion in an attempt to evade detection. As it is loaded in memory, no physical file is available for scanning by an antivirus engine. Embedding the Flash object that loads the main exploit in an Excel file may be an attempt to further disguise the attack... users should update their Flash player as Adobe has already released a patch for this particular vulnerability. For more information, please see their security advisory*..."
(Screenshots available at the URL above.)
* http://forums.spybot.info/showpost.php?p=398407&postcount=28
Flash Player v10.2.153.1 released
- http://sunbeltblog.blogspot.com/2011/03/tips-for-avoiding-endless-japan.html
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Last revised: 03/15/2011
CVSS v2 Base Score: 9.3 (HIGH)
"... as exploited in the wild in March 2011..."
:fear::mad::spider:
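A defender-side triage check for the delivery method described in the post above (a Flash object embedded in an Excel or Word attachment), added here as an example and not part of the original thread or of any vendor's tooling. It scans a file's raw bytes for plausible SWF headers; the sanity bounds, the function names and the sample bytes are assumptions constructed for the illustration.

```python
"""Triage scan: look for embedded Flash (SWF) headers in a document's raw bytes."""
import struct
import zlib
from collections import namedtuple

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls compound file
SWF_SIGNATURES = (b"FWS", b"CWS")               # uncompressed / zlib-compressed SWF
# Assumed sanity bounds for this example, not values taken from the thread.
MAX_SWF_VERSION = 50
MIN_SWF_LEN = 9
MAX_SWF_LEN = 256 * 1024 * 1024

SwfHit = namedtuple("SwfHit", "offset kind version declared_length")


def is_ole2(data):
    """True if the buffer starts with the OLE2 compound-file magic."""
    return data.startswith(OLE2_MAGIC)


def _check_header(data, off):
    """Validate the 8-byte SWF header at `off`; return a SwfHit or None."""
    if off + 8 > len(data):
        return None
    kind = data[off:off + 3]
    version = data[off + 3]
    (declared,) = struct.unpack_from("<I", data, off + 4)  # little-endian length
    if not 1 <= version <= MAX_SWF_VERSION:
        return None
    if not MIN_SWF_LEN <= declared <= MAX_SWF_LEN:
        return None
    if kind == b"CWS":
        # Everything after the header must be a zlib stream; a bad stream
        # header raises zlib.error, which rules out a chance "CWS" match.
        try:
            out = zlib.decompressobj().decompress(data[off + 8:off + 8 + 4096], 64)
        except zlib.error:
            return None
        if not out:
            return None
    return SwfHit(off, kind.decode("ascii"), version, declared)


def scan_for_swf(data):
    """Return every plausible embedded SWF header in `data`, sorted by offset."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            off = data.find(sig, start)
            if off == -1:
                break
            start = off + 1
            hit = _check_header(data, off)
            if hit is not None:
                hits.append(hit)
    return sorted(hits)


def _build_sample():
    """Constructed, harmless sample: OLE2 magic, padding, two minimal SWF stubs
    and two decoys. It is not a valid spreadsheet and contains no exploit."""
    # Minimal SWF body: empty RECT, 24 fps, 1 frame, End tag.
    body = b"\x00" + b"\x00\x18" + b"\x01\x00" + b"\x00\x00"
    total = 8 + len(body)
    fws = b"FWS" + bytes([10]) + struct.pack("<I", total) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    decoy_bad_version = b"FWS" + b"\xff" + struct.pack("<I", total)
    decoy_bad_zlib = b"CWS" + bytes([9]) + struct.pack("<I", total) + b"not-zlib"
    return (OLE2_MAGIC + b"\x00" * 504 + b"Sheet1 data " + fws
            + decoy_bad_version + decoy_bad_zlib + cws + b" end of sample")


SAMPLE = _build_sample()

if __name__ == "__main__":
    print("OLE2 container:", is_ole2(SAMPLE))
    for hit in scan_for_swf(SAMPLE):
        print(hit)
```

A hit is a reason to send the attachment for closer analysis, not a verdict. An object split across non-contiguous OLE sectors or stored in an encoded form will not show up in a raw-byte scan like this one.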
AplusWebMaster
2011-04-12, 00:41
FYI...
Flash 0-day exploit in-the-wild ...
- http://krebsonsecurity.com/2011/04/new-adobe-flash-zero-day-being-exploited/
April 11, 2011 3:32 pm - "Attackers are exploiting a previously unknown security flaw in Adobe’s ubiquitous Flash Player software to launch targeted attacks, according to several reliable sources... the attacks exploit a vulnerability in fully-patched versions of Flash, and are being leveraged in targeted spear-phishing campaigns launched against select organizations and individuals that work with or for the U.S. government. Sources say the attacks so far have embedded the Flash exploit inside of Microsoft Word files made to look like important government documents... A scan of one tainted file used in this attack that was submitted to Virustotal.com* indicates that just one out of 42 anti-virus products used to scan malware at the service detected this thing as malicious..."
* http://www.virustotal.com/file-scan/report.html?id=1e677420d7a8160c92b2f44f1ef5eea1cf9b0b1a25353db7d3142b268893507f-1302359653
File name: Disentangling Industrial Policy and Competition Policy.doc
Submission date: 2011-04-09 14:34:13 (UTC)
Result: 1/42 (2.4%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=1e677420d7a8160c92b2f44f1ef5eea1cf9b0b1a25353db7d3142b268893507f-1304526431
File name: Disentangling Industrial Policy and Competition Policy.doc
Submission date: 2011-05-04 16:27:11 (UTC)
Result: 29/41 (70.7%)
Screenshot of malicious e-mail:
- http://regmedia.co.uk/2011/04/12/malicous_email.jpg
___
Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat
- http://www.adobe.com/support/security/advisories/apsa11-02.html
April 11, 2011
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611
A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system... We are in the process of finalizing a schedule for delivering updates...
Affected software versions:
• Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
• Adobe Flash Player 10.2.154.25 and earlier for Chrome users
• Adobe Flash Player 10.2.156.12 and earlier for Android
• The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems
NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue...
- http://secunia.com/advisories/44119/
Release Date: 2011-04-12
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... The vulnerability is currently being actively exploited via Office Word documents (.doc) containing malicious Flash content...
Original Advisory: Adobe:
http://blogs.adobe.com/psirt/2011/04/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-02.html
- http://secunia.com/advisories/44149/
Release Date: 2011-04-12
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... The vulnerability is caused due to a vulnerable bundled version of Flash Player (authplay.dll)...
- http://www.securitytracker.com/id/1025324
Apr 12 2011
- http://www.securitytracker.com/id/1025325
Apr 12 2011
:mad:
AplusWebMaster
2011-04-14, 12:48
FYI...
Flash, Reader, Acrobat critical updates scheduled...
- http://www.adobe.com/support/security/advisories/apsa11-02.html
April 13, 2011 - "... We... expect to make available an update for Flash... on Friday, April 15, 2011. We expect to make available an update for Adobe Acrobat... and Adobe Reader... no later than the week of April 25, 2011..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611
Last revised: 04/13/2011
CVSS v2 Base Score: 9.3 (HIGH)
"... as exploited in the wild in April 2011..."
:fear:
AplusWebMaster
2011-04-15, 21:54
FYI...
Flash Player v10.2.159.1 released
- http://www.adobe.com/support/security/bulletins/apsb11-07.html
April 15, 2011 - "A critical vulnerability has been identified in Adobe Flash Player 10.2.153.1 and earlier versions... Adobe recommends... update to Adobe Flash Player 10.2.159.1..."
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,2,159,1 installed"
:fear::fear:
AplusWebMaster
2011-04-20, 13:49
FYI...
Drive-by Flash cache attacks...
- http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/
19 April 2011 - "Miscreants have deployed a subtle variant of the well established drive-by-download attack tactics against the website of human rights organisation Amnesty International. In traditional drive-by-download attacks malicious code is planted on websites. This code redirects surfers to an exploit site, which relies on browser vulnerabilities or other exploits to download and execute malware onto visiting PCs. The attack on the Amnesty website, detected by security firm Armorize*, relied on a different sequence of events. In this case, malicious scripts are used to locate the malware which is already sitting in the browser's cache directory, before executing it. This so-called drive-by cache approach makes attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect. By bypassing this step dodgy sorts are more likely to slip their wares past security software undetected. The Amnesty International attack ultimately relied on an Adobe Flash zero-day exploit, patched by Adobe** late last week..."
* http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html
- http://www.virustotal.com/file-scan/report.html?id=2e498420acf149a2ea785bd798061d1e14b1b069e9abd83889da7e2f8d15c227-1303129354
File name: display[1].swf
Submission date: 2011-04-18 12:22:34 (UTC)
Result: 1/40 (2.5%)
** Flash Player v10.2.159.1 released
- http://forums.spybot.info/showpost.php?p=401253&postcount=32
:fear::mad::fear:
AplusWebMaster
2011-04-21, 22:35
FYI...
Adobe Reader/Acrobat security updates
- http://www.adobe.com/support/security/bulletins/apsb11-08.html
CVE number: CVE-2011-0611, CVE-2011-0610
April 21, 2011 - "Critical vulnerabilities have been identified in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems... Adobe recommends users of Adobe Reader X (10.0.2) for Macintosh update to Adobe Reader X (10.0.3). For users of Adobe Reader 9.4.3... update (to) Adobe Reader 9.4.4... Users on Windows and Macintosh can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates...
Adobe Reader 9.x users on Windows can also find the appropriate update here:
- http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
Adobe Reader 10.x and 9.x users on Macintosh can also find the appropriate update here:
- http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh ..."
- http://secunia.com/advisories/44149/
Last Update: 2011-04-22
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0610
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611
Last revised: 05/03/2011
CVSS v2 Base Score: 9.3 (HIGH)
Solution: Update to version 9.4.4 or 10.0.3
- http://www.securitytracker.com/id/1025434
Apr 22 2011
:fear::fear:
AplusWebMaster
2011-05-03, 14:23
FYI...
Adobe Photoshop CS5 12.0.4 released
- http://secunia.com/advisories/44419/
Release Date: 2011-05-03
Criticality level: Moderately critical
Impact: Unknown
Where: From remote ...
Software: Adobe Photoshop CS5 12.x
... The vulnerabilities are reported in versions -prior- to CS5 12.0.4.
Solution: Update to version CS5 12.0.4...
Original Advisory: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4973
"... A number of potential security vulnerabilities have been addressed..."
- http://www.securitytracker.com/id/1025483
May 4 2011
:fear:
AplusWebMaster
2011-05-13, 04:24
FYI...
APSB11-09 – Security update available for RoboHelp (Important Severity)
- http://www.adobe.com/support/security/bulletins/apsb11-09.html
APSB11-10 – Security update available for Audition (Critical Severity)
- http://www.adobe.com/support/security/bulletins/apsb11-10.html
APSB11-11 – Security update available for Flash Media Server (FMS) (Critical Severity)
- http://www.adobe.com/support/security/bulletins/apsb11-11.html
APSB11-12 – Security update available for Flash Player (Critical Severity)
- http://www.adobe.com/support/security/bulletins/apsb11-12.html
May 12, 2011
CVE number: CVE-2011-0589, CVE-2011-0618, CVE-2011-0619, CVE-2011-0620, CVE-2011-0621, CVE-2011-0622, CVE-2011-0623, CVE-2011-0624, CVE-2011-0625, CVE-2011-0626, CVE-2011-0627*
Platform: All Platforms
"Critical vulnerabilities have been identified... Adobe recommends users of Adobe Flash Player 10.2.159.1 and earlier versions... update to Adobe Flash Player 10.3.181.14..."
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,3,181,14 installed"
- http://www.securitytracker.com/id/1025533
May 13 2011 - "... One of the vulnerabilities [CVE-2011-0627] is being actively exploited on Windows-based systems via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file and delivered via email attachment..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0627
Last revised: 05/16/2011
CVSS v2 Base Score: 9.3 (HIGH)
"... before 10.3.181.14 on Windows..."
___
Local settings manager (new in desktop only)
- http://www.adobe.com/products/flashplayer/features/index.html
"... Flash Player 10.3 integrates control of local storage with the browser's privacy settings... Users can access the Flash Player Settings Manager directly from the Control Panel or System Preferences..."
___
- http://secunia.com/advisories/44480/ - RoboHelp
- http://www.securitytracker.com/id/1025530 - Audition
- http://secunia.com/advisories/44589/ - Flash Media Server
- http://secunia.com/advisories/44590/ - Flash
Release Date: 2011-05-13
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Original Advisory: Adobe (APSB11-12):
http://www.adobe.com/support/security/bulletins/apsb11-12.html
:fear:
AplusWebMaster
2011-05-13, 21:57
FYI...
> http://forums.spybot.info/showpost.php?p=404201&postcount=36
"... update to Adobe Flash Player 10.3.181.14..."
- http://www.securitytracker.com/id/1025533
May 13 2011 - "... One of the vulnerabilities [CVE-2011-0627*] is being actively exploited on Windows-based systems via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file and delivered via email attachment..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0627
Last revised: 05/13/2011
:fear::fear:
AplusWebMaster
2011-05-24, 19:58
FYI...
Adobe Photoshop v12.0.4 released
- http://securitytracker.com/id?1025483
Updated: May 23 2011
- http://secunia.com/advisories/44419/
"... vulnerabilities are reported in versions prior to CS5 12.0.4..."
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4973
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2164
Last revised: 05/24/2011
CVSS v2 Base Score: 10.0 (HIGH)
:fear:
AplusWebMaster
2011-06-06, 07:25
FYI...
Prenotification Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb11-16.html
June 9, 2011 - "Adobe is planning to release updates for Adobe Reader X (10.0.1) for Windows and Adobe Reader X (10.0.3) for Macintosh; Adobe Reader 9.4.3 and earlier versions for Windows and Macintosh; Adobe Acrobat X (10.0.3) for Windows and Macintosh; and Adobe Acrobat 9.4.2 and earlier versions for Windows and Macintosh to resolve critical security issues. Adobe expects to make these updates available on Tuesday, June 14, 2011..."
___
Flash v10.3.181.2x released
- http://www.adobe.com/support/security/bulletins/apsb11-13.html
Revisions:
June 8, 2011 - Updated with information on Adobe Reader and Acrobat
June 7, 2011 - Updated with information on Android update.
June 5, 2011 - CVE-2011-2107
"Summary: An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being actively exploited in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message...
Solution: Adobe recommends all users... update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX)..."
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
___
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2107
Last revised: 06/09/2011
- http://secunia.com/advisories/44846/
Impact: Cross Site Scripting
Where: From remote...
Solution: Update to Flash Player version 10.3.181.22 (10.3.181.23 for ActiveX).
- http://www.securitytracker.com/id/1025603
Jun 6 2011 - CVE-2011-2107
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Solution: The vendor has issued a fix (10.3.181.22; 10.3.181.23 for ActiveX; 10.3.185.22 for Android). The Android fix will be available the week of June 6, 2011.
:fear:
AplusWebMaster
2011-06-06, 20:27
FYI...
Hackers exploit Flash bug in new attacks against Gmail users
- http://www.computerworld.com/s/article/9217346/Hackers_exploit_Flash_bug_in_new_attacks_against_Gmail_users
June 6, 2011 - "Adobe today confirmed that the Flash Player bug it patched Sunday is being used to steal login credentials of Google's Gmail users... '... we cannot assume that other Web mail providers may not be targeted as well'..."
> http://forums.spybot.info/showpost.php?p=406713&postcount=39
:mad:
AplusWebMaster
2011-06-15, 02:07
FYI...
Adobe - multiple critical updates
Flash Player - critical update
- http://www.adobe.com/support/security/bulletins/apsb11-18.html
June 14, 2011 - "A critical vulnerability has been identified in Adobe Flash Player 10.3.181.23 and earlier versions... Adobe recommends... update to Adobe Flash Player 10.3.181.26... Note:... does -not- affect the Authplay.dll component that ships with Adobe Reader and Acrobat..."
CVE number: CVE-2011-2110
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2110
Last revised: 06/17/2011
CVSS v2 Base Score: 10.0 (HIGH)
- http://www.securitytracker.com/id/1025651
Jun 14 2011 - CVE-2011-2110
... This vulnerability is being actively exploited via targeted web pages.
Impact: A remote user can create Flash content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix 10.3.181.26*...
- http://secunia.com/advisories/44964/
Release Date: 2011-06-15
Criticality level: Extremely critical...
NOTE: The vulnerability is reportedly being actively exploited in targeted attacks... 10.3.181.23 and earlier...
Solution: Apply updates... (10.3.181.26)...
___
Reader and Acrobat - critical updates
- http://www.adobe.com/support/security/bulletins/apsb11-16.html
June 14, 2011 - "Critical vulnerabilities have been identified in Adobe Reader X (10.0.1) and earlier versions for Windows, Adobe Reader X (10.0.3) and earlier versions for Macintosh, and Adobe Acrobat X (10.0.3) and earlier...
Adobe recommends users of Adobe Reader X (10.0.3) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1). For users of Adobe Reader 9.4.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1), Adobe has made available updates, Adobe Reader 9.4.5 and Adobe Reader 8.3...
Adobe recommends users of Adobe Acrobat X (10.0.3) for Windows and Macintosh update to Adobe Acrobat X (10.1). Adobe recommends users of Adobe Acrobat 9.4.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.5, and users of Adobe Acrobat 8.2.6 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3... Users can utilize the product's update mechanism..."
CVE numbers: CVE-2011-2094, CVE-2011-2095, CVE-2011-2096, CVE-2011-2097, CVE-2011-2098, CVE-2011-2099, CVE-2011-2100, CVE-2011-2101, CVE-2011-2102, CVE-2011-2103, CVE-2011-2104, CVE-2011-2105, CVE-2011-2106
... before 8.3, 9.x before 9.4.5, and 10.x before 10.1...
- http://www.securitytracker.com/id/1025658
June 14 2011
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network...
Version(s): 8.x - 8.2.6, 9.x - 9.4.4, 10.x - 10.0.3
Solution: The vendor has issued a fix (8.3, 9.4.5, 10.1).
___
Shockwave Player - critical update
- http://www.adobe.com/support/security/bulletins/apsb11-17.html
June 14, 2011 - "Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.620 and earlier versions... Adobe recommends users of Adobe Shockwave Player 11.5.9.620 and earlier versions upgrade to the newest version 11.6.0.626, available here: http://get.adobe.com/shockwave/ "
CVE number: CVE-2011-0317, CVE-2011-0318, CVE-2011-0319, CVE-2011-0320, CVE-2011-0335, CVE-2011-2108, CVE-2011-2109, CVE-2011-2111, CVE-2011-2112, CVE-2011-2113, CVE-2011-2114, CVE-2011-2115, CVE-2011-2116, CVE-2011-2117, CVE-2011-2118, CVE-2011-2119, CVE-2011-2120, CVE-2011-2121, CVE-2011-2122, CVE-2011-2123, CVE-2011-2124, CVE-2011-2125, CVE-2011-2126, CVE-2011-2127
___
Hotfix available for ColdFusion
- http://www.adobe.com/support/security/bulletins/apsb11-14.html
June 14, 2011 - "Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to a cross-site request forgery (CSRF) or a remote denial-of-service (DoS). Adobe recommends users update their product...
Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote:
- http://kb2.adobe.com/cps/907/cpsid_90784.html ..."
CVE number: CVE-2011-0629, CVE-2011-2091
___
LiveCycle Data Services, LiveCycle ES, and BlazeDS - Security update
- http://www.adobe.com/support/security/bulletins/apsb11-15.html
June 14, 2011 - "Two important security vulnerabilities have been identified in LiveCycle Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.1 and earlier versions. Adobe recommends users update their product...
Solution... " Use the URL above for instructions and links.
CVE number: CVE-2011-2092, CVE-2011-2093
:fear::fear::fear::fear::fear:
AplusWebMaster
2011-06-29, 14:07
FYI...
- http://www.adobe.com/support/security/
No advisory posted - yet. (released in new version of Chrome)
Fixes in Flash Player 10.3.181.34
- http://kb2.adobe.com/cps/901/cpsid_90194.html#main_10.3.181.34
Jira bugs
[FP-###] denotes bugs that are filed in the Adobe Flash Player Bug and Issue Management System https://bugs.adobe.com/flashplayer
[FP-5317] Flash Player crashes when a high definition video is played in -any- browser (2848668)
[FP-6143] Flash app does not resize properly when wmode=transparent
[FP-6163] During 'Press Esc to exit full screen message' Flash player does not allow to load swf which loads another swf into SWFLoader. (2808217)
[FP-6198] url is being returned escaped in Flash Player 10.2, but wasn't in Flash Player 10.1 (2812702)
[FP-6230] DisplacementMapFilter doesn't work when movie is scaled (2814161)...
Browser...
Chrome: Printing SWFs is not enabled in Google Chrome. We are working with Google to address this issue. (2490502)
Safari: Printing SWFs is not enabled in Safari on Windows platforms. We are investigating this issue with Apple. (2490502)
Firefox: [FP-19322] In Firefox, a FaultEvent returns a status code of zero, ignoring the status returned by the web server (2827551)
Content Hero game at http://www.fishhf.com/ fails to load when using Firefox 3 (2834776)
When using Firefox 4 on Ubuntu Operating System, videos at new.music.yahoo.com fail to play (2840163)
Internet Explorer: [FP-6597] In Internet Explorer, tab navigation may stop working after tabbing to the end of Flash content (2849526)...
___
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
:fear:
AplusWebMaster
2011-07-18, 03:38
FYI...
60% of Adobe Reader users unpatched...
- http://www.darkreading.com/taxonomy/index/printarticle/id/231001642
Jul 13, 2011 - "Six out of every 10 users of Adobe Reader are running unpatched versions of the program, leaving them vulnerable to a variety of malware attacks... In a study of its own antivirus users, Avast Software found that 60.2 percent of those with Adobe Reader were running a vulnerable version of the program... More than 80 percent of Avast users run a version of Adobe Reader... Brad Arkin, senior director of product security and privacy at Adobe, agreed with the Avast analysis. "We find that most consumers don’t bother updating a free app, such as Adobe Reader, as PDF files can be viewed in the older version," he said... Malware PDF exploit packages will typically look for a variety of security weaknesses in the targeted computer, attacking when an uncovered vulnerability is discovered..."
:blink::fear:
AplusWebMaster
2011-08-10, 04:13
FYI...
> https://www.adobe.com/support/security/
Flash Player v10.3.183.5 released
- https://www.adobe.com/support/security/bulletins/apsb11-21.html
Last updated: August 12, 2011
Platform: All platforms
Summary: Critical vulnerabilities have been identified in Adobe Flash Player 10.3.181.36 and earlier versions... upgrade to the newest version 10.3.183.5...
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
CVSS Severity: 10.0 (HIGH)
"... before 10.3.183.5..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2130
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2134
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2135
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2136
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2137
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2138
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2139
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2140
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2414
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2415
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2416
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2417
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2424 - Last revised: 08/16/2011
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2425
___
Adobe AIR v2.7.1 released
- https://krebsonsecurity.com/2011/08/updates-for-adobe-flash-shockwave-air/
August 10, 2011 - "... flaws exist in Adobe AIR (before 2.7.1) for Windows, Mac and Android. Using an application that requires Adobe AIR (Tweetdeck or Pandora, for example) should prompt you to update to the latest version, AIR 2.7.1. If you don’t see a prompt to update the program, the latest version of AIR is available here*..."
* http://get.adobe.com/air/
___
Shockwave Player v11.6.1.629 released
- https://www.adobe.com/support/security/bulletins/apsb11-19.html
August 9, 2011
CVE number: CVE-2010-4308, CVE-2010-4309, CVE-2011-2419, CVE-2011-2420, CVE-2011-2421, CVE-2011-2422, CVE-2011-2423.
Platform: Windows and Macintosh
Summary: Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.0.626 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system... update to Adobe Shockwave Player 11.6.1.629... earlier versions upgrade to the newest version 11.6.1.629 available here:
- http://get.adobe.com/shockwave/
(Note: You may not have, want, or need Shockwave installed...)
Test Shockwave: https://www.adobe.com/shockwave/welcome/
___
Flash Media Server v4.0.3, v3.5.7 released
- https://www.adobe.com/support/security/bulletins/apsb11-20.html
August 9, 2011
Photoshop CS5 and CS5.1 updates available
- https://www.adobe.com/support/security/bulletins/apsb11-22.html
August 9, 2011
RoboHelp updates available
- https://www.adobe.com/support/security/bulletins/apsb11-23.html
August 9, 2011
:fear::spider::fear:
AplusWebMaster
2011-08-25, 17:34
FYI...
Flash Player 10.3 Release Notes
- http://kb2.adobe.com/cps/901/cpsid_90194.html
Flash Player v10.3.183.7
- http://kb2.adobe.com/cps/901/cpsid_90194.html#main_10.3.183.7
"Adobe Flash Player 10.3.183.7 addresses compatibility issues:
- Calls to gotoAndPlay() and gotoAndStop() no longer fail in some Flash applications which load shared libraries (2943612).
- TextField instances which specify a negative offset (x property contains a negative value) now correctly flow the text horizontally instead of vertically (2941680).
- Improved performance in some cases when displaying complex animations (2941931).
- MSI versions of the Flash Player Installer now properly install the Native Settings Manager control panel on Windows (2939928).
- Flash applications at certain websites (http://www.justin.tv, http://heylenmichel.de) now load correctly (2939645, 2944081)."
___
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
:fear:
AplusWebMaster
2011-09-14, 00:52
FYI...
Adobe Reader and Acrobat - critical updates
- https://www.adobe.com/support/security/bulletins/apsb11-24.html
September 13, 2011
CVE numbers: CVE-2011-1353, CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2441, CVE-2011-2442
"Critical vulnerabilities have been identified in Adobe Reader X (10.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system...
... Adobe recommends users of Adobe Reader X (10.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.1). For users of Adobe Reader 9.4.5 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.1), Adobe has made available updates, Adobe Reader 9.4.6 and Adobe Reader 8.3.1...
... Adobe recommends users of Adobe Acrobat X (10.1) for Windows and Macintosh update to Adobe Acrobat X 10.1.1. Adobe recommends users of Adobe Acrobat 9.4.5 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.6, and users of Adobe Acrobat 8.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3.1...
Note: Support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011...
Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates ..."
___
- http://h-online.com/-1342490
14 September 2011 - "... version 10.x offers an updated Adobe Approved Trust List (AATL) from which Adobe has removed all DigiNotar certificates. The 9.x versions don't yet dynamically update the AATL; this feature is planned to be included in future versions. Until then, users are advised to manually delete the certificates – Adobe has released instructions* on how to do so..."
* http://blogs.adobe.com/security/2011/09/diginotarremovalaatl.html
___
- http://www.securitytracker.com/id/1026044
Sep 13 2011
Impact: Execution of arbitrary code via network, User access via local system, User access via network...
Version(s): 8.x prior to 8.3.1, 9.x prior to 9.4.6, and 10.x prior to 10.1.1...
- https://secunia.com/advisories/45978/
Release Date: 2011-09-14
Criticality level: Highly critical
Impact: Security Bypass, Exposure of sensitive information, Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch...
:fear::fear:
AplusWebMaster
2011-09-21, 22:57
FYI...
Flash Player v10.3.183.10 released
- https://www.adobe.com/support/security/bulletins/apsb11-26.html
September 21, 2011
CVE number: CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429, CVE-2011-2430, CVE-2011-2444
Platform: All platforms
Summary: Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 10.3.183.10... Flash Player for Android... update to Adobe Flash Player for Android 10.3.186.7...
Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...
Flash test site: http://www.adobe.com/software/flash/about/
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2426
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2427
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2428
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2430
Last revised: 09/22/2011
"... before 10.3.183.10..."
CVSS v2 Base Score: 9.3 (HIGH)
- https://secunia.com/advisories/46113/
Release Date: 2011-09-22
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote...
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb11-26.html
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-32.html
- http://www.securitytracker.com/id/1026084
Sep 22 2011
___
Adobe Reader and Acrobat updated... to 10.1.1, 9.4.6, 8.3.1
- https://www.adobe.com/support/security/bulletins/apsb11-24.html
Revised: September 21, 2011 - "... These updates also incorporate the Adobe Flash Player updates as noted in Security Bulletin APSB11-21 and Security Bulletin APSB11-26..."
- https://www.adobe.com/support/security/bulletins/apsb11-21.html
- https://www.adobe.com/support/security/bulletins/apsb11-26.html
___
- https://www.us-cert.gov/current/#adobe_prenotification_security_advisory_for3
updated September 22, 2011
:fear::fear:
AplusWebMaster
2011-10-01, 19:21
FYI...
Adobe Photoshop Security Advisory APSA11-03
- https://www.adobe.com/support/security/advisories/apsa11-03.html
September 30, 2011
Platform: Windows
"... Critical vulnerabilities exist in Adobe Photoshop Elements 8.0 and earlier versions. These two buffer overflow vulnerabilities (CVE-2011-2443) could cause a crash and potentially allow an attacker to take control of the affected system... Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Photoshop Elements to date. Photoshop Elements 10 and Photoshop Elements 9 are not vulnerable to this issue. Because Adobe Photoshop 8 and earlier versions are no longer supported, Adobe recommends users upgrade to Photoshop Elements 10 or Photoshop Elements 9..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2443
Last revised: 10/05/2011
CVSS v2 Base Score: 9.3 (HIGH)
"... Adobe Photoshop Elements 8.0 and earlier..."
> http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop_elements&loc=en_us
> https://www.adobe.com/products/photoshop-elements/buying-guide.displayTab3.html
___
- https://secunia.com/advisories/46277/
Release Date: 2011-10-03
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Upgrade to version 10.
:fear:
AplusWebMaster
2011-10-05, 15:42
FYI...
Flash Player v11.0.1.152 released
- http://kb2.adobe.com/cps/919/cpsid_91932.html
October 4, 2011 - "... This release includes new features as well as enhancements and bug fixes related to security, stability, performance and device compatibility..."
New Features in Flash Player 11 and AIR 3
- http://kb2.adobe.com/cps/919/cpsid_91932.html#main_new_features
Known Issues
- http://kb2.adobe.com/cps/919/cpsid_91932.html#main_known_issues
System Requirements - Flash Player 11
- https://www.adobe.com/products/flashplayer/tech-specs.html
• Internet Explorer 7.0 and above, Mozilla Firefox 4.0 and above, Google Chrome, Safari 5.0 and above, Opera 11...
[Apparently -not- compatible with Firefox v3.6.23, possibly others.]
___
Downloads: https://www.adobe.com/special/products/flashplayer/fp_distribution3.html
Flash Player 11 (64 bit)
IE: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_active_x_64bit.exe
Flash Player 11 (32 bit)
IE: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
Firefox, other Plugin-based browsers: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
Flash test site: http://www.adobe.com/software/flash/about/
___
- http://nakedsecurity.sophos.com/2011/10/06/adobe-flash-player-11-and-reader-security-interview-with-brad-arkin/
October 6, 2011 - "... Flash applications will now be able to use SSL socket connections to securely communicate over the network. Flash Player will now provide access to your operating system's cryptography APIs... This enables the use of a proper pseudo-random number generator for instances where greater security is required.
Flash is now available in a 64 bit binary as well, and will take advantage of 64 bit ASLR (Address Space Layout Randomization) where available..."
- http://blogs.adobe.com/asset/2011/09/flash-player-11-privacy-and-security-updates.html
___
- https://isc.sans.edu/diary.html?storyid=11731
Oct 04 2011
:fear:
AplusWebMaster
2011-10-22, 04:50
FYI...
Flash click-jacking exploit...
- https://isc.sans.edu/diary.html?storyid=11857
Last Updated: 2011-10-21 - "... a blog post about a vulnerability in Flash that allows for a click jacking attack to turn on the client's camera and microphone. The attack is conceptually similar to the original click jacking attack presented in 2008. Back then Flash adjusted the control panel. The original attack "framed" the entire Flash control page. To prevent the attack, Adobe added frame busting code to the settings page. Feross' attack doesn't frame the entire page, but instead includes just the SWF file used to adjust the settings, bypassing the frame busting JavaScript in the process.
Update: Adobe fixed the problem. The fix does not require any patches for client side code. Instead, Adobe modified the control page and applet that users load from Adobe's servers. Details from Adobe:
- http://blogs.adobe.com/psirt/2011/10/clickjacking-issue-in-adobe-flash-player-settings-manager.html
"... We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website..."
> http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
___
- http://blogs.adobe.com/psirt/2011/10/next-quarterly-security-update-for-adobe-reader-and-acrobat.html
October 21, 2011 - "The next quarterly security update for Adobe Reader and Acrobat has been rescheduled for January 10, 2012."
:fear::fear:
AplusWebMaster
2011-11-09, 03:01
FYI...
Shockwave v11.6.3.633 released
- https://www.adobe.com/support/security/bulletins/apsb11-27.html
November 8, 2011
CVE number: CVE-2011-2446, CVE-2011-2447, CVE-2011-2448, CVE-2011-2449
Platform: Windows and Macintosh
Summary: Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.1.629 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and earlier versions update to Adobe Shockwave Player 11.6.3.633... available here:
- http://get.adobe.com/shockwave/ ..."
___
- http://www.securitytracker.com/id/1026288
Date: Nov 8 2011
CVE Reference: CVE-2011-2446, CVE-2011-2447, CVE-2011-2448, CVE-2011-2449
Impact: Execution of arbitrary code via network, User access via network
Version(s): 11.6.1.629 and prior
... The vendor has issued a fix (11.6.3.633)...
- https://secunia.com/advisories/46667/
Release Date: 2011-11-09
Criticality level: Highly critical
Impact: System access
Where: From remote ...
... vulnerabilities are reported in versions 11.6.1.629 and prior.
Solution: Update to version 11.6.3.633...
:fear:
AplusWebMaster
2011-11-11, 04:58
FYI...
Flash Player v11.1.102.55 || AIR v3.1.0.4880 released
- https://www.adobe.com/support/security/bulletins/apsb11-28.html
November 10, 2011 - "Critical vulnerabilities have been identified in Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.0.1.153 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.55. Users of Adobe Flash Player 11.0.1.153 and earlier versions for Android should update to Adobe Flash Player 11.1.102.59 for Android.
Users of Adobe AIR 3.0 for Windows, Macintosh, and Android should update to Adobe AIR 3.1.0.4880...
For users who cannot update to Flash Player 11.1.102.55, Adobe has developed a patched version of Flash Player 10, Flash Player 10.3.183.11*...
Users of Adobe Flash Player 11.0.1.153 and earlier versions for Android should update to Adobe Flash Player 11.1.102.59 for Android by browsing to the Android Marketplace on an Android device."
CVE number: CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460
Platform: All Platforms
Release notes: http://kb2.adobe.com/cps/923/cpsid_92359.html#main_new_features
___
Flash downloads: https://www.adobe.com/special/products/flashplayer/fp_distribution3.html
Flash Player 11 (64 bit)
IE: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_active_x_64bit.exe
Flash Player 11 (32 bit)
IE: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
Firefox, other Plugin-based browsers: http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
Flash v10.3.183.11:
IE:
http://download.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_10_active_x.exe
*Firefox v3.6.4, some other browsers:
http://download.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_10.exe
Flash test site: http://www.adobe.com/software/flash/about/
___
AIR latest version is available here: http://get.adobe.com/air/
___
- https://secunia.com/advisories/46818/
Release Date: 2011-11-11
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote...
... vulnerabilities are reported in the following products:
* Adobe Flash Player versions 11.0.1.152 and prior for Windows, Macintosh, Linux, and Solaris
* Adobe Flash Player versions 11.0.1.153 and prior for Android
* Adobe AIR versions 3.0 for Windows, Macintosh, and Android
Solution: Update to a fixed version.
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb11-28.html
- http://www.securitytracker.com/id/1026314
Date: Nov 11 2011
Impact: Execution of arbitrary code via network, User access via network...
Fix Available: Yes...
Version: 11.0.1.152 and prior...
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2445
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2450
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2451
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2452
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2453
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2454
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2455
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2456
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2457
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2458
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2459
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2460
CVSS v2 Base Score: 10.0 (HIGH)
"... Flash Player before 10.3.183.11 and 11.x before 11.1.102.55..."
AplusWebMaster
2011-12-02, 14:27
FYI...
Adobe Flex SDK security update available
- https://www.adobe.com/support/security/bulletins/apsb11-25.html
CVE number: CVE-2011-2461
Platform: Windows, Macintosh and Linux
November 30, 2011 - "... An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems:
All Web-based (-not- AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A and 3.6) may be vulnerable.
Web-based (-not- AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5 and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable.
Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) are not vulnerable; however, there are rare cases in which they may be vulnerable. To determine whether an application is vulnerable, customers should use the SWF patching tool described in the tech note*.
This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided as outlined in the tech note* ..."
* http://www.adobe.com/go/flexsecuritytechnote
___
- https://secunia.com/advisories/47053/
Release Date: 2011-12-01
Impact: Cross Site Scripting
Where: From remote
CVE Reference: CVE-2011-2461
Original Advisory: Adobe (APSB11-25):
http://www.adobe.com/support/security/bulletins/apsb11-25.html
http://kb2.adobe.com/cps/915/cpsid_91544.html
- http://www.securitytracker.com/id/1026361
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2461
Date: Dec 1 2011
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Adobe Flex application, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix. The vendor recommends that users verify their SWF applications to ensure they are not affected.
The vendor's advisory is available at:
http://www.adobe.com/support/security/bulletins/apsb11-25.html
:fear:
AplusWebMaster
2011-12-07, 00:11
FYI...
Adobe Reader/Acrobat Security Advisory - APSA11-04
- http://www.adobe.com/support/security/advisories/apsa11-04.html
December 6, 2011
Summary: "A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011. Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012. We are planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012. For further context on this schedule, please see the corresponding ASSET blog* post."
* http://blogs.adobe.com/asset/2011/12/background-on-cve-2011-2462.html
December 6, 2011
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2462
Last revised: 12/08/2011
CVSS v2 Base Score: 10.0 (HIGH)
"... as exploited in the wild in December 2011..."
- http://h-online.com/-1391441
7 December 2011
Reader 0-day exploit in-the-wild...
- http://www.symantec.com/connect/fr/blogs/adobe-reader-zero-day-being-exploited-wild
___
- http://www.securitytracker.com/id/1026376
Dec 6 2011
Impact: Execution of arbitrary code via network, User access via network
... A remote user can create a specially crafted PDF file that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system. The code will run with the privileges of the target user...
- https://secunia.com/advisories/47133/
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
CVE Reference: CVE-2011-2462
Solution: Do not open untrusted PDF files. A fix is scheduled to be released for Adobe Reader and Acrobat 9.x for Windows in the week of December 12, 2011.
Provided and/or discovered by: Reported as a 0-day.
Original Advisory: http://www.adobe.com/support/security/advisories/apsa11-04.html
:fear:
AplusWebMaster
2011-12-08, 14:59
FYI...
Flash Player 0-day vulns - unpatched
- http://www.securitytracker.com/id/1026392
Date: Dec 8 2011
Impact: Execution of arbitrary code via network, User access via network...
Version(s): 11.1.102.55 and prior versions
Description: Two vulnerabilities were reported in Adobe Flash Player. A remote user can cause arbitrary code to be executed on the target user's system...
Impact: A remote user can create Flash content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: No solution was available at the time of this entry.
___
- http://arstechnica.com/business/news/2011/12/another-adobe-flash-zero-day-for-sale-by-security-software-vendor.ars
December 8, 2011 - "InteVyDis, a Russian firm specializing in packaging software security exploits, has released a software module that can give a remote computer access to an up-to-date Windows 7 machine running the most recent version of Adobe Flash Player 11..."
___
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4693
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4694
CVSS v2 Base Score: 9.3 (HIGH)
Original release date: 12/07/2011
Last revised: 12/13/2011
- https://isc.sans.edu/diary.html?storyid=12166
Last Updated: 2011-12-08 21:52:32 UTC
- https://secunia.com/advisories/47161/
Release Date: 2011-12-08
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... vulnerability is reported in version 11.1.102.55. Other versions may also be affected.
Solution: Do not browse untrusted sites or disable the player.
Original Advisory:
- http://archives.neohapsis.com/archives/dailydave/2011-q4/0081.html
Dec 06 2011 - "... bypasses DEP/ASLR and works on Win7/WinXP with FF, Chrome and IE..."
:fear::fear:
AplusWebMaster
2011-12-14, 07:22
FYI...
ColdFusion - hotfix...
- https://www.adobe.com/support/security/bulletins/apsb11-29.html
December 13, 2011
CVE number: CVE-2011-2463, CVE-2011-4368
"Summary: Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to a cross-site scripting attack. Adobe recommends users update their product installation...
Affected software versions: ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote:
- http://kb2.adobe.com/cps/925/cpsid_92512.html ..."
- http://www.securitytracker.com/id/1026405
Dec 13 2011
:fear:
AplusWebMaster
2011-12-16, 21:14
FYI...
- https://www.adobe.com/support/security/bulletins/apsb12-01.html
January 6, 2012 - "Adobe is planning to release updates for Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh to resolve critical security issues. These updates will include fixes for CVE-2011-2462 and CVE-2011-4369... available on Tuesday, January 10, 2012..."
___
Adobe Reader/Acrobat v9.4.7 released
- https://www.adobe.com/support/security/bulletins/apsb11-30.html
Release date: December 16, 2011
CVE numbers:
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2462
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4369
CVSS v2 Base Score: 10.0 (HIGH)
"... Reader and Acrobat 9.x before 9.4.7... as exploited in the wild in December 2011..."
"... updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows. Adobe recommends users of Adobe Reader 9.4.6 and earlier... update to Adobe Reader 9.4.7. Adobe recommends users of Adobe Acrobat 9.4.6 and earlier... update to Adobe Acrobat 9.4.7... Users can utilize the product's update mechanism..."
___
- http://www.symantec.com/security_response/threatconlearn.jsp
Updated: Dec 21 - "... For the period of December 8, 2011 through December 20, 2011, Symantec intelligence products have detected a total of -780- attempted exploits of CVE-2011-2462*..."
___
- https://secunia.com/advisories/47133/
Last Update: 2011-12-16
Criticality level: Extremely critical
Solution: Update to version 9.4.7 for Windows. Fixes are scheduled for Adobe Reader/Acrobat X and Adobe Reader for Unix 9.x for January 10, 2012...
- http://h-online.com/-1397440
17 December 2011
:fear::fear: