Sun Solaris Adobe Flash Player Multiple vuln - update available
FYI...
Sun Solaris Adobe Flash Player Multiple vuln - update available
- http://secunia.com/advisories/36518/2/
Release Date: 2009-09-03
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
OS: Sun Solaris 10
Solution: Apply patches.
-- SPARC Platform --
Solaris 10: Apply patch 125332-07 or later.
OpenSolaris: Fixed in builds snv_121 and later.
-- x86 Platform --
Solaris 10: Apply patch 125333-07 or later.
OpenSolaris: Fixed in builds snv_121 and later.
Original Advisory:
http://sunsolve.sun.com/search/docum...=1-66-266108-1
"... issues can occur in Adobe Flash Player 9.0.159.0 and earlier 9.x versions and 10.0.22.87 and earlier 10.x versions..."
:fear:
Adobe Reader/Acrobat vuln - unpatched
FYI...
Adobe Reader/Acrobat vuln - unpatched
- http://blogs.adobe.com/psirt/2009/10...t_issue_1.html
October 8, 2009 - "Adobe is aware of reports of a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows. Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update*, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date..."
* http://www.adobe.com/support/securit...apsb09-15.html
- http://secunia.com/advisories/36983/2/
Release Date: 2009-10-09
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
- http://blog.trendmicro.com/new-adobe-zero-day-exploit/
Oct. 9, 2009 - "... users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:
1. Run Acrobat or Adobe Reader.
2. Go to Edit > Preferences.
3. Select JavaScript under the Categories tab.
4. Uncheck the “Enable Acrobat JavaScript” option.
5. Click OK..."
:fear:
Adobe Reader 9.2 and Acrobat 9.2 released
FYI...
Adobe Reader 9.2 and Acrobat 9.2 released
- http://www.adobe.com/support/securit...apsb09-15.html
October 13, 2009 - "... This update resolves a heap overflow vulnerability that could lead to code execution (CVE-2009-3459*)... Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX...
Solution:
Adobe Reader
- Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
- Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh
- Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloa...&platform=Unix
Acrobat
- Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
- Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
- Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
- Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh ..."
* http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3459
Last revised: 10/13/2009
CVSS v2 Base Score: 9.3 (HIGH)
Adobe Plugs 29 Critical Reader, Acrobat Holes
- http://voices.washingtonpost.com/sec...reader_ac.html
October 13, 2009
CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462
- http://blogs.adobe.com/psirt/2009/10...rity_upda.html
October 13, 2009
:fear:
Adobe Shockwave Player v11.5.2.602 released
FYI...
Adobe Shockwave Player v11.5.2.602 released
- http://www.adobe.com/support/securit...apsb09-16.html
Release date: November 3, 2009
Affected software versions: Shockwave Player 11.5.1.601 and earlier versions
Solution: Adobe recommends Shockwave Player users install Shockwave Player version 11.5.2.602 available here:
http://get.adobe.com/shockwave/
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations...
CVE number:
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3244
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3463
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3464
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3465
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3466
Platform: Windows and Macintosh
Once again, still ...
- http://voices.washingtonpost.com/sec..._for_adob.html
"... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."
Test site:
- http://www.adobe.com/shockwave/welcome/
- http://secunia.com/advisories/37214/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 11.5.2.602...
- http://news.techworld.com/security/3...e-player-bugs/
"... installed on some 450 million PCs..."
:fear:
Flash Player update - pre-notification of Security Update
FYI...
Pre-Notification - Security Update for Adobe Flash Player
- http://www.adobe.com/support/securit...apsb09-19.html
December 3, 2009 - "Adobe is planning to release an update for Adobe Flash Player 10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and earlier versions, to resolve critical security issues. Adobe expects to make these updates available on December 8, 2009...
Affected software versions:
Adobe Flash Player 10.0.32.18 and earlier versions
Adobe AIR 1.5.2 and earlier versions
Severity rating: Adobe categorizes these as critical updates."
Also see: Adobe Illustrator
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-4195
- http://www.adobe.com/support/securit...apsa09-06.html
December 07, 2009 - "... Adobe plans to make available an update to Adobe Illustrator to resolve the issue by January 8, 2010. Adobe recommends customers avoid opening .eps files from unknown or untrusted sources in Illustrator until a patch is available..."
:fear:
Flash Player v10.0.42.34 released
FYI...
Flash Player v10.0.42.34 released
- http://www.adobe.com/support/securit...apsb09-19.html
December 8, 2009 - "... All Platforms...
Affected software versions:
Adobe Flash Player 10.0.32.18 and earlier versions
Adobe AIR 1.5.2 and earlier versions...
Adobe recommends all users of Adobe Flash Player 10.0.32.18 and earlier versions upgrade to the newest version 10.0.42.34 by downloading it from the Flash Player Download Center or by using the auto-update mechanism within the product when prompted...
CVE numbers: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951 ..."
- http://www.adobe.com/support/securit...apsb09-19.html
Revisions: December 10, 2009 - Bulletin updated with corrected version numbers in Details section and link to Flash Player 9 under Solution.
"... For users who cannot update to Adobe Flash Player 10, Adobe has developed a patched version of Adobe Flash Player 9, Adobe Flash Player 9.0.260, which can be downloaded from the following link:
http://www.adobe.com/go/kb406791 "
- http://get.adobe.com/flashplayer/
Browser: Firefox, Safari, Opera - install_flash_player.exe
- http://get.adobe.com/flashplayer/otherversions/
Internet Explorer - install_flash_player_ax.exe
- http://get.adobe.com/air/
- http://secunia.com/advisories/37584/2/
Release Date: 2009-12-09
Critical: Highly critical
Impact: Exposure of system information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x, Adobe Flash Player 10.x ...
Solution: Update to Flash Player version 10.0.42.34 and AIR version 1.5.3...
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb09-19.html
:fear:
0-day Adobe Reader and Acrobat exploit in the wild
FYI...
0-day Adobe Reader and Acrobat exploit in the wild
- http://www.symantec.com/connect/blog...y-xmas-present
December 14, 2009 - "Earlier today, we received a tip from a source that there is a possible Adobe Reader and Acrobat 0-day vulnerability in the wild. We have indeed -confirmed- the existence of a 0-day vulnerability in these products. The PDF files we discovered arrives as an email attachment. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H*. We have reported our findings to Adobe who have acknowledged the vulnerability in this blog**..."
* http://www.symantec.com/business/sec...121422-3337-99
** http://blogs.adobe.com/psirt/2009/12...acrobat_v.html
December 14, 2009 - "... vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324)..."
- http://secunia.com/advisories/37690/2/
Last Update: 2009-12-16
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe Acrobat 9.x, Adobe Reader 9.x ...
...Fixed versions will reportedly be available by January 12, 2010*..."
* http://www.adobe.com/support/securit...apsa09-07.html
- http://www.shadowserver.org/wiki/pmw...endar/20091214
December 14, 2009 - "... this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself...
Disable JavaScript. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
... we strongly recommend you disable JavaScript..."
:fear::fear:
Security Advisory for Adobe Reader and Acrobat
FYI...
Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/securit...apsa09-07.html
December 15, 2009 - "... Adobe has confirmed a -critical- vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions... Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue...
Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote* for more information. Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK
Customers using Microsoft DEP ("Data Execution Prevention") functionality available in certain versions of Microsoft Windows are at reduced risk..."
* http://kb2.adobe.com/cps/532/cpsid_53237.html
:fear:
0-day Adobe Reader/Acrobat updated...
FYI...
(0-day ...updated) Adobe Reader/Acrobat memory corruption vulns
- http://secunia.com/advisories/37690/
Last Update: 2009-12-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
Software: Adobe Acrobat... Reader...
Description:
-Two- vulnerabilities have been reported in Adobe Reader and Acrobat, which can be exploited by malicious people to compromise a user's system.
1) An error in the implementation of the "Doc.media.newPlayer()" JavaScript method can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file.
NOTE: This vulnerability is currently being actively exploited.
2) An array indexing error exists in 3difr.x3d when processing U3D CLOD Mesh Declaration blocks. This can potentially be exploited to corrupt memory and execute arbitrary code via a PDF file containing a specially crafted U3D model.
The vulnerabilities are confirmed in version 9.2. Other versions may also be affected...
- http://secunia.com/advisories/37690/2/
"... Solution:
> Do not open untrusted PDF files. Do not browse untrusted websites or follow untrusted links.
> Use the JavaScript Blacklist functionality* to block the "Doc.media.newPlayer()" method. Please see the vendor's advisory for more information.
> Versions fixing vulnerability #1 will reportedly be available by January 12, 2010...
2009-12-29: Added vulnerability #2 to the advisory..."
* http://www.adobe.com/support/securit...apsa09-07.html
"... Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat..."
:fear::fear:
Adobe Reader v9.3 released
FYI...
Adobe Reader v9.3 released
- http://www.adobe.com/support/securit...apsb10-02.html
January 12, 2010 - "... Adobe recommends users of Adobe Reader 9.2 and Acrobat 9.2 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3 and Acrobat 9.3. Adobe recommends users of Acrobat 8.1.7 and earlier versions for Windows and Macintosh update to Acrobat 8.2. For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3, Adobe has provided the Adobe Reader 8.2 update. Updates apply to all platforms: Windows, Macintosh and UNIX...
- http://get.adobe.com/reader
CVE numbers: CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3956, CVE-2009-3957, CVE-2009-3958, CVE-2009-3959, CVE-2009-4324
Platform: All ...
Severity rating:
Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."
Release notes:
- http://kb2.adobe.com/cps/520/cpsid_52073.html
- http://secunia.com/advisories/38138/2/
Release Date: 2010-01-13 - "... Support has ended for Adobe Reader 7.x and Acrobat 7.x on Windows, Macintosh, and UNIX...
Solution: ...Upgrade to version 8.2 or 9.3..."
:fear::fear: