-
Adobe Black Tuesday - Jan 2012
FYI...
Adobe Black Tuesday
- https://isc.sans.edu/diary.html?storyid=12364
Last Updated: 2012-01-10 19:38:39 UTC - "Adobe has released 1 bulletin today (Reader & Acrobat: Update to 10.1.2 or 9.5) ...
- http://www.adobe.com/support/securit...apsb12-01.html
• http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-2462 - 10.0 (HIGH)
• http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-4369 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-2470 - 4.3
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-4371 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-4372 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-4373 - 7.5 (HIGH)
Critical ... Users can utilize the product's update mechanism... Help > Check for Updates..."
- https://secunia.com/advisories/45852/
Last Update: 2012-01-16
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Update to version 9.5 or 10.1.2.
:fear:
-
Shockwave Player v11.6.4.634 released
FYI...
Shockwave Player v11.6.4.634 released
- https://www.adobe.com/support/securi...apsb12-02.html
Feb 14, 2012
CVE number: CVE-2012-0757, CVE-2012-0758, CVE-2012-0759, CVE-2012-0760, CVE-2012-0761, CVE-2012-0762, CVE-2012-0763, CVE-2012-0764, CVE-2012-0766
- http://web.nvd.nist.gov/view/vuln/search - (ALL rated CVSS Severity: 10.0 HIGH)
Platform: Windows and Macintosh
Summary: This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.3.633 and earlier versions update to Adobe Shockwave Player 11.6.4.634
... available here: http://get.adobe.com/shockwave/ .
Security update available for RoboHelp for Word
* https://www.adobe.com/support/securi...apsb12-04.html
February 14, 2012
CVE number: CVE-2012-0765
Platform: Windows
Summary: This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows. A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word. Adobe recommends users update their product installation using the instructions (at the URL above*)...
:fear::fear:
-
Flash Player v11.1.102.62 released
FYI...
Flash Player v11.1.102.62 released
- https://www.adobe.com/support/securi...apsb12-03.html
Feb 15, 2012
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0751
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0752
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0753
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0754
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0755
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0756
( -ALL- CVSS v2 Base Score: 10.0 HIGH )
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0767 - 4.3 Last revised: 02/25/2012
Platform: All Platforms
Summary: This update addresses critical vulnerabilities in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only). Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6... For users who cannot update to Flash Player 11.1.102.62, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.15...
Download
>> https://www.adobe.com/products/flash...ribution3.html
- https://market.android.com/details?i...shplayer&hl=en
Flash Player Android...
___
- https://secunia.com/advisories/48033/
Release Date: 2012-02-16
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
... reportedly being actively exploited in targeted attacks.
Original Advisory:
http://www.adobe.com/support/securit...apsb12-03.html
- http://www.securitytracker.com/id/1026694
Date: Feb 16 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network...
:fear::fear:
-
Adobe exploits-in-the-wild...
FYI...
Flash Player v11.1.102.62 update
- http://www.symantec.com/security_res...atconlearn.jsp
Feb 24, 2012 - "On February 15, 2012, Adobe released a patch for Flash Player fixing vulnerabilities on all platforms. One of these is a cross-site scripting (XSS) vulnerability that is being exploited in the wild through links in emails (CVE-2012-0767*, BID 52040). A cross-site scripting vulnerability can allow an attacker to make HTTP requests masquerading as the affected user. Since this vulnerability was reported by Google, it is likely that it has been used in attempted attacks on Gmail accounts - similarly to the XSS vulnerability exploited in June 2011 to infiltrate victims' Gmail accounts (CVE-2011-2107). An attacker must entice a user into visiting a malicious link in the email to trigger the vulnerability. Customers are advised to install applicable updates as soon as possible.
Adobe Security Bulletin: Security update available for Adobe Flash Player ..."
http://forums.spybot.info/showpost.p...3&postcount=60
* http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0767
Last revised: 02/25/2012 - "... before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x... as exploited in the wild in February 2012"
:fear::fear:
-
Flash Player v11.1.102.63 critical update - 2012.03.05
FYI...
Flash Player v11.1.102.63 critical update
- https://www.adobe.com/support/securi...apsb12-05.html
March 5, 2012
CVE number:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0768 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0769 - 5.0
Platform: All Platforms
Summary: "These priority 2 updates address critical vulnerabilities in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.63. Users of Adobe Flash Player 11.1.115.6 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.7. Users of Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.7... For users who cannot update to Flash Player 11.1.102.63, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.16..."
___
Download:
The normal distribution site has been updated to the latest versions (@ 3.06.2012 15:45est):
- https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
___
- https://secunia.com/advisories/48281/
Release Date: 2012-03-06
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote...
Solution: Update to a fixed version...
- http://www.securitytracker.com/id/1026761
Date: Mar 6 2012
CVE Reference: CVE-2012-0768, CVE-2012-0769
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): prior to 11.1.102.63; prior to 11.1.111.7 and 11.1.115.7 for Android
:fear::fear:
-
Flash exploit released ...
FYI...
Flash exploit released...
- http://atlas.arbor.net/briefs/index#-957676977
Severity: Elevated Severity
Published: Thursday, March 08, 2012 20:33
An exploit for a month-old Adobe Flash vulnerability has been released to the public. Ensure systems are protected.
Analysis: This security vulnerability, patched on Feb 15th, was used in a targeted attack around March 5th
- http://contagiodump.blogspot.com/201...s-oil-and.html *
... and now a Metasploit module has been released to the public. Given the widespread install base of Flash, users are strongly encouraged to ensure that patching has taken place. Now that the code is public, it will likely be used in commodity exploit kits very soon to install malware."
* http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0754 - 10.0 (HIGH)
* https://www.virustotal.com/file/6836...ca62/analysis/
File name: us.exe
Detection ratio: 27/43
Analysis date: 2012-03-07 16:19:36 UTC
* https://www.virustotal.com/file/d018...is/1331313285/
File name: CVE-2012-0744-xls.swf
Detection ratio: 8/43
Analysis date: 2012-03-09 17:14:45 UTC
* https://www.virustotal.com/file/b3a9...f4a4/analysis/
File name: 12e36f86ce54576cc38b2edfd13e3a5aa6c8d51c.bin
Detection ratio: 24/43
Analysis date: 2012-03-10 23:57:50 UTC
>> http://forums.spybot.info/showpost.p...7&postcount=62
:fear::fear::sad:
-
ColdFusion security update - Hotfix available...
FYI...
ColdFusion security update - Hotfix available
- https://www.adobe.com/support/securi...apsb12-06.html
March 13, 2012 - "... important vulnerability in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. This vulnerability could lead to a denial of service attack using a hash algorithm collision. Adobe has provided a solution to address the reported vulnerability. It is recommended that users update their product installation using the instructions provided in the "Solution" section... This update resolves a denial of service attack using a hash algorithm collision ( http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0770 )...
Affected software versions: ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote: http://helpx.adobe.com/coldfusion/kb...ty-hotfix.html ..."
- https://secunia.com/advisories/48393/
Release Date: 2012-03-14
:fear:
-
Flash Player v11.2.202.228 released
FYI...
Flash Player v11.2.202.228 released
- https://www.adobe.com/support/securi...apsb12-07.html
March 28, 2012
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0772 - 10.0 (HIGH)
Last revised: 03/29/2012
"Summary: An unspecified ActiveX control in Adobe Flash Player before 10.3.183.18 and 11.x before 11.2.202.228, and AIR before 3.2.0.2070..."
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0773 - 10.0 (HIGH)
Last revised: 03/29/2012
"Summary: The NetStream class in Adobe Flash Player before 10.3.183.18 and 11.x before 11.2.202.228, and AIR before 3.2.0.2070..."
Platform: All Platforms
Summary: These priority 2 updates address critical vulnerabilities in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system...
Solution: Adobe recommends users of Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.228... Users of Adobe Flash Player 11.1.102.63 and earlier versions for Solaris should update to Adobe Flash Player 11.2.202.223... Windows users and users of Adobe Flash Player 10.3.183.16 or later for Macintosh can install the update via the update mechanism within the product when prompted. For users who cannot update to Flash Player 11.2.202.228, Adobe has developed a patched version of Flash Player 10.3, Flash Player 10.3.183.18... Android 3.x and earlier versions should update to Flash Player 11.1.111.8 by browsing to the Android Marketplace on an Android device. Users of Adobe AIR 3.1.0.4880 for Windows, Macintosh and Android should update to Adobe AIR 3.2.0.2070...
Download: https://www.adobe.com/products/flash...ribution3.html
AIR 3.2.0.2070: AIR Download Center: http://get.adobe.com/air/
Android Marketplace: https://play.google.com/store/apps/d...shplayer&hl=en
Android Marketplace: https://play.google.com/store/apps/d...=com.adobe.air
Release Notes | Flash Player 11.2, AIR 3.2:
- http://helpx.adobe.com/flash-player/..._20120305.html
___
Flash test site: http://www.adobe.com/software/flash/about/
___
Critical Security Update for Adobe Flash Player
- http://atlas.arbor.net/briefs/index#-330930387
Severity: High Severity
Published: Wednesday, March 28, 2012 19:20
Adobe releases a critical update for Flash Player, and also rolls in a more functional automatic update process.
Analysis: Flash has been hit hard by malware authors and use for all sorts of attacks. In the past, it's patching mechanism has been flawed and difficult to use, especially for the average computer user. Their new background update function* should make this easier.
Source: https://krebsonsecurity.com/2012/03/...lash-player-2/
* http://download.windowssecrets.com/i...9-PW-Flash.jpg
Flash Player / AIR vulns...
- https://secunia.com/advisories/48623/
Release Date: 2012-03-29
Criticality level: Highly critical
Impact: System access
Where: From remote...
CVE Reference(s): CVE-2012-0772, CVE-2012-0773
Solution: Update to a fixed version...
Original Advisory: http://www.adobe.com/support/securit...apsb12-07.html
- http://www.securitytracker.com/id/1026859
CVE Reference: CVE-2012-0772, CVE-2012-0773
Date: Mar 28 2012
Impact: Execution of arbitrary code via network, User access via network
Version(s): 11.1.102.63 and prior versions...
Solution: The vendor has issued a fix (11.2.202.228 for Windows, Mac, and Linux; 11.2.202.223 for Solaris; 11.1.111.8 for Android 3.x).
:fear:
-
Adobe Reader/Acrobat security updates available
FYI...
Adobe Reader/Acrobat security updates available
- https://www.adobe.com/support/securi...8.html#Ratings
April 10, 2012
CVE numbers: CVE-2012-0774, CVE-2012-0775, CVE-2012-0776, CVE-2012-0777
"... Adobe released security updates for Adobe Reader X (10.1.2) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Linux, and Adobe Acrobat X (10.1.2) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader X (10.1.2) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.3). For users of Adobe Reader 9.5 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.3), Adobe has made available the update Adobe Reader 9.5.1. Adobe recommends users of Adobe Reader 9.4.6 and earlier versions for Linux update to Adobe Reader 9.5.1. Adobe recommends users of Adobe Acrobat X (10.1.2) for Windows and Macintosh update to Adobe Acrobat X (10.1.3). Adobe recommends users of Adobe Acrobat 9.5 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.5.1...
Solution: Adobe recommends users update their software installations by following the instructions below:
- Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
- Adobe Reader users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloa...atform=Windows
- Adobe Reader users on Macintosh can also find the appropriate update here: http://www.adobe.com/support/downloa...form=Macintosh
- Adobe Reader users on Linux can find the appropriate update here: ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/
- Adobe Acrobat: Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
- Acrobat Standard and Pro users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloa...atform=Windows
- Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloa...atform=Windows
- Acrobat Pro users on Macintosh can also find the appropriate update here: http://www.adobe.com/support/downloa...form=Macintosh ..."
___
- http://www.securitytracker.com/id/1026908
Date: Apr 10 2012
CVE Reference: CVE-2012-0774, CVE-2012-0775, CVE-2012-0776, CVE-2012-0777
Impact: Execution of arbitrary code via network, User access via network
Version(s): 9.5 and prior versions; 10.1.2 and prior versions
- https://secunia.com/advisories/48733/
Release Date: 2012-04-11
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote...
... more information:
- https://secunia.com/advisories/48033/
- https://secunia.com/advisories/48281/
- https://secunia.com/advisories/48623/
Solution: Apply updates...
:fear::fear:
-
Flash Player v11.2.202.233 released
FYI...
Flash Player v11.2.202.233 released
- https://www.adobe.com/support/securi...apsb12-07.html
... Google Chrome version 18.0.1025.151 update addresses two Flash Player memory corruption vulnerabilities in the Chrome interface (Google Chrome only) (CVE-2012-0724, CVE-2012-0725).
April 5, 2012 - Added information on CVE-2012-0724, CVE-2012-0725 and corresponding Google Chrome release.
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0724 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0725 - 10.0 (HIGH)
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
___
- http://helpx.adobe.com/flash-player/..._20120305.html
Last updated 2012-04-13
... Current Runtime Release Version(s): Flash Player Desktop: 11.2.202.233
Fixed Issues: Printing to local printer generates unusably large print jobs (3158836)...
.. ??
Download: https://www.adobe.com/products/flash...ribution3.html
___
Flash test site: http://www.adobe.com/software/flash/about/
:fear::fear:
-
Flash Player v11.2.202.235 released
FYI...
Flash Player v11.2.202.235 released - 0-day Fix
- https://www.adobe.com/support/securi...apsb12-09.html
May 4, 2012
CVE number: http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0779
Platform: All Platforms
Summary: ... an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows* only. Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235... Users of Adobe Flash Player 11.1.115.7 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.9...
* Priority 1: This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible...
> https://blogs.adobe.com/psirt/2012/0...apsb12-09.html
Download: https://www.adobe.com/products/flash...ribution3.html
Android: https://market.android.com/details?i...be.flashplayer
___
Flash test site: http://www.adobe.com/software/flash/about/
Flash Player update closes critical object confusion hole
Severity: High Severity
- http://atlas.arbor.net/briefs/
Published: Monday, May 07, 2012
Adobe Flash update addresses critical security hole.
Analysis: This vulnerability has been used in active attacks although they are apparently not widespread attacks. Attackers will often use newer vulnerabilities and 0days on special targets of high value first. At some point, the exploit code will leak or a post-compromise analysis will reveal the vulnerability and/or the exploit involved and then the gates open for more compromise activity by others with a variety of motives.
Source: http://h-online.com/-1568704
- https://www.us-cert.gov/current/#ado...advisory_for14
May 4, 2012
- http://www.securitytracker.com/id/1027023
May 4 2012 - "... vulnerability is being actively exploited against Flash Player on Internet Explorer in targeted cases. Microsoft Vulnerability Research (MSVR) reported this vulnerability..."
:fear::fear:
-
Adobe Black Tuesday for May 2012
FYI...
Adobe Black Tuesday for May 2012
___
APSB12-13 Security update available for Adobe Shockwave Player
- https://www.adobe.com/support/securi...apsb12-13.html
5/8/2012
CVE number: CVE-2012-2029, CVE-2012-2030, CVE-2012-2031, CVE-2012-2032, CVE-2012-2033
Platform: Windows and Macintosh
... security update for Adobe Shockwave Player 11.6.4.634 and earlier versions for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.4.634 and earlier for Windows and Macintosh update to Adobe Shockwave Player 11.6.5.635... available here: http://get.adobe.com/shockwave/ ... addresses -critical- vulnerabilities in the software....
APSB12-12 Security bulletin for Adobe Flash Pro
- https://www.adobe.com/support/securi...apsb12-12.html
5/8/2012
CVE number: CVE-2012-0778
Platform: Windows and Macintosh
... security upgrade for Adobe Flash Professional CS5.5 (11.5.1.349) and earlier for Windows and Macintosh. This upgrade addresses a vulnerability that could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe has released Adobe Flash Professional CS6, which addresses this vulnerability... (paid upgrade)... addresses a -critical- vulnerability in the software...
APSB12-11 Security bulletin for Adobe Photoshop
- https://www.adobe.com/support/securi...apsb12-11.html
5/8/2012
CVE number: CVE-2012-2027, CVE-2012-2028
Platform: Windows and Macintosh
... security upgrade for Adobe Photoshop CS5.5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities... (paid upgrade)... could lead to code execution CVE-2012-2027, Bugtraq ID 52634, which references:
http://www.securityfocus.com/bid/52634/ This upgrade resolves a buffer overflow vulnerability that could lead to code execution (CVE-2012-2028)... addresses a -critical- vulnerability in the software...
APSB12-10 Security bulletin for Adobe Illustrator
- https://www.adobe.com/support/securi...apsb12-10.html
5/8/2012
CVE numbers: CVE-2012-0780, CVE-2012-2023, CVE-2012-2024, CVE-2012-2025, CVE-2012-2026
Platform: Windows and Macintosh
... security upgrade for Adobe Illustrator CS5.5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. Adobe has released Adobe Illustrator CS6, which addresses these vulnerabilities... (paid upgrade)... addresses -critical- vulnerabilities in the software...
___
- https://secunia.com/advisories/49086/ - Shockwave Player
- https://secunia.com/advisories/47116/ - Flash Pro
- https://secunia.com/advisories/48457/ - Photoshop
- https://secunia.com/advisories/47118/ - Illustrator
- http://www.securitytracker.com/id/1027037 - Shockwave Player
- http://www.securitytracker.com/id/1027045 - Flash Pro
- http://www.securitytracker.com/id/1027046 - Photoshop
- http://www.securitytracker.com/id/1027047 - Illustrator
:fear::fear::fear::fear:
-
Adobe to release patches for CS5.x ...
FYI...
Adobe to release patches for CS5.x ...
- http://h-online.com/-1574341
12 May 2012 - "Adobe has announced* – through changes to the security advisories it issued earlier this week – that it is developing patches for the critical holes in the CS5.x versions of Adobe Photoshop, Illustrator and Flash Professional, after previously advising users that they needed to buy the just-released CS6 versions of the applications... Adobe has given no schedule for the availability of patches. In the original 8 May advisories, the company had said only that users of these products would need to purchase the upgrade from the CS5 and CS5.5 versions to the, just shipping on 7 May, CS6 versions to close the critical holes they were detailing; a move that was seen as effectively charging for security fixes..."
* https://blogs.adobe.com/psirt/2012/0...apsb12-12.html
May 11, 2012 - "... We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available..."
___
Adobe Photoshop CS5 Collada File Processing Buffer Overflow Vulnerability
- https://secunia.com/advisories/49160/
Release Date: 2012-05-15
Criticality level: Highly critical
Solution Status: Unpatched...
Adobe Photoshop...
- http://securitytracker.com/id/1027063
Date: May 15 2012
Impact: Execution of arbitrary code via network, User access via network
Version(s): CS5.1; possibly other versions...
:fear:
-
Adobe Illustrator and Photoshop fixes released
FYI...
Adobe Illustrator CS5 (15.0.3) and Adobe Illustrator CS5.5 (15.1.1) released
- https://www.adobe.com/support/securi...apsb12-10.html
Last updated: June 4, 2012
CVE numbers: CVE-2012-0780, CVE-2012-2023, CVE-2012-2024, CVE-2012-2025, CVE-2012-2026, CVE-2012-2042
Platform: Windows and Macintosh
"... Adobe has released Adobe Illustrator CS5 (15.0.3) and Adobe Illustrator CS5.5 (15.1.1) to address the vulnerabilities highlighted in this security bulletin... users can find the appropriate update for their version/platform here:
Adobe Illustrator CS5 (15.0.3) for Windows
- http://download.adobe.com/pub/adobe/...tor_15.0.3.zip
Adobe Illustrator CS5 (15.0.3) for Macintosh
- http://download.adobe.com/pub/adobe/...tor_15.0.3.dmg
Adobe Illustrator CS5.5 (15.1.1) for Windows
- http://download.adobe.com/pub/adobe/...tor_15.1.1.zip
Adobe Illustrator CS5.5 (15.1.1) for Macintosh
- http://download.adobe.com/pub/adobe/...tor_15.1.1.dmg ..."
Adobe Photoshop vCS5 (12.0.5) and vCS5.1 (12.1.1) released
- https://www.adobe.com/support/securi...apsb12-11.html
Last updated: June 4, 2012
CVE number: CVE-2012-2027, CVE-2012-2028, CVE-2012-2052
Platform: Windows and Macintosh
"... Adobe has released Adobe Photoshop CS5 (12.0.5) and Adobe Photoshop CS5.1 (12.1.1) to address the vulnerabilities highlighted in this security bulletin... Adobe recommends... customers update their product installations by following the instructions provided in the the technote:
http://helpx.adobe.com/photoshop/kb/...photoshop.html ..."
:fear::fear:
-
Flash Player v11.3.300.257 - AIR v3.3.0.3610 released
FYI...
Flash Player v11.3.300.257 - AIR v3.3.0.3610 released
- https://www.adobe.com/support/securi...apsb12-14.html
June 8, 2012
CVE number:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-2034 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-2035 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-2036 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-2037 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-2038 - 5.0
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-2039 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-2040 - 7.2 (HIGH)
Platform: All Platforms
Summary: Adobe released security updates for Adobe Flash Player 11.2.202.235 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.2.202.235 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.257.
- Users of Adobe Flash Player 11.2.202.235 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.236.
- Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 19.0.1084.56, which includes Adobe Flash Player 11.3.300.257.
- Users of Adobe Flash Player 11.1.115.8 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.9.
- Users of Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.10.
> https://krebsonsecurity.com/wp-conte...13-600x157.png
Download: https://www.adobe.com/products/flash...ribution3.html
Android: https://market.android.com/details?i...be.flashplayer
Flash test site: http://www.adobe.com/software/flash/about/
___
- Users of Adobe AIR 3.2.0.2070 for Windows, Macintosh and Android should update to Adobe AIR 3.3.0.3610...
Adobe recommends users of Adobe AIR 3.2.0.207 and earlier versions for Windows, Macintosh and Android update to Adobe AIR 3.3.0.3610:
- http://get.adobe.com/air/?promoid=JOPDE
Adobe AIR 3.2.0.2070 and earlier versions for Windows, Macintosh and Android... follow the instructions in the Adobe AIR TechNote:
- http://helpx.adobe.com/air/kb/determ...r-runtime.html
___
Thanks Brian:
- https://krebsonsecurity.com/2012/06/...-flash-player/
June 8, 2012
___
Inside Flash Player Protected Mode for Firefox
- https://blogs.adobe.com/asset/2012/0...r-firefox.html
June 7, 2012
> https://blogs.adobe.com/asset/files/..._processes.jpg
- http://h-online.com/-1614700
9 June 2012
___
- http://www.securitytracker.com/id/1027139
CVE Reference: CVE-2012-2034, CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2038, CVE-2012-2039, CVE-2012-2040
Jun 9 2012
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): 11.2.202.235 and prior
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system. A remote user can obtain potentially sensitive information.
Solution: The vendor has issued a fix (11.3.300.257 for Windows and Mac, 11.2.202.236 for Linux, 11.3.300.257 for Chrome, 11.1.115.9 for Android 4.x, 11.1.111.10 for Android 3.x).
The vendor's advisory is available at:
http://www.adobe.com/support/securit...apsb12-14.html
- https://secunia.com/advisories/49388/
Last Update: 2012-06-11
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
Software: Adobe AIR 3.x, Adobe Flash Player 11.x ...
Solution: Update to a fixed version.
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb12-14.html
- https://www.us-cert.gov/current/#ado...advisory_for15
June 11, 2012 - 9:11 am
:fear::fear:
-
ColdFusion v9.0.1 hotfix available...
FYI...
ColdFusion v9.0.1 hotfix available...
- https://www.adobe.com/support/securi...apsb12-15.html
June 12, 2012
CVE number: CVE-2012-2041
Platforms: All
Summary: Adobe released a security hotfix for ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. This update resolves an HTTP response splitting vulnerability in the ColdFusion Component Browser. Adobe recommends users update their product installation using the instructions provided in the "Solution" section below.
Affected software versions: ColdFusion 9.0.1, 9.0, 8.0.1, and 8.0 for Windows, Macintosh and UNIX
*Note: ColdFusion 10 for Windows, Macintosh and UNIX is not affected by this issue.
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote:
- http://helpx.adobe.com/coldfusion/kb...apsb12-15.html ...
- http://www.securitytracker.com/id/1027146
CVE Reference: CVE-2012-2041
Jun 12 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Version(s): 8.0, 8.0.1, 9.0, 9.0.1
:fear:
-
Flash crash - Firefox 13 ...
FYI...
Firefox v13.0.1 released
>>> http://forums.spybot.info/showpost.p...0&postcount=28
June 16, 2012
___
Flash crash - Firefox 13...
- http://h-online.com/-1619399
15 June 2012 - "The latest release of the Flash Player plugin, version 11.3, is causing frequent crashes in Firefox 13 on Windows. The problem seems to be related to the recently introduced Protection Mode, which is supposed to make the plugin run in a sandbox to isolate it from the rest of the system. The number of users experiencing this problem is now so large that Mozilla and Adobe are both offering differing solutions for a fix... Users should on -no- account -downgrade- to build 11.2... as it is known to contain critical security vulnerabilities which are currently being actively exploited... users should install Flash Player 10.3*, in which the vulnerabilities in question have been fixed in a similar way to version 11.3 since Adobe is continuing to supply enterprise customers with security patches for Flash 10."
* http://fpdownload.macromedia.com/get..._10_plugin.exe
:sad:
-
Flash v11.3.300.262 - Plugin-based browsers
FYI...
Flash Player v11.3.300.262 released
> http://forums.adobe.com/thread/1027238
Jun 21, 2012 - "... the Windows Flash Player plug-in for Firefox, Mozilla, Netscape, Opera and other browsers was updated to 11.3.300.262. This release addresses stability issue found in Mozilla Firefox. This build does not address the audio issues reported by some customers but we continue to focus on these problems and will continue to do so until they are resolved. If you continue to have problems with this release, please see this tech note* for suggestions and instructions for reporting these issues to us: Flash Player 11.3 compatibility issues with RealPlayer extension in Mozilla Firefox. For full details on the 11.3 release, please see our release notes**."
* http://helpx.adobe.com/flash-player/...h-mozilla.html
Last updated: 2012-06-22
** http://helpx.adobe.com/flash-player/...n_Known_Issues
Last updated: 2012-06-21
___
> https://www.adobe.com/products/flash...ribution3.html
Windows Flash Player 11.3.300.262 ... Plugin-based browsers:
> http://download.macromedia.com/get/f..._11_plugin.exe
___
Flash test site: http://www.adobe.com/software/flash/about/
:confused:
-
Flash Pro CS5.5 Security Update 11.5.2
FYI...
Flash Pro CS5.5 Security Update 11.5.2
- https://www.adobe.com/support/securi...apsb12-12.html
Last Updated: June 25, 2012
CVE number: http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0778 - 10.0 (HIGH)
Platform: Windows and Macintosh
Summary: Adobe released a security update for Adobe Flash Professional CS5.5 (11.5.1.349 and earlier) for Windows and Macintosh. This update addresses a vulnerability that could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Note that Adobe Flash Professional CS6 (12.0.0.481) for Windows and Macintosh addresses this vulnerability. No update is required for users of Adobe Flash Professional CS6 (12.0.0.481) for Windows and Macintosh.
Affected software versions: Adobe Flash Professional CS5.5 (11.5.1.349 and 11.5.0.325) and earlier versions for Windows and Macintosh
Solution: Adobe has released Adobe Flash Professional CS5.5 (11.5.2.349) to address the vulnerability highlighted in this security bulletin. Adobe recommends Adobe Flash Professional CS5.5 (11.5.1.349 and earlier) customers update their product installation by following the instructions provided in the technote:
- http://helpx.adobe.com/flash/kb/flas...ty-update.html
...The Security Update is available for download at:
- https://www.adobe.com/support/flash/...html#flashCS55
... This update addresses a critical vulnerability in the software.
Revisions:
June 25, 2012 - Added information on release of update to Adobe Flash Professional CS5.5 (11.5.1.349 and 11.5.0.325).
:fear::fear:
-
Flash v11.3.300.265 released
FYI...
Flash v11.3.300.265 released
- http://forums.adobe.com/message/4551666#4551666
Jul 11, 2012 - "Flash Player 11.3 Update
Today, Flash Player 11.3.300.265 for Windows and Macintosh was released to address critical audio and stability issues.
For full details on the 11.3 release, please see our release notes.
http://www.adobe.com/support/documen...easenotes.html ..."
Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
2012.07.11
... The table below contains the latest Flash Player version information:
Windows:
Internet Explorer (and other browsers that support Internet Explorer ActiveX controls and plug-ins) 11.3.300.265
Firefox, Mozilla, Netscape, Opera (and other plugin-based browsers) 11.3.300.265
Chrome 11.3.300.265
Macintosh:
OS X Firefox, Opera, Safari 11.3.300.265
Chrome 11.3.300.265
:fear:
-
Flash v11.3.300.268 released
FYI...
Flash v11.3.300.268 released
- http://forums.adobe.com/message/4582208#4582208
Jul 26, 2012 - "Flash Player 11.3.300.268 for Windows and Macintosh was released to address stability issues when browsing and playing Flash content. For full details on the 11.3 release, please see our release notes*..."
* http://www.adobe.com/support/documen...easenotes.html
Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
2012.07.27
... The table below contains the latest Flash Player version information:
Windows:
Internet Explorer (and other browsers that support Internet Explorer ActiveX controls and plug-ins) 11.3.300.268
Firefox, Mozilla, Netscape, Opera (and other plugin-based browsers) 11.3.300.268
Macintosh:
OS X Firefox, Opera, Safari 11.3.300.268
:fear:
-
Flash v11.3.300.270 released
FYI...
Flash v11.3.300.270 released
- http://forums.adobe.com/message/4594596#4594596
Aug 2, 2012 - "... Flash Player 11.3.300.270 for Windows was released to address a crash that was occurring in the Adobe Flash Player Update Service (FlashPlayerUpdateService.exe). There are no other fixes or changes provided with this build. This release is available for Windows only, and affects the Active X and Plug-in installers, uninstaller, and msi's (available on the distribution page.) No other platforms are affected... Please be aware that this release is -not- available from the Product Download Center (get.adobe.com/flashplayer) which will continue to provide 11.3.300.268. We realize that this might cause confusion for some users. Due to the severity of this issue, we decided to make this build available immediately to help customers affected by this bug. Due to logistical issues and time constraints, we were unable to update the release on the Product Download Center. The next release of Flash Player will correct this disparity. Please note that unless you have been affected by the FlashPlayerUpdateService.exe crash, both 11.3.300.270 and 11.3.300.268 will be functionally identical. This release will be distributed using the following methods:
• Silent auto update - If enabled and functional, the silent auto update service will automatically install this build within 24 hours.
• Direct download - You can download the installers directly using the links below
IE:
- http://download.macromedia.com/pub/f..._player_ax.exe
Plugin-based browsers:
- http://download.macromedia.com/pub/f...ash_player.exe
___
- https://blogs.adobe.com/psirt/2012/0...d-acrobat.html
August 9, 2012 - "... upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, August 14, 2012..."
> http://www.adobe.com/go/apsb12-16
Adobe warns of critical holes in Reader, Acrobat
- http://atlas.arbor.net/briefs/
Severity: High Severity
August 09, 2012
Adobe is releasing patches on August 14th to resolve security holes.
Analysis: ... keep these packages up-to-date with automatic update features and ensure updates are applied. Extra layers of hardening around software that integrates with the browser and email client is recommended as these are frequently attacked...
:fear:
-
Flash-Reader-Acrobat-Shockwave critical updates - 2012.08.14 ...
FYI...
> https://www.adobe.com/support/security/
Flash updates v11.3.300.271 / v11.2.202.238 released
- https://www.adobe.com/support/securi...apsb12-18.html
August 14, 2012
CVE number: http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-1535 - 9.3 (HIGH)
Platform: Windows, Macintosh and Linux
Summary: Adobe has released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux. These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.271.
- Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
- Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79...
Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
- https://secunia.com/advisories/50285/
Last Update: 2012-08-15
Criticality level: Extremely critical
Impact: System access
Where: From remote
CVE Reference: http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-1535
... vulnerability is currently being actively exploited in targeted attacks via Word documents against the Windows version.
Solution: Update to version 11.3.300.271 for Windows, Mac, and Chrome or version 11.2.202.238 for Linux.
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb12-18.html
___
Adobe Shockwave v11.6.6.636 released
- https://www.adobe.com/support/securi...apsb12-17.html
August 14, 2012
CVE number: CVE-2012-2043, CVE-2012-2044, CVE-2012-2045, CVE-2012-2046, CVE-2012-2047
Platform: Windows and Macintosh
Summary:Adobe has released an update for Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system...
Solution: Adobe recommends users of Adobe Shockwave Player 11.6.5.635 and earlier versions update to the newest version 11.6.6.636, available here:
http://get.adobe.com/shockwave/ ...
- https://secunia.com/advisories/50283/
Release Date: 2012-08-14
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Update to version 11.6.6.636.
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb12-17.html
___
Adobe Reader/Acrobat X v10.1.4 released
- https://www.adobe.com/support/securi...apsb12-16.html
August 14, 2012
CVE numbers: CVE-2012-1525, CVE-2012-2049, CVE-2012-2050, CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160, CVE-2012-4161, CVE-2012-4162
[Adobe Reader/Acrobat 9.x -before- 9.5.2 and 10.x -before- 10.1.4 on Windows and Mac OS X]
Platform: Windows and Macintosh
Summary: Adobe has released security updates for Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:
Users of Adobe Reader X (10.1.3) and earlier versions for Windows and Macintosh should update to Adobe Reader X (10.1.4).
For users of Adobe Reader 9.5.1 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.4), Adobe has made available the update Adobe Reader 9.5.2.
Users of Adobe Acrobat X (10.1.3) for Windows and Macintosh should update to Adobe Acrobat X (10.1.4).
Users of Adobe Acrobat 9.5.1 and earlier versions for Windows and Macintosh should update to Adobe Acrobat 9.5.2...
Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh
Adobe Acrobat: Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloa...atform=Windows
Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloa...atform=Windows
Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloa...form=Macintosh ...
- https://secunia.com/advisories/50281/
Last Update: 2012-08-15
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix ...
Software: Adobe Acrobat 9.x, X 10.x, Adobe Reader 9.x, X 10.x
Solution: Apply updates if available.
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb12-16.html
- https://secunia.com/advisories/50290/
Release Date: 2012-08-15
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe Acrobat 9.x, X 10.x, Adobe Reader 9.x, X 10.x
... vulnerabilities are caused due to unspecified errors. No further information is currently available. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
Solution: No official solution is currently available...
Original Advisory: http://j00ru.vexillium.org/?p=1175
>> http://h-online.com/-1668153
15 August 2012
:fear::fear::fear:
-
Flash v11.4.402.265 released
Win8 users vulnerable to active Flash exploits
- https://www.computerworld.com/s/arti...Flash_exploits
Sep 08, 2012
___
- https://krebsonsecurity.com/2012/08/...fixes-5-flaws/
Aug. 21, 2012 - "For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild..."
Flash v11.4.402.265 released
- https://www.adobe.com/support/securi...apsb12-19.html
August 21, 2012
CVE number: CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168
Platform: All Platforms
Details: Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
Users of Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.4.402.265.
Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for Macintosh
Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.17.
Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.16.
Revisions: Aug 30, 2012 - Added information regarding CVE-2012-4171
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4171
08/31/2012
Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
___
>> http://get.adobe.com/air/
Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2540.
Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2540 SDK.
Users of the Adobe AIR 3.3.0.3650 and earlier versions for Android should update to the Adobe AIR 3.4.0.2540.
> These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-4167).
These updates resolve a cross-domain information leak vulnerability (CVE-2012-4168)...
- https://www.adobe.com/support/securi...y_ratings.html
"Priority 1: This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for instance, within 72 hours)."
___
- https://secunia.com/advisories/50354/
Release Date: 2012-08-22
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Software: Adobe AIR 3.x, Adobe Flash Player 11.x ...
Solution: Update to a fixed version.
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb12-19.html
- http://www.securitytracker.com/id/1027422
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4163 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4164 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4165 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4166 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4167 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4168 - 4.3
Aug 22 2012
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): 11.3.300.271 and prior
Solution: The vendor has issued a fix (11.4.402.265 for Windows and OS X; 11.2.202.238 for Linux; 11.1.111.16 for Android 2.x and 3.x; 11.1.115.17 for Android 4.x)...
:fear::fear:
-
ColdFusion DoS vuln/hotfix
FYI...
ColdFusion DoS vuln/hotfix
- https://secunia.com/advisories/50523/
Release Date: 2012-09-11
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Software: Adobe ColdFusion 10.x, 8.x, 9.x
CVE Reference: CVE-2012-2048
Original Advisory: http://www.adobe.com/support/securit...apsb12-21.html
Summary: Adobe has released a security hotfix for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX. This update resolves a vulnerability which could result in a Denial of Service condition. Adobe recommends users update their product installation using the instructions provided in the "Solution" section below.
Affected software versions: ColdFusion 10, 9.0.2, 9.0.1, 9.0, 8.0.1, and 8.0 for Windows, Macintosh and UNIX
Solution: Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote:
http://helpx.adobe.com/coldfusion/kb...apsb12-21.html .
___
- http://www.securitytracker.com/id/1027516
Sep 11 2012
:fear:
-
Adobe revocation of code signing certificate
FYI...
Adobe revocation of code signing certificate
- https://www.adobe.com/support/securi...apsa12-01.html
Sep 27, 2012 - "Summary: Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe plans to revoke the certificate on October 4 for all software code signed after July 10, 2012. Adobe is in the process of issuing updates signed using a new digital certificate for all affected products...
Affected software versions: The vast majority of Adobe customers will not be impacted by this issue. However, some customers, in particular administrators in managed Windows environments, may need to take certain action. To determine whether you or your organization are impacted, please refer to the support page on the Adobe website*...
* http://helpx.adobe.com/x-productkb/g...e-updates.html
- http://nakedsecurity.sophos.com/2012...-sign-malware/
Sep 28, 2012 - "... the issue appears to have been the result of hackers compromising a vulnerable build server. Malware seen using the digital signature includes pwdump7 v 7.1 (a utility that scoops up password hashes, and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll). According to Adobe, the second malicious utility is myGeeksmail.dll, a malicious ISAPI filter..."
- https://isc.sans.edu/diary.html?storyid=14194
Last Updated: 2012-09-28
- http://h-online.com/-1719955
28 Sep 2012
:fear:
-
Adobe revokes certificate ...
FYI...
Adobe revokes certificate ...
- https://www.adobe.com/support/securi...apsa12-01.html
Last updated: Oct 4, 2012 - "... Adobe has revoked the certificate on October 4 for all software code signed after July 10, 2012 (00:00 GMT). Adobe has issued updates signed using a new digital certificate for all affected products. The following certificate has been revoked and the certificate revocation list (CRL) is available at:
http://csc3-2010-crl.verisign.com/CSC3-2010.crl ..."
___
Adobe Cert Used to Sign Malware ...
- http://atlas.arbor.net/briefs/index#666340356
Oct 05, 2012
- https://blogs.technet.com/b/mmpc/arc...edirected=true
3 Oct 2012
:fear:
-
Flash v11.4.402.287 - AIR v3.4.0.2710 released
FYI...
Flash v11.4.402.287 / AIR v3.4.0.2710 released
- https://www.adobe.com/support/securi...apsb12-22.html
Oct 8, 2012
CVE numbers: CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 11.4.402.278 and earlier versions for Windows, Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh, Adobe Flash Player 11.2.202.238 and earlier for versions for Linux, Adobe Flash Player 11.1.115.17 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:
• Users of Adobe Flash Player 11.4.402.278 and earlier versions for Windows and Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh should update to Adobe Flash Player 11.4.402.287.
• Users of Adobe Flash Player 11.2.202.238 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.243.
• Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.4.31.110 for Windows and Linux, and Flash Player 11.4.402.287 for Macintosh.
• Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version*, which will include Adobe Flash Player 11.3.375.10 for Windows.
• Users of Adobe Flash Player 11.1.115.17 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.20.
• Users of Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.19.
• Users of Adobe AIR 3.4.0.2540 for Windows and Macintosh should update to Adobe AIR 3.4.0.2710.
• Users of the Adobe AIR 3.4.0.2540 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2710 SDK.
• Users of the Adobe AIR 3.4.0.2540 and earlier versions for Android should update to the Adobe AIR 3.4.0.2710...
These updates address critical vulnerabilities in the software...
Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
- https://www.us-cert.gov/current/#ado...bulletin_for15
Oct 10, 2012 - Flash v11.4.402.287 released...
___
>> http://get.adobe.com/air/
___
Microsoft Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
* https://technet.microsoft.com/en-us/...visory/2755801
Updated: Oct 08, 2012 - "... Microsoft recommends that customers apply the current update -immediately- using update management software, or by checking for updates using the Microsoft Update service. Since the update is cumulative, only the current update will be offered..."
• V2.0 (October 8, 2012): Added KB2758994** to the Current update section.
** http://support.microsoft.com/kb/2758994
___
- https://secunia.com/advisories/50876/
Release Date: 2012-10-09
Criticality level: Highly critical
Impact: System access
Where: From remote...
Solution: Update to a fixed version.
Original Advisory: http://www.adobe.com/support/securit...apsb12-22.html
:fear::fear:
-
Shockwave v11.6.8.638 released
FYI...
Shockwave v11.6.8.638 released
- https://www.adobe.com/support/securi...apsb12-23.html
Oct 23, 2012
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4172 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4173 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4174 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4175 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4176 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-5273 - 10.0 (HIGH)
Platform: Windows and Macintosh
Summary: Adobe has released a security update for Adobe Shockwave Player 11.6.7.637 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.7.637 and earlier versions update to Adobe Shockwave Player 11.6.8.638...
... newest version 11.6.8.638, available here: http://get.adobe.com/shockwave/
... This update addresses critical vulnerabilities in the software...
- https://secunia.com/advisories/51090/
Release Date: 2012-10-24
Criticality level: Highly critical
Impact: System access
Where: From remote
... vulnerabilities are reported in versions 11.6.7.637 and prior for Windows and Macintosh.
Solution: Update to version 11.6.8.638.
:fear:
-
Flash v11.5.502.110 released
FYI...
Flash v11.5.502.110 released
- https://www.adobe.com/support/securi...apsb12-24.html
Nov 6, 2012
CVE number:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-5274 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-5275 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-5276 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-5277 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-5278 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-5279 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-5280 - 10.0 (HIGH)
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.110.
- Users of Adobe Flash Player 11.2.202.243 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.251.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.2 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.376.12 for Windows.
- Users of Adobe Flash Player 11.1.115.20 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.27.
- Users of Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.24.
- Users of Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (including AIR for iOS) and Android should update to Adobe AIR 3.5.0.600...
These updates address -critical- vulnerabilities in the software...
Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
>> http://get.adobe.com/air/
> http://helpx.adobe.com/flash-player/...ase_notes.html
___
- https://secunia.com/advisories/51213/
Release Date: 2012-11-07
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
... exploitation of the vulnerabilities may allow execution of arbitrary code...
Solution: Update to a fixed version.
Original Advisory: Adobe (APSB12-24):
http://www.adobe.com/support/securit...apsb12-24.html
:fear::fear:
-
ColdFusion 10 Hotfix available for Windows
FYI...
ColdFusion 10 Hotfix available for Windows
- https://www.adobe.com/support/securi...apsb12-25.html
November 19, 2012
CVE number: CVE-2012-5674
Platform: Windows
Summary: Adobe has released a security hotfix for ColdFusion 10 Update 1 and above for Windows. This hotfix resolves a vulnerability affecting ColdFusion on Windows Internet Information Services (IIS), which could result in a Denial of Service condition. Adobe recommends users update their product installation using the instructions provided in the "Solution" section below.
Affected software versions: ColdFusion 10 Update 1 and above for Windows
Solution: Adobe recommends customers update their installation of ColdFusion 10 Update 1 and above for Windows to ColdFusion 10 Update 5 using the instructions provided in the technote:
> http://helpx.adobe.com/coldfusion/kb...apsb12-25.html
___
- https://secunia.com/advisories/51335/
Release Date: 2012-11-20
Criticality level: Moderately critical
Impact: DoS
Where: From remote
CVE Reference: CVE-2012-5674
... vulnerability is reported in version 10 update 1 and higher.
Solution: Update to version 10 update 5...
:fear:
-
Flash Player v11.5.502.135 released
FYI...
Flash Player v11.5.502.135 released
- https://www.adobe.com/support/securi...apsb12-27.html
Dec 11, 2012
CVE number: CVE-2012-5676, CVE-2012-5677, CVE-2012-5678
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.251 and earlier versions for Linux, Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.110 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.135.
- Users of Adobe Flash Player 11.5.502.110 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.136.
- Users of Adobe Flash Player 11.2.202.251 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.258.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.5 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.377.15.
- Users of Adobe Flash Player 11.1.115.27 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.34.
- Users of Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.29.
- Users of Adobe AIR 3.5.0.600 and earlier versions for Windows should update to Adobe AIR 3.5.0.880.
- Users of Adobe AIR 3.5.0.600 and earlier versions for Macintosh should update to Adobe AIR 3.5.0.890.
- Users of the Adobe AIR 3.5.0.600 SDK (includes AIR for iOS) should update to the Adobe AIR 3.5.0.880 SDK (Windows) or Adobe AIR 3.5.0.890 SDK (Mac)...
- http://get.adobe.com/air/
Flash Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
- https://secunia.com/advisories/51560/
Release Date: 2012-12-12
Criticality level: Highly critical
Impact: System access
Where: From remote...
___
ColdFusion 10 and earlier - Hotfix available
- https://www.adobe.com/support/securi...apsb12-26.html
December 11, 2012
CVE number: CVE 2012-5675
Platform: All Platforms
Summary: Adobe has released a security hotfix for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX. This hotfix resolves a vulnerability which could result in a sandbox permissions violation in a shared hosting environment...
Affected software versions:
ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX
Solution:
Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote:
http://helpx.adobe.com/coldfusion/kb...apsb12-26.html .
- https://secunia.com/advisories/51551/
Release Date: 2012-12-12
Criticality level: Moderately critical
Impact: Security Bypass
Where: From remote...
:fear:
-
Adobe ColdFusion - multiple vulns ...
FYI...
Adobe ColdFusion - multiple vulns ...
- https://www.adobe.com/support/securi...apsa13-01.html
January 4, 2013
CVE number: CVE-2013-0625, CVE-2013-0629, CVE-2013-0631
Platform: All
Summary: Adobe has identified three vulnerabilities affecting ColdFusion for Windows, Macintosh and UNIX:
CVE-2013-0625 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.
CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.
There are reports that these vulnerabilities are being exploited in the wild against ColdFusion customers. Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled or have no password set. We are in the process of finalizing a fix for the issues and expect a hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX will be available on January 15, 2013..."
___
Adobe Reader/Acrobat prenotification for Jan 2013
- https://www.adobe.com/support/securi...apsb13-02.html
Jan 3, 2013 - "Adobe is planning to release security updates on Tuesday, January 8, 2013 for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux..."
:fear::fear:
-
Flash v11.5.502.146, Reader/Acrobat v11.0.1 released
FYI...
Flash Player v11.5.502.146 released
- https://www.adobe.com/support/securi...apsb13-01.html
Jan 8, 2013
CVE number: http://web.nvd.nist.gov/view/vuln/de...=CVE-2013-0630 - 10.0 (HIGH)
Summary: Adobe has released security updates for Adobe Flash Player 11.5.502.135 and earlier versions for Windows, Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh, Adobe Flash Player 11.2.202.258 and earlier versions for Linux, Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x. These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.135 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.146.
- Users of Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.146.
- Users of Adobe Flash Player 11.2.202.258 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.261.
Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.137 for Windows, Macintosh and Linux.
Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.378.5 for Windows: https://support.microsoft.com/kb/2796096
- Users of Adobe Flash Player 11.1.115.34 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.36.
- Users of Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.31.
- Users of Adobe AIR 3.5.0.880 and earlier versions for Windows should update to Adobe AIR 3.5.0.1060.
- Users of Adobe AIR 3.5.0.890 and earlier versions for Macintosh should update to Adobe AIR 3.5.0.1060.
- Users of the Adobe AIR SDK (includes AIR for iOS) should update to the Adobe AIR 3.5.0.1060 SDK...
Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
>> http://get.adobe.com/air/
___
- https://secunia.com/advisories/51771/
Release Date: 2013-01-08
Criticality level: Highly critical
Impact: System access
Where: From remote...
CVE Reference: CVE-2013-0630
Solution: Update to a fixed version...
___
Adobe Reader/Acrobat v11.0.1 released
- https://www.adobe.com/support/securi...apsb13-02.html
Jan 8, 2013
CVE numbers: CVE-2013-0601, CVE-2013-0602, CVE-2013-0603, CVE-2013-0604, CVE-2013-0605, CVE-2013-0606, CVE-2013-0607, CVE-2013-0608, CVE-2013-0609, CVE-2013-0610, CVE-2013-0611, CVE-2013-0612, CVE-2013-0613, CVE-2013-0614, CVE-2013-0615, CVE-2013-0616, CVE-2013-0617, CVE-2013-0618, CVE-2013-0619, CVE-2013-0620, CVE-2013-0621, CVE-2013-0622, CVE-2013-0623, CVE-2013-0624, CVE-2013-0626, CVE-2013-0627
Platform: All
Summary: Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Reader XI (11.0.0) for Windows and Macintosh should update to Adobe Reader XI (11.0.1).
- For users of Adobe Reader X (10.1.4) and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.1), Adobe has made available the update Adobe Reader X (10.1.5).
- For users of Adobe Reader 9.5.2 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.1), Adobe has made available the update Adobe Reader 9.5.3.
- Users of Adobe Reader 9.5.1 and earlier versions for Linux should update to Adobe Reader 9.5.3.
- Users of Adobe Acrobat XI (11.0.0) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.1).
- Users of Adobe Acrobat X (10.1.4) and earlier versions for Windows and Macintosh should update to Adobe Acrobat X (10.1.5).
- Users of Adobe Acrobat 9.5.2 and earlier versions for Windows and Macintosh should update to Adobe Acrobat 9.5.3...
Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism...
Adobe Acrobat: Users can utilize the product's update mechanism...
___
- http://www.securitytracker.com/id/1027952
CVE Reference: CVE-2013-0601, CVE-2013-0602, CVE-2013-0603, CVE-2013-0604, CVE-2013-0605, CVE-2013-0606, CVE-2013-0607, CVE-2013-0608, CVE-2013-0609, CVE-2013-0610, CVE-2013-0611, CVE-2013-0612, CVE-2013-0613, CVE-2013-0614, CVE-2013-0615, CVE-2013-0616, CVE-2013-0617, CVE-2013-0618, CVE-2013-0619, CVE-2013-0620, CVE-2013-0621, CVE-2013-0622, CVE-2013-0623, CVE-2013-0624, CVE-2013-0626, CVE-2013-0627
Jan 8 2013
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 9.5.2, 10.1.4, 11.0.0; and prior versions
Solution: The vendor has issued a fix (9.5.3, 10.1.5 for Windows/Mac, 11.0.1 for Windows/Mac).
... advisory is available at:
- http://www.adobe.com/support/securit...apsb13-02.html
:fear::fear:
-
ColdFusion hotfix released
FYI...
ColdFusion hotfix released
- https://www.adobe.com/support/securi...apsa13-01.html
Last updated: January 16, 2013
CVE number: CVE-2013-0625, CVE-2013-0629, CVE-2013-0631, CVE-2013-0632
Platform: All
Summary: Adobe has identified four vulnerabilities affecting ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX:
• CVE-2013-0625 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
• CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.
• CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.
• CVE-2013-0632 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
There are reports that these vulnerabilities are being exploited in the wild against ColdFusion customers.
Adobe has released a security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX. Adobe recommends users update their product installation using the instructions provided in the "Solution" section of Security Bulletin APSB13-03*..."
* https://www.adobe.com/support/securi...apsb13-03.html
>> http://helpx.adobe.com/coldfusion/kb...apsb13-03.html
January 16, 2013 - Advisory revised to correct the versions of ColdFusion vulnerable to CVE-2013-0625.
:fear::fear:
-
Flash v11.5.502.149 released
FYI...
Flash v11.5.502.149 released
- https://www.adobe.com/support/securi...apsb13-04.html
Feb 7, 2013
CVE number:
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0633 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0634 - 9.3 (HIGH)
Platform: All Platforms
Summary: Adobe has released security updates... These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.
Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.149.
- Users of Adobe Flash Player 11.2.202.261 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.262.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.139 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.3.379.14 for Windows...
- Users of Adobe Flash Player 11.1.115.36 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.37.
- Users of Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.32.
Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
- https://blogs.adobe.com/psirt/2013/0...apsb13-04.html
- https://secunia.com/advisories/52116/
Release Date: 2013-02-08
Criticality level: Extremely critical
Impact: System access
Where: From remote
CVE Reference(s): CVE-2013-0633, CVE-2013-0634
... vulnerability is currently being actively exploited in targeted attacks against the Macintosh and Windows versions...
Solution: Update to a fixed version.
Original Advisory: http://www.adobe.com/support/securit...apsb13-04.html
___
MS Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/s...visory/2755801
"... updates are available from... Windows Update..."
V7.0 (February 7, 2013): Added KB2811522* to the Current update section.
* http://support.microsoft.com/kb/2811522
:fear::fear:
-
Flash v11.6.602.168, Shockware v12.0.0.112 released
FYI...
Flash Player v11.6.602.168 released
- https://www.adobe.com/support/securi...apsb13-05.html
February 12, 2013
CVE number: CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637
https://web.nvd.nist.gov/view/vuln/s...months&cves=on
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.262 and earlier versions for Linux, Adobe Flash Player 11.1.115.37 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.149 and earlier versions for Windows should update to Adobe Flash Player 11.6.602.168.
- Users of Adobe Flash Player 11.5.502.149 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.167.
- Users of Adobe Flash Player 11.2.202.262 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.270.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.167 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.6.602.167 for Windows.
- Users of Adobe Flash Player 11.1.115.37 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.47.
- Users of Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.43.
- Users of Adobe AIR 3.5.0.1060 and earlier versions should update to Adobe AIR 3.6.0.597.
- Users of the Adobe AIR 3.5.0.1060 SDK (including AIR for iOS) and earlier should update to the new Adobe AIR 3.6.0.599 SDK + Compiler...
- https://www.adobe.com/support/securi...5.html#Ratings
Product Updated version Platform Priority rating
Adobe Flash Player 11.6.602.168 Windows 1
Flash Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://www.adobe.com/software/flash/about/
>> http://get.adobe.com/air/
___
MS Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/s...visory/2755801
"... updates are available from... Windows Update..."
V8.0 (February 12, 2013): Added KB2805940 to the Current update section.
* http://support.microsoft.com/kb/2805940
___
Shockwave Player v12.0.0.112 released
- https://www.adobe.com/support/securi...apsb13-06.html
February 12, 2013
CVE number: CVE-2013-0635, CVE-2013-0636
Platform: Windows and Macintosh
Summary: Adobe has released a security update for Adobe Shockwave Player 11.6.8.638 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.8.638 and earlier versions update to Adobe Shockwave Player 12.0.0.112...
>> http://get.adobe.com/shockwave/
.
-
Adobe 0-day Reader/Acrobat exploit in-the-wild
FYI...
Adobe 0-day Reader/Acrobat exploit in-the-wild
- https://blogs.adobe.com/psirt/2013/0...ty-report.html
Feb 12, 2013 10:45 PM - "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog* for the latest information."
* http://blogs.adobe.com/psirt/
- https://secunia.com/advisories/52196/
Release Date: 2013-02-14
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution: No official solution is currently available.
... Reported as a 0-day.
Original Advisory:
- https://www.adobe.com/support/securi...apsa13-02.html
Last updated: Feb 16, 2013
CVE number: CVE-2013-0640, CVE-2013-0641
"... Mitigations: Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View. To enable this setting, choose the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu. Enterprise administrators can protect Windows users across their organization by enabling Protected View in the registry and propagating that setting via GPO or any other method. Further information about enabling Protected View for the enterprise is available here:
> https://www.adobe.com/devnet-docs/ac...ectedview.html
... Adobe is in the process of working on fixes for these issues and plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of February 18, 2013..."
- http://arstechnica.com/security/2013...on-by-default/
Feb 14, 2013 - "... the "protected view" feature prevents the current attacks from working — but only if it's manually enabled. To turn it on, access Preferences > Security (Enhanced) and then check the "Files from potentially unsafe locations," or even the "All files" option. Then click OK.
There's also a way for administrators to enable protected view on Windows machines across their organization... It's unclear why protected view isn't turned on by default..."
>> http://www.f-secure.com/weblog/archi...tectedView.png
- http://blog.fireeye.com/research/201...-pdf-time.html
Feb 13, 2013 - "... we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1. Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain... we have been working with Adobe and have jointly agreed to refrain from posting the technical details of the zero-day at this time. This post was intended to serve as a warning to the general public..."
- http://www.f-secure.com/weblog/archives/00002500.html
Feb 13, 2013 - "... Consider mitigating your Adobe Reader usage until there's an update from Adobe..."
- http://blog.trendmicro.com/trendlabs...-adobe-reader/
Feb 13, 2013 - "... Java, Internet Explorer, Adobe Flash Player, and now, Adobe Reader – just two months into 2013, we have already witnessed high-profile cases in which attackers used zero-day exploits to execute their schemes... To prevent this attack, we highly discourage users from opening unknown .PDF files or those acquired from unverified sources..."
___
ThreatCon is currently at Level 2: Elevated.
- https://www.symantec.com/security_re...atconlearn.jsp
"... On February 7, 2013, Adobe released a patch for Adobe Flash Player. This release addresses CVE-2013-0633 (BID 57788) and CVE-2013-0634 (BID 57787), which are being actively exploited in the wild, distributed through malicious Word documents...
[superseded by APSB13-05: https://www.adobe.com/support/securi...apsb13-05.html
... Adobe Flash Player 11.6.602.168... February 12, 2013
CVE number: CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637
https://web.nvd.nist.gov/view/vuln/s...months&cves=on ...]"
:sad: :fear:
-
Adobe Reader/Acrobat 11.0.02 released ...
FYI...
Adobe Reader/Acrobat 11.0.02 released
- https://www.adobe.com/support/securi...apsb13-07.html
February 20, 2013
CVE number:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2013-0640 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2013-0641 - 9.3 (HIGH)
Platform: All Platforms
"... Adobe recommends users update their product installations to the latest versions:
• Users of Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Reader XI (11.0.02).
• For users of Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader X (10.1.6).
• For users of Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader 9.5.4.
• Users of Adobe Reader 9.5.3 and earlier 9.x versions for Linux should update to Adobe Reader 9.5.4.
• Users of Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.02).
• Users of Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh should update to Adobe Acrobat X (10.1.6).
• Users of Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh should update to Adobe Acrobat 9.5.4...
Adobe recommends users update their software installations by following the instructions below:
Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates.
Adobe Reader users on Windows can also find the appropriate update here:
- http://www.adobe.com/support/downloa...atform=Windows
Adobe Reader users on Macintosh can also find the appropriate update here:
- http://www.adobe.com/support/downloa...form=Macintosh
Adobe Reader users on Linux can find the appropriate update here:
- ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/
Adobe Acrobat: Users can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates.
Acrobat Standard, Pro and Pro Extended users on Windows can also find the appropriate update here:
- http://www.adobe.com/support/downloa...atform=Windows
Acrobat Pro users on Macintosh can also find the appropriate update here:
- http://www.adobe.com/support/downloa...form=Macintosh ..."
New Downloads:
- https://www.adobe.com/support/downloads/new.jsp
:fear:
-
Flash 11.6.602.171 released
FYI...
Flash 11.6.602.171 released
- https://www.adobe.com/support/securi...apsb13-08.html
Feb 26, 2013
CVE number:
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0504 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0643 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0648 - 9.3 (HIGH)
Platform: All platforms
Adobe has released security updates for Adobe Flash Player 11.6.602.168 and earlier versions for Windows, Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, and Adobe Flash Player 11.2.202.270 and earlier versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Summary: Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171.
- Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.273.
- Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux.
- Adobe Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.6.602.171 for Windows...
Flash Download:
> https://www.adobe.com/products/flash...ribution3.html
Flash test site: http://helpx.adobe.com/flash-player/...n_your_machine
___
MS Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/s...visory/2755801
"... updates are available from... Windows Update..."
Affected Software: Windows 8, Windows Server 2012, Windows RT
V9.0 (February 26, 2013): Added KB2819372 to the Current Update section.
___
- https://secunia.com/advisories/52374/
Release Date: 2013-02-27
Criticality level: Extremely critical
Impact: Security Bypass, System access
Where: From remote...
Solution: Update to a fixed version.
Original Advisory: Adobe:
http://www.adobe.com/support/securit...apsb13-08.html
___
-Fake- Adobe Flash update page
- https://www.symantec.com/connect/sit.../Figure1_6.png
Feb 27, 2013
- http://www.symantec.com/connect/blog...ms-click-fraud
Feb 27, 2013 - "... To ensure that you do not become a victim in the first place, please ensure that your antivirus definitions are constantly updated and that your software packages are also regularly updated. Do not download updates from third-party sites and always double check the URL of the download that is being offered."
:fear: