Thread: Old Adobe updates/advisories

  1. #21
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Shockwave Player vuln - update v11.5.0.600 available

    FYI...

    Shockwave Player vuln - update v11.5.0.600 available
    - http://www.adobe.com/support/securit...apsb09-08.html
    June 23, 2009 - "A critical vulnerability has been identified in Adobe Shockwave Player 11.5.0.596 and earlier versions. This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system... To resolve this issue, Shockwave Player users on Windows should -uninstall- Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/ . This issue is remotely exploitable..."

    - http://voices.washingtonpost.com/sec..._for_adob.html
    June 25, 2009 - "...Readers should be aware that by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."

    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1860
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2186

    - http://secunia.com/advisories/35544/2/
    Release Date: 2009-06-24
    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Shockwave Player 11.x ...
    Solution: Uninstall versions prior to 11.5.0.600, restart the system, and install version 11.5.0.600:
    http://get.adobe.com/shockwave/

    - http://www.us-cert.gov/current/#adob..._for_shockwave
    June 24, 2009

    Last edited by AplusWebMaster; 2009-06-29 at 19:54. Reason: Added Secunia, US-CERT, and SecurityFix links...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22
    Adviser Team AplusWebMaster's Avatar

    ColdFusion 8 input sanitization issue

    FYI...

    Hotfix available for potential ColdFusion 8 input sanitization issue
    - http://www.adobe.com/support/securit...apsb09-09.html
    July 8, 2009 - "... Adobe recommends affected ColdFusion customers update their installation using the instructions below:
    NOTE: ColdFusion 8 customers who have not already done so should first update to ColdFusion 8.0.1*
    * http://www.adobe.com/support/coldfus...dates.html#cf8 ...
    Severity rating: Adobe categorizes this as a critical issue and recommends affected users patch their installations..."
    Revisions: July 9, 2009 - Bulletin updated with Acknowledgment and information on ColdFusion 8.0 hotfix
    (More detail and links at the first URL above.)

    - http://secunia.com/advisories/35747/2/
    Release Date: 2009-07-09
    Critical: Highly critical
    Impact: Exposure of system information, Exposure of sensitive information, System access
    Solution: Update to version 8.0.1 and apply hot fix...

    - http://blog.trendmicro.com/coldfusio...ss-compromise/
    July 8, 2009

    Last edited by AplusWebMaster; 2009-07-11 at 11:50. Reason: Added Secunia advisory, Trendmicro link...

  3. #23
    Adviser Team AplusWebMaster's Avatar

    0-day exploit in the wild - Adobe Flash player...

    FYI...

    - http://blogs.adobe.com/psirt/2009/07...r_and_fla.html
    July 21, 2009 - "Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."

    > http://isc.sans.org/diary.html?storyid=6847
    Last Updated: 2009-07-22 22:26:39 UTC ...(Version: 3) - "... the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well. And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal*)...
    UPDATE: At the moment there is a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate web sites to create a drive-by attack, as expected. It appears that the attackers created two different shellcodes as well, one for Firefox users (still have to confirm this) and the other for Internet Explorer users (this one is -confirmed- to work)."
    * http://preview.tinyurl.com/l3wg89
    File 34d6452000e1a9e0308702d082c897008a0481b0.EXE received on 2009.07.22 16:49:07 (UTC)
    Result: 7/41 (17.07%)

    - http://www.us-cert.gov/current/#adob...obat_and_flash

    - http://www.kb.cert.org/vuls/id/259425
    2009-07-22

    - http://blogs.technet.com/srd/archive...gy-part-2.aspx
    June 12, 2009
    > FixIt4Me - Enable DEP for Office
    > FixIt4Me - Enable DEP for IE


    - http://www.theregister.co.uk/2009/07...tacks_go_wild/
    22 July 2009

    Update on Adobe Reader, Acrobat and Flash Player Issue
    - http://blogs.adobe.com/psirt/2009/07...r_acrobat.html
    July 22, 2009 7:08 PM

    Last edited by AplusWebMaster; 2009-07-23 at 14:32.

  4. #24
    Adviser Team AplusWebMaster's Avatar

    FYI...

    - http://www.adobe.com/support/securit...apsa09-03.html
    July 22, 2009 - "... We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009..."

    - http://securitylabs.websense.com/con...erts/3449.aspx
    07.23.2009

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1862
    Last revised: 07/24/2009
    CVSS v2 Base Score: 9.3 (HIGH)

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2580
    Last revised: 07/24/2009
    CVSS v2 Base Score: 9.3 (HIGH)

    - http://www.securityfocus.com/bid/35759/info
    Updated: Jul 23 2009

    - http://bugs.adobe.com/jira/browse/FP-1265
    Created: 12/31/08

    - http://www.symantec.com/business/sec...512-99&tabid=2
    Discovered: July 22, 2009 - "...The Trojan arrives in a specially crafted .pdf file that exploits a vulnerability in Adobe Flash Player. When executed the Trojan drops the following files on the compromised computer:
    * %Temp%\SUCHOST.EXE (Trojan Horse)
    * %Temp%\TEMP.EXE (A non-malicious file.)
    Note: The SUCHOST.EXE file may open a back door that connects to the following domains:
    * http ://aop1.homelinux .com
    * http ://connectproxy.3322 .org
    * http ://csport.2288 .org ..." [DO NOT VISIT]

    Last edited by AplusWebMaster; 2009-07-28 at 19:21.
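
Added example (not part of the original posts or the quoted Symantec write-up): one way to sweep logs for the indicators quoted in post #24, the SUCHOST.EXE drop in %Temp% and the three back-door domains. The tab-separated log format, the machine names and the sample lines are constructed for illustration; TEMP.EXE is only reported alongside a stronger hit because the write-up calls it non-malicious.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators as quoted in the post (domains are left defanged in the source).
DEFANGED_C2 = [
    "http ://aop1.homelinux .com",
    "http ://connectproxy.3322 .org",
    "http ://csport.2288 .org",
]
DROPPER = "suchost.exe"    # SUCHOST.EXE in %Temp%: the Trojan
COMPANION = "temp.exe"     # TEMP.EXE in %Temp%: described as non-malicious

# Refang only in memory: drop the spaces, keep the lower-cased host name.
C2_HOSTS = {urlsplit(d.replace(" ", "")).hostname for d in DEFANGED_C2}


def is_c2(host):
    """True for a listed domain or any subdomain of it, not for look-alikes."""
    host = (host or "").rstrip(".").lower()
    return any(host == h or host.endswith("." + h) for h in C2_HOSTS)


def scan(lines):
    """Return {machine: sorted indicators} for machines with at least one strong hit.

    Assumed line format: timestamp<TAB>machine<TAB>event<TAB>value
    """
    strong, weak = {}, {}
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 4:
            continue                                  # skip malformed lines
        _ts, machine, event, value = fields
        if event == "http":
            dest = (urlsplit(value).hostname or "").rstrip(".")
            if is_c2(dest):
                strong.setdefault(machine, set()).add("c2:" + dest)
        elif event == "file_create":
            path = PureWindowsPath(value)
            if path.parent.name.lower() != "temp":
                continue                              # only files created in a Temp directory
            name = path.name.lower()
            if name == DROPPER:
                strong.setdefault(machine, set()).add("file:" + name)
            elif name == COMPANION:
                weak.setdefault(machine, set()).add("file:" + name)
    # The companion file counts only as supporting evidence next to a strong hit.
    return {m: sorted(hits | weak.get(m, set())) for m, hits in strong.items()}


def sample_log():
    """Constructed log lines; C2 hosts are taken from C2_HOSTS rather than typed out."""
    c2 = sorted(C2_HOSTS)
    tmp = r"C:\Documents and Settings\bob\Local Settings\Temp"
    rows = [
        ("2009-07-23T10:00:58Z", "WS-07", "file_create", tmp + r"\SUCHOST.EXE"),
        ("2009-07-23T10:00:58Z", "WS-07", "file_create", tmp + r"\TEMP.EXE"),
        ("2009-07-23T10:01:04Z", "WS-07", "http", "http://" + c2[1] + "/"),
        ("2009-07-23T10:02:11Z", "WS-09", "file_create", r"C:\WINDOWS\system32\svchost.exe"),
        ("2009-07-23T10:02:30Z", "WS-09", "http", "http://not" + c2[2] + "/index.html"),
        ("2009-07-23T10:03:00Z", "WS-11", "file_create", r"C:\Temp\TEMP.EXE"),
    ]
    return ["\t".join(r) for r in rows]


if __name__ == "__main__":
    for machine, hits in scan(sample_log()).items():
        print(machine, hits)
```

The legitimate svchost.exe, the look-alike domain and the lone TEMP.EXE in the sample are there to show what the sweep must not flag.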

  5. #25
    Adviser Team AplusWebMaster's Avatar

    0-day Flash Player info update...

    FYI...

    - http://www.adobe.com/support/securit...apsa09-04.html
    July 28, 2009 - "Adobe Flash Player 9.0.159.0 and 10.0.22.87, and earlier 9.x and 10.x versions installed on Windows operating systems for use with Internet Explorer leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This critical vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system.

    Note that this vulnerability is exclusive to Internet Explorer on Windows. Installations of Flash Player for Firefox or other web browsers on Windows are -not- vulnerable. We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows by July 30, 2009.

    Users should consider installing MS09-034*. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035**..."

    * http://www.microsoft.com/technet/sec.../ms09-034.mspx

    ** http://www.microsoft.com/technet/sec.../ms09-035.mspx

    - http://secunia.com/advisories/35948/2/
    Solution Status: Unpatched
    Software: Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
    Changelog: 2009-07-29: Added information about control having been built using a vulnerable version of ATL.

    Last edited by AplusWebMaster; 2009-07-29 at 16:36.

  6. #26
    Adviser Team AplusWebMaster's Avatar

    Adobe Shockwave v11.5.1.601 released

    FYI...

    Adobe Shockwave v11.5.1.601 released
    - http://www.adobe.com/support/securit...apsb09-11.html
    July 28, 2009 - "...Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ .
    Users who are unable to update to version 11.5.1.601 of Shockwave Player should consider installing MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Shockwave Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035... Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."

    Once again ...
    - http://voices.washingtonpost.com/sec..._for_adob.html
    "... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."

    - http://secunia.com/advisories/36049/2/
    Release Date: 2009-07-29
    Critical: Highly critical
    Impact: System access, Exposure of sensitive information, Security Bypass
    Where: From remote
    Solution Status: Vendor Patch
    Software: Shockwave Player 10.x, Shockwave Player 11.x, Shockwave Player 8.x, Shockwave Player 9.x
    Solution: Update to version 11.5.1.601.
    http://get.adobe.com/shockwave/
    Original Advisory:
    http://www.adobe.com/support/securit...apsb09-11.html ...

    - http://www.us-cert.gov/current/#adob...ware_player_11
    updated July 31, 2009

    Test site: http://www.adobe.com/shockwave/welcome/

    Last edited by AplusWebMaster; 2009-08-01 at 17:05. Reason: Added Secunia advisory, US-CERT links...

  7. #27
    Adviser Team AplusWebMaster's Avatar

    Flash Player v10.0.32.18 released

    FYI...

    Flash Player v10.0.32.18 released
    - http://get.adobe.com/flashplayer/
    July 30, 2009 - Browser: Firefox, Safari, Opera
    install_flash_player.exe

    - http://get.adobe.com/flashplayer/otherversions/
    July 30, 2009 - Internet Explorer
    install_flash_player_ax.exe

    Adobe Flash Player
    - http://www.adobe.com/support/securit...apsb09-10.html
    Release date: July 30, 2009
    CVE number: CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870
    "... Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2*... Adobe categorizes these as critical issues and recommends affected users patch their installations..."
    * http://get.adobe.com/air/
    Adobe AIR 1.5.2 Installer - Windows , English | 15.1 MB
    ___

    - http://www.adobe.com/support/securit...apsb09-10.html
    Revisions:
    July 31, 2009 - Bulletin updated with Adobe Reader and Acrobat updates, and correct Adobe Flash Player 9 download link.
    ... http://www.adobe.com/support/flashpl...loads.html#fp9
    ___

    - http://www.adobe.com/support/securit...apsb09-10.html
    Last revised: August 3, 2009 - "... Adobe recommends all users of Adobe Flash Player... upgrade to the newest version 10.0.32.18..."

    - http://secunia.com/advisories/35948/2/
    Last Update: 2009-08-10
    Critical: Highly critical
    Impact: Security Bypass, Exposure of sensitive information, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Adobe AIR 1.x, Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
    Solution: Update to Flash Player 9.0.246.0 or 10.0.32.18 and Adobe AIR version 1.5.2.
    Flash Player version 10.0.32.18: http://www.adobe.com/go/getflashplayer ...
    Adobe AIR version 1.5.2. http://get.adobe.com/air ...

    - http://www.adobe.com/support/securit...apsb09-11.html
    Release date: July 28, 2009 - "... Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ ..."

    - http://secunia.com/advisories/36049/2/
    Release Date: 2009-07-29
    Critical: Highly critical ...
    Solution: Update to version 11.5.1.601.
    http://get.adobe.com/shockwave/

    Test both here: http://www.adobe.com/shockwave/welcome/
    Last edited by AplusWebMaster; 2009-08-12 at 21:27.

  8. #28
    Adviser Team AplusWebMaster's Avatar

    Adobe Reader v9.1.3 - Acrobat v9.1.3 released

    FYI...

    Adobe Reader v9.1.3 - Acrobat v9.1.3 released
    - http://www.adobe.com/support/securit...apsa09-03.html
    Last Updated: July 31, 2009
    "...Adobe Reader
    Users who download the full 9.1 installer from http://get.adobe.com/reader/ will be offered the Adobe Reader 9.1.3 patch by the Adobe Updater technology on first launch. Users can also click "Help > Check for Updates" to be sure their installation is fully patched and up-to-date...
    Adobe Reader users on Windows can find the appropriate update here:
    http://www.adobe.com/support/downloa...atform=Windows.
    ... Adobe Reader 9.1.3 update - Multiple Languages | 1.6MB | 7/31/2009 ...
    Adobe Reader users on Macintosh can find the appropriate update here:
    http://www.adobe.com/support/downloa...form=Macintosh.
    Adobe Reader users on UNIX can find the appropriate update here:
    http://www.adobe.com/support/downloa...&platform=Unix.
    Acrobat
    Acrobat Standard and Pro users on Windows can find the appropriate update here:
    http://www.adobe.com/support/downloa...atform=Windows.
    ... Adobe Acrobat 9.1.3 Professional and Standard Update - Multiple Languages 1.6MB | 7/31/2009
    Acrobat Pro Extended users on Windows can find the appropriate update here:
    http://www.adobe.com/support/downloa...atform=Windows.
    Acrobat Pro users on Macintosh can find the appropriate update here:
    http://www.adobe.com/support/downloa...form=Macintosh.
    Severity rating
    Adobe categorizes these as critical issues and recommends affected users patch their installations..."


  9. #29
    Adviser Team AplusWebMaster's Avatar

    Adobe ColdFusion/JRun updated

    FYI...

    Adobe ColdFusion / JRun multiple vulns - updates available
    - http://secunia.com/advisories/36329/2/
    Release Date: 2009-08-18
    Critical: Moderately critical
    Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Adobe ColdFusion 8.x, Adobe ColdFusion MX 7.x, Macromedia Jrun 4.x ...
    Original Advisory: Adobe:
    http://www.adobe.com/support/securit...apsb09-12.html
    "... Adobe categorizes these as critical issues and recommends affected users patch their installations..."

    - http://www.us-cert.gov/current/index...for_coldfusion
    August 18, 2009

    - http://www.adobe.com/support/securit...apsb09-12.html
    August 21, 2009 - Bulletin updated with additional information regarding CVE-2009-1876.

    > http://download.macromedia.com/pub/c..._1872_1877.txt
    "ColdFusion... hotfix includes fixes for CVE-2009-1872, CVE-2009-1877..."
    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1872
    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1877

    > http://download.macromedia.com/pub/c...eadMe_1875.txt
    "ColdFusion... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1..."
    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1875

    > http://download.macromedia.com/pub/c...eadMe_1876.txt
    "ColdFusion... fix for CVE-2009-1876..."
    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1876

    > http://download.macromedia.com/pub/c...eadMe_1878.txt
    "... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1.."
    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1878

    > http://download.macromedia.com/pub/c..._1873_1874.txt
    "JRun... fixes for CVE-2009-1873, CVE-2009-1874..."
    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1873
    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1874

    Last edited by AplusWebMaster; 2009-08-22 at 04:33. Reason: Bulletin updated...

  10. #30
    Adviser Team AplusWebMaster's Avatar

    Flash cookie snoops...

    FYI...

    Sites pulling sneaky Flash cookie-snoop
    - http://www.theregister.co.uk/2009/08/19/flash_cookies/
    19 August 2009 - "Many websites are using Flash-based cookies to track users, but often omit to mention this in their privacy policies... Browser-based cookies constitute a well understood and widely deployed technology that poses serious questions about privacy, depending on its usage. What's far less well known is that Adobe Flash software also features cookies that can be used in much the same way as HTTP cookies. Flash cookies can be used for storing the volume level of a Flash video but the technology can also be used as "secondary, redundant unique identifiers that enable advertisers to circumvent user preferences and self-help"... researchers conclude that Flash cookies are more effective at tracking users' visits around websites than traditional HTTP cookies because they operate in the shadows and are infrequently removed. By default Flash cookies have no built-in expiration date. Browser-based actions such as deleting browser histories or switching to private mode does not affect the operation of Flash cookies..."

    - https://addons.mozilla.org/firefox/addon/6623
    Better privacy - "... Concerning privacy Flash- and DOM Storage objects are most critical. This addon was made to make users aware of those hidden, never expiring objects and to offer an easy way to get rid of them - since browsers are unable to do that for you. Flash-cookies (Local Shared Objects, LSO) are pieces of information placed on your computer by a Flash plugin. Those Super-Cookies are placed in central system folders and so protected from deletion..."

    > http://www.macromedia.com/support/do...manager07.html

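
Added example (not from the thread, The Register article or the BetterPrivacy add-on): an inventory of Flash Local Shared Objects by site and age, since the sources quoted in post #30 note that these objects have no expiry and survive browser clean-up. The #SharedObjects locations and the profile/site directory layout are not given on the page and are assumptions based on Flash Player's usual per-user storage; the sample tree and the .example sites are constructed.

```python
import os
import time
from pathlib import Path

DAY = 86400


def candidate_roots(env=os.environ, home=None):
    """Per-user #SharedObjects locations to check (assumed, not stated on the page)."""
    home = Path(home or Path.home())
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                      # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # Mac OS X
    ]
    if env.get("APPDATA"):                                                     # Windows
        roots.append(Path(env["APPDATA"]) / "Macromedia/Flash Player/#SharedObjects")
    return roots


def audit_lso(root, now=None):
    """Summarise .sol files under root as {site: (count, bytes, oldest_age_days)}.

    Assumed layout: <root>/<random profile dir>/<site>/[subdirs/]<name>.sol
    """
    now = time.time() if now is None else now
    report = {}
    for sol in Path(root).rglob("*.sol"):
        rel = sol.relative_to(root).parts
        if len(rel) < 3 or not sol.is_file():
            continue                       # not in <profile>/<site>/... form
        site = rel[1].lower()
        st = sol.stat()
        age = max(0, int((now - st.st_mtime) // DAY))
        count, size, oldest = report.get(site, (0, 0, 0))
        report[site] = (count + 1, size + st.st_size, max(oldest, age))
    return report


def build_sample_tree(base, now):
    """Constructed sample data: two sites, one object untouched for 400 days."""
    root = Path(base) / "#SharedObjects"
    files = {
        "AB12CD34/video.example/player/volume.sol": (20, 3),
        "AB12CD34/ads.example/uid.sol": (64, 400),
        "AB12CD34/ads.example/t/backup.sol": (64, 10),
        "stray.sol": (8, 1),               # outside the expected layout, ignored
    }
    for rel, (size, age_days) in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    for root in candidate_roots():
        if root.is_dir():
            for site, (n, size, age) in sorted(audit_lso(root).items()):
                print(f"{site}: {n} object(s), {size} bytes, oldest {age} days")
```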
