Adobe updates/advisories

Flash v11.3.300.268 released

FYI...

Flash v11.3.300.268 released
- http://forums.adobe.com/message/4582208#4582208
Jul 26, 2012 - "Flash Player 11.3.300.268 for Windows and Macintosh was released to address stability issues when browsing and playing Flash content. For full details on the 11.3 release, please see our release notes*..."
* http://www.adobe.com/support/documentation/en/flashplayer/releasenotes.html

Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/
2012.07.27
... The table below contains the latest Flash Player version information:
Windows:
Internet Explorer (and other browsers that support Internet Explorer ActiveX controls and plug-ins) 11.3.300.268
Firefox, Mozilla, Netscape, Opera (and other plugin-based browsers) 11.3.300.268
Macintosh:
OS X Firefox, Opera, Safari 11.3.300.268

:fear:
 
Last edited:
Flash v11.3.300.270 released

FYI...

Flash v11.3.300.270 released
- http://forums.adobe.com/message/4594596#4594596
Aug 2, 2012 - "... Flash Player 11.3.300.270 for Windows was released to address a crash that was occurring in the Adobe Flash Player Update Service (FlashPlayerUpdateService.exe). There are no other fixes or changes provided with this build. This release is available for Windows only, and affects the Active X and Plug-in installers, uninstaller, and msi's (available on the distribution page.) No other platforms are affected... Please be aware that this release is -not- available from the Product Download Center (get.adobe.com/flashplayer) which will continue to provide 11.3.300.268. We realize that this might cause confusion for some users. Due to the severity of this issue, we decided to make this build available immediately to help customers affected by this bug. Due to logistical issues and time constraints, we were unable to update the release on the Product Download Center. The next release of Flash Player will correct this disparity. Please note that unless you have been affected by the FlashPlayerUpdateService.exe crash, both 11.3.300.270 and 11.3.300.268 will be functionally identical. This release will be distributed using the following methods:
• Silent auto update - If enabled and functional, the silent auto update service will automatically install this build within 24 hours.
• Direct download - You can download the installers directly using the links below
IE:
- http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe
Plugin-based browsers:
- http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe
___

- https://blogs.adobe.com/psirt/2012/...ity-updates-for-adobe-reader-and-acrobat.html
August 9, 2012 - "... upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, August 14, 2012..."
> http://www.adobe.com/go/apsb12-16

Adobe warns of critical holes in Reader, Acrobat
- http://atlas.arbor.net/briefs/
Severity: High Severity
August 09, 2012
Adobe is releasing patches on August 14th to resolve security holes.
Analysis: ... keep these packages up-to-date with automatic update features and ensure updates are applied. Extra layers of hardening around software that integrates with the browser and email client is recommended as these are frequently attacked...

:fear:
 
Last edited:
Flash-Reader-Acrobat-Shockwave critical updates - 2012.08.14 ...

FYI...

> https://www.adobe.com/support/security/

Flash updates v11.3.300.271 / v11.2.202.238 released
- https://www.adobe.com/support/security/bulletins/apsb12-18.html
August 14, 2012
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1535 - 9.3 (HIGH)
Platform: Windows, Macintosh and Linux
Summary: Adobe has released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux. These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.271.
- Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
- Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79...

Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/

- https://secunia.com/advisories/50285/
Last Update: 2012-08-15
Criticality level: Extremely critical
Impact: System access
Where: From remote
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1535
... vulnerability is currently being actively exploited in targeted attacks via Word documents against the Windows version.
Solution: Update to version 11.3.300.271 for Windows, Mac, and Chrome or version 11.2.202.238 for Linux.
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb12-18.html
___

Adobe Shockwave v11.6.6.636 released
- https://www.adobe.com/support/security/bulletins/apsb12-17.html
August 14, 2012
CVE number: CVE-2012-2043, CVE-2012-2044, CVE-2012-2045, CVE-2012-2046, CVE-2012-2047
Platform: Windows and Macintosh
Summary:Adobe has released an update for Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system...
Solution: Adobe recommends users of Adobe Shockwave Player 11.6.5.635 and earlier versions update to the newest version 11.6.6.636, available here:
http://get.adobe.com/shockwave/ ...

- https://secunia.com/advisories/50283/
Release Date: 2012-08-14
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Update to version 11.6.6.636.
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb12-17.html
___

Adobe Reader/Acrobat X v10.1.4 released
- https://www.adobe.com/support/security/bulletins/apsb12-16.html
August 14, 2012
CVE numbers: CVE-2012-1525, CVE-2012-2049, CVE-2012-2050, CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160, CVE-2012-4161, CVE-2012-4162
[Adobe Reader/Acrobat 9.x -before- 9.5.2 and 10.x -before- 10.1.4 on Windows and Mac OS X]
Platform: Windows and Macintosh
Summary: Adobe has released security updates for Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:
Users of Adobe Reader X (10.1.3) and earlier versions for Windows and Macintosh should update to Adobe Reader X (10.1.4).
For users of Adobe Reader 9.5.1 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.4), Adobe has made available the update Adobe Reader 9.5.2.
Users of Adobe Acrobat X (10.1.3) for Windows and Macintosh should update to Adobe Acrobat X (10.1.4).
Users of Adobe Acrobat 9.5.1 and earlier versions for Windows and Macintosh should update to Adobe Acrobat 9.5.2...
Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Adobe Acrobat: Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh ...

- https://secunia.com/advisories/50281/
Last Update: 2012-08-15
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix ...
Software: Adobe Acrobat 9.x, X 10.x, Adobe Reader 9.x, X 10.x
Solution: Apply updates if available.
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb12-16.html

- https://secunia.com/advisories/50290/
Release Date: 2012-08-15
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe Acrobat 9.x, X 10.x, Adobe Reader 9.x, X 10.x
... vulnerabilities are caused due to unspecified errors. No further information is currently available. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
Solution: No official solution is currently available...
Original Advisory: http://j00ru.vexillium.org/?p=1175

>> http://h-online.com/-1668153
15 August 2012

:fear::fear::fear:
 
Last edited:
Flash v11.4.402.265 released

Win8 users vulnerable to active Flash exploits
- https://www.computerworld.com/s/art...s_8_users_vulnerable_to_active_Flash_exploits
Sep 08, 2012
___

- https://krebsonsecurity.com/2012/08/new-adobe-flash-player-update-fixes-5-flaws/
Aug. 21, 2012 - "For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild..."

Flash v11.4.402.265 released
- https://www.adobe.com/support/security/bulletins/apsb12-19.html
August 21, 2012
CVE number: CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168
Platform: All Platforms
Details: Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
Users of Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.4.402.265.
Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for Macintosh
Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.17.
Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.16.
Revisions: Aug 30, 2012 - Added information regarding CVE-2012-4171
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4171
08/31/2012

Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/
___

>> http://get.adobe.com/air/
Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2540.
Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2540 SDK.
Users of the Adobe AIR 3.3.0.3650 and earlier versions for Android should update to the Adobe AIR 3.4.0.2540.

> These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-4167).
These updates resolve a cross-domain information leak vulnerability (CVE-2012-4168)...

- https://www.adobe.com/support/security/severity_ratings.html
"Priority 1: This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for instance, within 72 hours)."
___

- https://secunia.com/advisories/50354/
Release Date: 2012-08-22
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Software: Adobe AIR 3.x, Adobe Flash Player 11.x ...
Solution: Update to a fixed version.
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb12-19.html

- http://www.securitytracker.com/id/1027422
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4163 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4164 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4165 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4166 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4167 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4168 - 4.3
Aug 22 2012
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): 11.3.300.271 and prior
Solution: The vendor has issued a fix (11.4.402.265 for Windows and OS X; 11.2.202.238 for Linux; 11.1.111.16 for Android 2.x and 3.x; 11.1.115.17 for Android 4.x)...

:fear::fear:
 
Last edited:
ColdFusion DoS vuln/hotfix

FYI...

ColdFusion DoS vuln/hotfix
- https://secunia.com/advisories/50523/
Release Date: 2012-09-11
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Software: Adobe ColdFusion 10.x, 8.x, 9.x
CVE Reference: CVE-2012-2048
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb12-21.html
Summary: Adobe has released a security hotfix for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX. This update resolves a vulnerability which could result in a Denial of Service condition. Adobe recommends users update their product installation using the instructions provided in the "Solution" section below.
Affected software versions: ColdFusion 10, 9.0.2, 9.0.1, 9.0, 8.0.1, and 8.0 for Windows, Macintosh and UNIX
Solution: Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote:
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html .
___

- http://www.securitytracker.com/id/1027516
Sep 11 2012

:fear:
 
Adobe revocation of code signing certificate

FYI...

Adobe revocation of code signing certificate
- https://www.adobe.com/support/security/advisories/apsa12-01.html
Sep 27, 2012 - "Summary: Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe plans to revoke the certificate on October 4 for all software code signed after July 10, 2012. Adobe is in the process of issuing updates signed using a new digital certificate for all affected products...
Affected software versions: The vast majority of Adobe customers will not be impacted by this issue. However, some customers, in particular administrators in managed Windows environments, may need to take certain action. To determine whether you or your organization are impacted, please refer to the support page on the Adobe website*...
* http://helpx.adobe.com/x-productkb/global/certificate-updates.html

- http://nakedsecurity.sophos.com/201...after-hackers-compromise-server-sign-malware/
Sep 28, 2012 - "... the issue appears to have been the result of hackers compromising a vulnerable build server. Malware seen using the digital signature includes pwdump7 v 7.1 (a utility that scoops up password hashes, and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll). According to Adobe, the second malicious utility is myGeeksmail.dll, a malicious ISAPI filter..."

- https://isc.sans.edu/diary.html?storyid=14194
Last Updated: 2012-09-28

- http://h-online.com/-1719955
28 Sep 2012

:fear:
 
Last edited:
Adobe revokes certificate ...

FYI...

Adobe revokes certificate ...
- https://www.adobe.com/support/security/advisories/apsa12-01.html
Last updated: Oct 4, 2012 - "... Adobe has revoked the certificate on October 4 for all software code signed after July 10, 2012 (00:00 GMT). Adobe has issued updates signed using a new digital certificate for all affected products. The following certificate has been revoked and the certificate revocation list (CRL) is available at:
http://csc3-2010-crl.verisign.com/CSC3-2010.crl ..."
___

Adobe Cert Used to Sign Malware ...
- http://atlas.arbor.net/briefs/index#666340356
Oct 05, 2012

- https://blogs.technet.com/b/mmpc/ar...code-signing-certificate.aspx?Redirected=true
3 Oct 2012

:fear:
 
Last edited:
Flash v11.4.402.287 - AIR v3.4.0.2710 released

FYI...

Flash v11.4.402.287 / AIR v3.4.0.2710 released
- https://www.adobe.com/support/security/bulletins/apsb12-22.html
Oct 8, 2012
CVE numbers: CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 11.4.402.278 and earlier versions for Windows, Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh, Adobe Flash Player 11.2.202.238 and earlier for versions for Linux, Adobe Flash Player 11.1.115.17 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:
• Users of Adobe Flash Player 11.4.402.278 and earlier versions for Windows and Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh should update to Adobe Flash Player 11.4.402.287.
• Users of Adobe Flash Player 11.2.202.238 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.243.
• Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.4.31.110 for Windows and Linux, and Flash Player 11.4.402.287 for Macintosh.
• Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version*, which will include Adobe Flash Player 11.3.375.10 for Windows.
• Users of Adobe Flash Player 11.1.115.17 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.20.
• Users of Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.19.
• Users of Adobe AIR 3.4.0.2540 for Windows and Macintosh should update to Adobe AIR 3.4.0.2710.
• Users of the Adobe AIR 3.4.0.2540 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2710 SDK.
• Users of the Adobe AIR 3.4.0.2540 and earlier versions for Android should update to the Adobe AIR 3.4.0.2710...
These updates address critical vulnerabilities in the software...

Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/

- https://www.us-cert.gov/current/#adobe_releases_security_bulletin_for15
Oct 10, 2012 - Flash v11.4.402.287 released...
___

>> http://get.adobe.com/air/
___

Microsoft Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
* https://technet.microsoft.com/en-us/security/advisory/2755801
Updated: Oct 08, 2012 - "... Microsoft recommends that customers apply the current update -immediately- using update management software, or by checking for updates using the Microsoft Update service. Since the update is cumulative, only the current update will be offered..."
• V2.0 (October 8, 2012): Added KB2758994** to the Current update section.
** http://support.microsoft.com/kb/2758994
___

- https://secunia.com/advisories/50876/
Release Date: 2012-10-09
Criticality level: Highly critical
Impact: System access
Where: From remote...
Solution: Update to a fixed version.
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb12-22.html

:fear::fear:
 
Last edited:
Shockwave v11.6.8.638 released

FYI...

Shockwave v11.6.8.638 released
- https://www.adobe.com/support/security/bulletins/apsb12-23.html
Oct 23, 2012
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4172 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4173 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4174 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4175 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4176 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5273 - 10.0 (HIGH)
Platform: Windows and Macintosh
Summary: Adobe has released a security update for Adobe Shockwave Player 11.6.7.637 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.7.637 and earlier versions update to Adobe Shockwave Player 11.6.8.638...
... newest version 11.6.8.638, available here: http://get.adobe.com/shockwave/
... This update addresses critical vulnerabilities in the software...

- https://secunia.com/advisories/51090/
Release Date: 2012-10-24
Criticality level: Highly critical
Impact: System access
Where: From remote
... vulnerabilities are reported in versions 11.6.7.637 and prior for Windows and Macintosh.
Solution: Update to version 11.6.8.638.

:fear:
 
Last edited:
Flash v11.5.502.110 released

FYI...

Flash v11.5.502.110 released
- https://www.adobe.com/support/security/bulletins/apsb12-24.html
Nov 6, 2012
CVE number:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5274 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5275 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5276 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5277 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5278 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5279 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5280 - 10.0 (HIGH)
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.110.
- Users of Adobe Flash Player 11.2.202.243 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.251.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.2 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.376.12 for Windows.
- Users of Adobe Flash Player 11.1.115.20 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.27.
- Users of Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.24.
- Users of Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (including AIR for iOS) and Android should update to Adobe AIR 3.5.0.600...
These updates address -critical- vulnerabilities in the software...

Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/

>> http://get.adobe.com/air/

> http://helpx.adobe.com/flash-player/release-note/fp_115_air_35_release_notes.html
___

- https://secunia.com/advisories/51213/
Release Date: 2012-11-07
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
... exploitation of the vulnerabilities may allow execution of arbitrary code...
Solution: Update to a fixed version.
Original Advisory: Adobe (APSB12-24):
http://www.adobe.com/support/security/bulletins/apsb12-24.html

:fear::fear:
 
Last edited:
ColdFusion 10 Hotfix available for Windows

FYI...

ColdFusion 10 Hotfix available for Windows
- https://www.adobe.com/support/security/bulletins/apsb12-25.html
November 19, 2012
CVE number: CVE-2012-5674
Platform: Windows
Summary: Adobe has released a security hotfix for ColdFusion 10 Update 1 and above for Windows. This hotfix resolves a vulnerability affecting ColdFusion on Windows Internet Information Services (IIS), which could result in a Denial of Service condition. Adobe recommends users update their product installation using the instructions provided in the "Solution" section below.
Affected software versions: ColdFusion 10 Update 1 and above for Windows
Solution: Adobe recommends customers update their installation of ColdFusion 10 Update 1 and above for Windows to ColdFusion 10 Update 5 using the instructions provided in the technote:
> http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-25.html
___

- https://secunia.com/advisories/51335/
Release Date: 2012-11-20
Criticality level: Moderately critical
Impact: DoS
Where: From remote
CVE Reference: CVE-2012-5674
... vulnerability is reported in version 10 update 1 and higher.
Solution: Update to version 10 update 5...

:fear:
 
Last edited:
Flash Player v11.5.502.135 released

FYI...

Flash Player v11.5.502.135 released
- https://www.adobe.com/support/security/bulletins/apsb12-27.html
Dec 11, 2012
CVE number: CVE-2012-5676, CVE-2012-5677, CVE-2012-5678
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.251 and earlier versions for Linux, Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.110 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.135.
- Users of Adobe Flash Player 11.5.502.110 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.136.
- Users of Adobe Flash Player 11.2.202.251 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.258.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.5 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.377.15.
- Users of Adobe Flash Player 11.1.115.27 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.34.
- Users of Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.29.

- Users of Adobe AIR 3.5.0.600 and earlier versions for Windows should update to Adobe AIR 3.5.0.880.
- Users of Adobe AIR 3.5.0.600 and earlier versions for Macintosh should update to Adobe AIR 3.5.0.890.
- Users of the Adobe AIR 3.5.0.600 SDK (includes AIR for iOS) should update to the Adobe AIR 3.5.0.880 SDK (Windows) or Adobe AIR 3.5.0.890 SDK (Mac)...
- http://get.adobe.com/air/

Flash Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/

- https://secunia.com/advisories/51560/
Release Date: 2012-12-12
Criticality level: Highly critical
Impact: System access
Where: From remote...
___

ColdFusion 10 and earlier - Hotfix available
- https://www.adobe.com/support/security/bulletins/apsb12-26.html
December 11, 2012
CVE number: CVE 2012-5675
Platform: All Platforms
Summary: Adobe has released a security hotfix for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX. This hotfix resolves a vulnerability which could result in a sandbox permissions violation in a shared hosting environment...
Affected software versions:
ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX
Solution:
Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote:
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-26.html .

- https://secunia.com/advisories/51551/
Release Date: 2012-12-12
Criticality level: Moderately critical
Impact: Security Bypass
Where: From remote...

:fear:
 
Last edited:
Adobe ColdFusion - multiple vulns ...

FYI...

Adobe ColdFusion - multiple vulns ...
- https://www.adobe.com/support/security/advisories/apsa13-01.html
January 4, 2013
CVE number: CVE-2013-0625, CVE-2013-0629, CVE-2013-0631
Platform: All
Summary: Adobe has identified three vulnerabilities affecting ColdFusion for Windows, Macintosh and UNIX:
CVE-2013-0625 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.
CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.
There are reports that these vulnerabilities are being exploited in the wild against ColdFusion customers. Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled or have no password set. We are in the process of finalizing a fix for the issues and expect a hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX will be available on January 15, 2013..."
___

Adobe Reader/Acrobat prenotification for Jan 2013
- https://www.adobe.com/support/security/bulletins/apsb13-02.html
Jan 3, 2013 - "Adobe is planning to release security updates on Tuesday, January 8, 2013 for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux..."

:fear::fear:
 
Flash v11.5.502.146, Reader/Acrobat v11.0.1 released

FYI...

Flash Player v11.5.502.146 released
- https://www.adobe.com/support/security/bulletins/apsb13-01.html
Jan 8, 2013
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0630 - 10.0 (HIGH)
Summary: Adobe has released security updates for Adobe Flash Player 11.5.502.135 and earlier versions for Windows, Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh, Adobe Flash Player 11.2.202.258 and earlier versions for Linux, Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x. These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.135 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.146.
- Users of Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.146.
- Users of Adobe Flash Player 11.2.202.258 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.261.
Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.137 for Windows, Macintosh and Linux.
Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.378.5 for Windows: https://support.microsoft.com/kb/2796096
- Users of Adobe Flash Player 11.1.115.34 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.36.
- Users of Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.31.
- Users of Adobe AIR 3.5.0.880 and earlier versions for Windows should update to Adobe AIR 3.5.0.1060.
- Users of Adobe AIR 3.5.0.890 and earlier versions for Macintosh should update to Adobe AIR 3.5.0.1060.
- Users of the Adobe AIR SDK (includes AIR for iOS) should update to the Adobe AIR 3.5.0.1060 SDK...

Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/

>> http://get.adobe.com/air/
___

- https://secunia.com/advisories/51771/
Release Date: 2013-01-08
Criticality level: Highly critical
Impact: System access
Where: From remote...
CVE Reference: CVE-2013-0630
Solution: Update to a fixed version...
___

Adobe Reader/Acrobat v11.0.1 released
- https://www.adobe.com/support/security/bulletins/apsb13-02.html
Jan 8, 2013
CVE numbers: CVE-2013-0601, CVE-2013-0602, CVE-2013-0603, CVE-2013-0604, CVE-2013-0605, CVE-2013-0606, CVE-2013-0607, CVE-2013-0608, CVE-2013-0609, CVE-2013-0610, CVE-2013-0611, CVE-2013-0612, CVE-2013-0613, CVE-2013-0614, CVE-2013-0615, CVE-2013-0616, CVE-2013-0617, CVE-2013-0618, CVE-2013-0619, CVE-2013-0620, CVE-2013-0621, CVE-2013-0622, CVE-2013-0623, CVE-2013-0624, CVE-2013-0626, CVE-2013-0627
Platform: All
Summary: Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Reader XI (11.0.0) for Windows and Macintosh should update to Adobe Reader XI (11.0.1).
- For users of Adobe Reader X (10.1.4) and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.1), Adobe has made available the update Adobe Reader X (10.1.5).
- For users of Adobe Reader 9.5.2 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.1), Adobe has made available the update Adobe Reader 9.5.3.
- Users of Adobe Reader 9.5.1 and earlier versions for Linux should update to Adobe Reader 9.5.3.
- Users of Adobe Acrobat XI (11.0.0) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.1).
- Users of Adobe Acrobat X (10.1.4) and earlier versions for Windows and Macintosh should update to Adobe Acrobat X (10.1.5).
- Users of Adobe Acrobat 9.5.2 and earlier versions for Windows and Macintosh should update to Adobe Acrobat 9.5.3...
Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism...
Adobe Acrobat: Users can utilize the product's update mechanism...
___

- http://www.securitytracker.com/id/1027952
CVE Reference: CVE-2013-0601, CVE-2013-0602, CVE-2013-0603, CVE-2013-0604, CVE-2013-0605, CVE-2013-0606, CVE-2013-0607, CVE-2013-0608, CVE-2013-0609, CVE-2013-0610, CVE-2013-0611, CVE-2013-0612, CVE-2013-0613, CVE-2013-0614, CVE-2013-0615, CVE-2013-0616, CVE-2013-0617, CVE-2013-0618, CVE-2013-0619, CVE-2013-0620, CVE-2013-0621, CVE-2013-0622, CVE-2013-0623, CVE-2013-0624, CVE-2013-0626, CVE-2013-0627
Jan 8 2013
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 9.5.2, 10.1.4, 11.0.0; and prior versions
Solution: The vendor has issued a fix (9.5.3, 10.1.5 for Windows/Mac, 11.0.1 for Windows/Mac).
... advisory is available at:
- http://www.adobe.com/support/security/bulletins/apsb13-02.html

:fear::fear:
 
Last edited:
ColdFusion hotfix released

FYI...

ColdFusion hotfix released
- https://www.adobe.com/support/security/advisories/apsa13-01.html
Last updated: January 16, 2013
CVE number: CVE-2013-0625, CVE-2013-0629, CVE-2013-0631, CVE-2013-0632
Platform: All
Summary: Adobe has identified four vulnerabilities affecting ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX:
• CVE-2013-0625 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
• CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.
• CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.
• CVE-2013-0632 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
There are reports that these vulnerabilities are being exploited in the wild against ColdFusion customers.
Adobe has released a security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX. Adobe recommends users update their product installation using the instructions provided in the "Solution" section of Security Bulletin APSB13-03*..."
* https://www.adobe.com/support/security/bulletins/apsb13-03.html
>> http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html

January 16, 2013 - Advisory revised to correct the versions of ColdFusion vulnerable to CVE-2013-0625.

:fear::fear:
 
Last edited:
Flash v11.5.502.149 released

FYI...

Flash v11.5.502.149 released
- https://www.adobe.com/support/security/bulletins/apsb13-04.html
Feb 7, 2013
CVE number:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0633 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0634 - 9.3 (HIGH)
Platform: All Platforms
Summary: Adobe has released security updates... These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.
Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.149.
- Users of Adobe Flash Player 11.2.202.261 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.262.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.139 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.3.379.14 for Windows...
- Users of Adobe Flash Player 11.1.115.36 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.37.
- Users of Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.32.

Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/

- https://blogs.adobe.com/psirt/2013/...ailable-for-adobe-flash-player-apsb13-04.html

- https://secunia.com/advisories/52116/
Release Date: 2013-02-08
Criticality level: Extremely critical
Impact: System access
Where: From remote
CVE Reference(s): CVE-2013-0633, CVE-2013-0634
... vulnerability is currently being actively exploited in targeted attacks against the Macintosh and Windows versions...
Solution: Update to a fixed version.
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb13-04.html
___

MS Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/security/advisory/2755801
"... updates are available from... Windows Update..."
V7.0 (February 7, 2013): Added KB2811522* to the Current update section.
* http://support.microsoft.com/kb/2811522

:fear::fear:
 
Last edited:
Flash v11.6.602.168, Shockware v12.0.0.112 released

FYI...

Flash Player v11.6.602.168 released
- https://www.adobe.com/support/security/bulletins/apsb13-05.html
February 12, 2013
CVE number: CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637
https://web.nvd.nist.gov/view/vuln/...CVE-2013-0637&search_type=last3months&cves=on
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.262 and earlier versions for Linux, Adobe Flash Player 11.1.115.37 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.149 and earlier versions for Windows should update to Adobe Flash Player 11.6.602.168.
- Users of Adobe Flash Player 11.5.502.149 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.167.
- Users of Adobe Flash Player 11.2.202.262 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.270.
- Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.167 for Windows, Macintosh and Linux.
- Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.6.602.167 for Windows.
- Users of Adobe Flash Player 11.1.115.37 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.47.
- Users of Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.43.
- Users of Adobe AIR 3.5.0.1060 and earlier versions should update to Adobe AIR 3.6.0.597.
- Users of the Adobe AIR 3.5.0.1060 SDK (including AIR for iOS) and earlier should update to the new Adobe AIR 3.6.0.599 SDK + Compiler...

- https://www.adobe.com/support/security/bulletins/apsb13-05.html#Ratings
Product Updated version Platform Priority rating
Adobe Flash Player 11.6.602.168 Windows 1

Flash Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://www.adobe.com/software/flash/about/

>> http://get.adobe.com/air/
___

MS Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/security/advisory/2755801
"... updates are available from... Windows Update..."
V8.0 (February 12, 2013): Added KB2805940 to the Current update section.
* http://support.microsoft.com/kb/2805940
___

Shockwave Player v12.0.0.112 released
- https://www.adobe.com/support/security/bulletins/apsb13-06.html
February 12, 2013
CVE number: CVE-2013-0635, CVE-2013-0636
Platform: Windows and Macintosh
Summary: Adobe has released a security update for Adobe Shockwave Player 11.6.8.638 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.8.638 and earlier versions update to Adobe Shockwave Player 12.0.0.112...

>> http://get.adobe.com/shockwave/

.
 
Last edited:
Adobe 0-day Reader/Acrobat exploit in-the-wild

FYI...

Adobe 0-day Reader/Acrobat exploit in-the-wild
- https://blogs.adobe.com/psirt/2013/02/adobe-reader-and-acrobat-vulnerability-report.html
Feb 12, 2013 10:45 PM - "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog* for the latest information."
* http://blogs.adobe.com/psirt/

- https://secunia.com/advisories/52196/
Release Date: 2013-02-14
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution: No official solution is currently available.
... Reported as a 0-day.
Original Advisory:
- https://www.adobe.com/support/security/advisories/apsa13-02.html
Last updated: Feb 16, 2013
CVE number: CVE-2013-0640, CVE-2013-0641
"... Mitigations: Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View. To enable this setting, choose the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu. Enterprise administrators can protect Windows users across their organization by enabling Protected View in the registry and propagating that setting via GPO or any other method. Further information about enabling Protected View for the enterprise is available here:
> https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/protectedview.html
... Adobe is in the process of working on fixes for these issues and plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of February 18, 2013..."

- http://arstechnica.com/security/201...-critical-zero-day-exploit-not-on-by-default/
Feb 14, 2013 - "... the "protected view" feature prevents the current attacks from working — but only if it's manually enabled. To turn it on, access Preferences > Security (Enhanced) and then check the "Files from potentially unsafe locations," or even the "All files" option. Then click OK.
There's also a way for administrators to enable protected view on Windows machines across their organization... It's unclear why protected view isn't turned on by default..."

>> http://www.f-secure.com/weblog/archives/AdobeReader11PreferencesProtectedView.png

- http://blog.fireeye.com/research/2013/02/in-turn-its-pdf-time.html
Feb 13, 2013 - "... we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1. Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain... we have been working with Adobe and have jointly agreed to refrain from posting the technical details of the zero-day at this time. This post was intended to serve as a warning to the general public..."

- http://www.f-secure.com/weblog/archives/00002500.html
Feb 13, 2013 - "... Consider mitigating your Adobe Reader usage until there's an update from Adobe..."

- http://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-vulnerability-hits-adobe-reader/
Feb 13, 2013 - "... Java, Internet Explorer, Adobe Flash Player, and now, Adobe Reader – just two months into 2013, we have already witnessed high-profile cases in which attackers used zero-day exploits to execute their schemes... To prevent this attack, we highly discourage users from opening unknown .PDF files or those acquired from unverified sources..."
___

ThreatCon is currently at Level 2: Elevated.
- https://www.symantec.com/security_response/threatconlearn.jsp
"... On February 7, 2013, Adobe released a patch for Adobe Flash Player. This release addresses CVE-2013-0633 (BID 57788) and CVE-2013-0634 (BID 57787), which are being actively exploited in the wild, distributed through malicious Word documents...
[superseded by APSB13-05: https://www.adobe.com/support/security/bulletins/apsb13-05.html
... Adobe Flash Player 11.6.602.168... February 12, 2013
CVE number: CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637
https://web.nvd.nist.gov/view/vuln/...CVE-2013-0637&search_type=last3months&cves=on ...]"

:sad: :fear:
 
Last edited:
Adobe Reader/Acrobat 11.0.02 released ...

FYI...

Adobe Reader/Acrobat 11.0.02 released
- https://www.adobe.com/support/security/bulletins/apsb13-07.html
February 20, 2013
CVE number:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641 - 9.3 (HIGH)
Platform: All Platforms
"... Adobe recommends users update their product installations to the latest versions:
• Users of Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Reader XI (11.0.02).
• For users of Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader X (10.1.6).
• For users of Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader 9.5.4.
• Users of Adobe Reader 9.5.3 and earlier 9.x versions for Linux should update to Adobe Reader 9.5.4.
• Users of Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.02).
• Users of Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh should update to Adobe Acrobat X (10.1.6).
• Users of Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh should update to Adobe Acrobat 9.5.4...
Adobe recommends users update their software installations by following the instructions below:
Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates.
Adobe Reader users on Windows can also find the appropriate update here:
- http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
Adobe Reader users on Macintosh can also find the appropriate update here:
- http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Adobe Reader users on Linux can find the appropriate update here:
- ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/
Adobe Acrobat: Users can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates.
Acrobat Standard, Pro and Pro Extended users on Windows can also find the appropriate update here:
- http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat Pro users on Macintosh can also find the appropriate update here:
- http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh ..."

New Downloads:
- https://www.adobe.com/support/downloads/new.jsp

:fear:
 
Last edited:
Flash 11.6.602.171 released

FYI...

Flash 11.6.602.171 released
- https://www.adobe.com/support/security/bulletins/apsb13-08.html
Feb 26, 2013
CVE number:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0504 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0643 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0648 - 9.3 (HIGH)
Platform: All platforms
Adobe has released security updates for Adobe Flash Player 11.6.602.168 and earlier versions for Windows, Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, and Adobe Flash Player 11.2.202.270 and earlier versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Summary: Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171.
- Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.273.
- Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux.
- Adobe Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.6.602.171 for Windows...

Flash Download:
> https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site: http://helpx.adobe.com/flash-player...lash_Player_version_installed_on_your_machine
___

MS Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/security/advisory/2755801
"... updates are available from... Windows Update..."
Affected Software: Windows 8, Windows Server 2012, Windows RT
V9.0 (February 26, 2013): Added KB2819372 to the Current Update section.
___

- https://secunia.com/advisories/52374/
Release Date: 2013-02-27
Criticality level: Extremely critical
Impact: Security Bypass, System access
Where: From remote...
Solution: Update to a fixed version.
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb13-08.html
___

-Fake- Adobe Flash update page
- https://www.symantec.com/connect/sites/default/files/images/Figure1_6.png
Feb 27, 2013

- http://www.symantec.com/connect/blo...date-installs-ransomware-performs-click-fraud
Feb 27, 2013 - "... To ensure that you do not become a victim in the first place, please ensure that your antivirus definitions are constantly updated and that your software packages are also regularly updated. Do not download updates from third-party sites and always double check the URL of the download that is being offered."

:fear:
 
Last edited:
You must log in or register to reply here.
Back
Top