Old Adobe updates/advisories

Flash Player v10.1.85.3 released...

FYI...

Adobe Flash Player v10.1.85.3 released
- http://www.adobe.com/support/security/bulletins/apsb10-22.html
Sep. 20, 2010 - "A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh... Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.85.3, and users of Adobe Flash Player 10.1.92.10 for Android update to Adobe Flash Player 10.1.95.1... Users of Flash Player for Android version 10.1.92.10 and earlier can update to Flash Player version 10.1.95.1 by browsing to the Android Marketplace on an Android phone. For users who cannot update to Flash Player 10.1.85.3, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.283, which can be downloaded here*..."
* http://www.adobe.com/go/kb406791

- http://get.adobe.com/flashplayer/
___

Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,1,85,3 installed"
___

- http://secunia.com/advisories/41434/
Last updated 2010-09-21
Criticality level: Extremely critical
Solution: Update to version 9.0.283 or 10.1.85.3...

:fear:
 
Adobe Reader/Acrobat v9.4 update available

FYI...

Adobe Reader/Acrobat v9.4 update available
- http://www.adobe.com/support/security/bulletins/apsb10-21.html
October 5, 2010 - "Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier versions) for Windows and Macintosh... Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.) Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5... Adobe Reader Users on Windows and Macintosh can utilize the product's update mechanism..."
CVE Numbers: CVE-2010-2883, CVE-2010-2884, CVE-2010-2887, CVE-2010-2888, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623, CVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631, CVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658
"... Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5..."

- http://www.adobe.com/support/downloads/new.jsp
10/5/2010

- http://secunia.com/advisories/41340/
Last Update: 2010-10-06
Criticality level: Extremely critical
Impact: System access ...
"... NOTE: The vulnerability is currently being actively exploited..."
Solution: Update to version 8.2.5 and 9.4...

- http://www.securitytracker.com/id?1024511
Oct 6 2010

:fear:
 
Shockwave Player vuln - unpatched

FYI...

Shockwave v11.5.9.615 released
- http://forums.spybot.info/showpost.php?p=387189&postcount=15
___

Shockwave Player vuln - unpatched
- http://secunia.com/advisories/41932/
Release Date: 2010-10-22
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
The vulnerability is confirmed in version 11.5.8.612...
Solution: Do not visit untrusted websites*...
Original Advisory: Adobe:
http://www.adobe.com/support/security/advisories/apsa10-04.html
Last updated: October 27, 2010 - "... As of October 27, Adobe is aware of reports of this vulnerability being exploited in the wild... We are in the process of finalizing a fix for the issue and expect to provide an update for Shockwave Player on October 28, 2010..."
http://blogs.adobe.com/psirt/2010/10/security-advisory-for-adobe-shockwave-player-apsa10-04.html
"... vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3653
Last revised: 10/27/2010
CVSS v2 Base Score: 9.3 (HIGH)

* -and/or- UNINSTALL Shockwave Player. You can live without it.

:fear::fear:
 
Adobe Flash... 0-day... unpatched

FYI...

Adobe Flash... 0-day... unpatched
* http://www.adobe.com/support/security/advisories/apsa10-05.html
Release date: October 28, 2010
CVE number: CVE-2010-3654
"A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player. We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux, and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010..."

- http://secunia.com/advisories/41917/
Last Update: 2010-10-29
Criticality level: Extremely critical
NOTE: The vulnerability is currently being actively exploited...
... Adobe plans to release a fixed version on November 9, 2010.
... Reported as a 0-day.
Original Advisory: Adobe APSA10-05*

Adobe Reader/Acrobat ...
- http://secunia.com/advisories/42030/
...Adobe plans to release a fixed version on November 15, 2010.
Original Advisory: Adobe APSA10-05*

Chrome ...
- http://secunia.com/advisories/42031/

- http://www.theregister.co.uk/2010/10/28/adobe_reader_critical_vuln/
28 October 2010
- http://www.virustotal.com/file-scan...8fdcce922ef025302cbca7679a5eae772a-1288229160
File name: nsunday.exe
Submission date: 2010-10-28
Result: 15/42 (35.7%)
There is a more up-to-date report (27/43) for this file...
- http://www.virustotal.com/file-scan...8fdcce922ef025302cbca7679a5eae772a-1288324712
File name: 9F0CEFE847174185030A1F027B3813EC
Submission date: 2010-10-29
Result: 27/43 (62.8%)
___

- http://isc.sans.edu/diary.html?storyid=9835
Last Updated: 2010-10-28 21:51:01 UTC - "... mitigation measures recommended by adobe:
Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.
The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
Adobe Reader 9.x - UNIX
1) Go to installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0."
More information at
- http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html ..."
___

- http://www.kb.cert.org/vuls/id/298081
2010-10-28 - "... consider the following workarounds: Disable Flash..."

ThreatCon... Elevated.
- http://www.symantec.com/security_response/threatconlearn.jsp
Oct. 29, 2010 - "... Adobe Flash Player, Adobe Reader, and Acrobat... vulnerability... being actively exploited in the wild..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Last revised: 10/29/2010

:fear::fear::fear:
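
The authplay mitigation quoted from the ISC diary in the post above, as an added example that is not part of the original post or of Adobe's advisory: a Python sketch that looks for the component at the locations quoted there and renames it so the reader cannot load it. The function names, the `.disabled` suffix and the `.app` package name in the constructed test tree are assumptions.

```python
"""Find and disable the authplay component named in the quoted mitigation.

Added example. The relative paths come from the mitigation text on this
page; function names and the ".disabled" suffix are assumptions.
"""
import tempfile
from pathlib import Path

# Locations relative to a search root. The root is e.g. the Adobe folder
# under Program Files, /Applications, or the UNIX install directory.
AUTHPLAY_PATTERNS = [
    "Reader 9.0/Reader/authplay.dll",                                # Reader, Windows
    "Acrobat 9.0/Acrobat/authplay.dll",                              # Acrobat, Windows
    "Adobe Reader 9/*/Contents/Frameworks/AuthPlayLib.bundle",       # Reader, Mac
    "Adobe Acrobat 9 Pro/*/Contents/Frameworks/AuthPlayLib.bundle",  # Acrobat, Mac
    "Reader9/Reader/intellinux/lib/libauthplay.so.0.0.0",            # Reader, Linux
    "Reader9/Reader/intelsolaris/lib/libauthplay.so.0.0.0",          # Reader, Solaris
]
SUFFIX = ".disabled"  # assumption: any name the application will not load


def find_authplay(root):
    """Return every authplay component still loadable under root, sorted."""
    root = Path(root)
    hits = []
    for pattern in AUTHPLAY_PATTERNS:
        hits.extend(root.glob(pattern))
    return sorted(hits)


def disable_authplay(root, dry_run=False):
    """Rename each component found so the reader can no longer load it.

    Returns (original, renamed) pairs. Renaming keeps the change reversible.
    If the renamed target already exists (for instance a repair install put
    a live copy back), nothing is overwritten and the pair is (original,
    None) so the live copy is reported instead of silently ignored.
    """
    actions = []
    for path in find_authplay(root):
        target = path.with_name(path.name + SUFFIX)
        if target.exists():
            actions.append((path, None))
            continue
        if not dry_run:
            path.rename(target)
        actions.append((path, target))
    return actions


def restore_authplay(root):
    """Undo disable_authplay; returns the restored paths, sorted."""
    restored = []
    for pattern in AUTHPLAY_PATTERNS:
        # list() so renaming does not disturb the directory scan
        for disabled in list(Path(root).glob(pattern + SUFFIX)):
            original = disabled.with_name(disabled.name[: -len(SUFFIX)])
            if not original.exists():
                disabled.rename(original)
                restored.append(original)
    return sorted(restored)


def build_constructed_tree(base):
    """Create a constructed (fake) install tree for the demonstration."""
    base = Path(base)
    dll = base / "Reader 9.0" / "Reader" / "authplay.dll"
    lib = base / "Reader9" / "Reader" / "intellinux" / "lib" / "libauthplay.so.0.0.0"
    # "Adobe Reader.app" is an assumed package name; the glob accepts any.
    bundle = (base / "Adobe Reader 9" / "Adobe Reader.app" / "Contents"
              / "Frameworks" / "AuthPlayLib.bundle")
    for f in (dll, lib):
        f.parent.mkdir(parents=True)
        f.write_bytes(b"constructed placeholder, not a real library")
    bundle.mkdir(parents=True)  # Mac bundles are directories
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_constructed_tree(tmp)
        for old, new in disable_authplay(root, dry_run=True):
            print("would rename", old.relative_to(root), "->", new.name)
        disable_authplay(root)
        print("still loadable:", find_authplay(root))
```

As the quoted text notes, a PDF containing Flash (SWF) content then produces a crash or error message in the reader instead of playing.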
 
Shockwave v11.5.9.615 released

FYI...

Shockwave v11.5.9.615 released
- http://www.adobe.com/support/security/bulletins/apsb10-25.html
CVE number: CVE-2010-2581, CVE-2010-2582, CVE-2010-3653, CVE-2010-3655, CVE-2010-4084, CVE-2010-4085, CVE-2010-4086, CVE-2010-4087, CVE-2010-4088, CVE-2010-4089, CVE-2010-4090
October 28, 2010 - "Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems... Adobe recommends users of Adobe Shockwave Player 11.5.8.612 and earlier versions upgrade to the newest version 11.5.9.615, available here:
- http://get.adobe.com/shockwave/ ..."

:fear:
 
Current 'State of Adobe'...

FYI...

- http://isc.sans.edu/diary.html?storyid=9892
Last Updated: 2010-11-04 22:27:50 UTC - "... current 'State of Adobe'...
Product Latest Version
PDF Reader - v9.4.0 - vulnerable: http://secunia.com/advisories/42095/
Flash Player - 10.1.102.64
Shockwave Player- 11.5.9.615 - vulnerable: http://secunia.com/advisories/42112/
Acrobat - 9.4.0 - vulnerable: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Air - 2.5 ..."
- http://isc.sans.edu/tag.html?tag=adobe
___

Flash update now expected 11.4.2010...
- http://www.adobe.com/support/security/advisories/apsa10-05.html
Last updated: November 2, 2010 - "... We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux and Solaris by November 4, 2010. We expect to make available an update for Flash Player 10.x for Android by November 9, 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Last revised: 11/01/2010
CVSS v2 Base Score: 9.3 (HIGH)

:fear:
 
Flash v10.1.102.64 released...

FYI...

Flash Media Server multiple vulns - update available
- http://secunia.com/advisories/42157/
Release Date: 2010-11-10
Criticality level: Highly critical
Impact: DoS, System access
Where: From remote ...
Solution: Update to Flash Media Server version 3.0.7, 3.5.5, or 4.0.1.
Original Advisory: APSB10-27:
http://www.adobe.com/support/security/bulletins/apsb10-27.html
CVE-2010-3633, CVE-2010-3634, CVE-2010-3635
___

Flash v10.1.102.64 released
- http://www.adobe.com/support/security/advisories/apsa10-05.html
Last updated: November 4, 2010 - "A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android... Adobe recommends... update to Adobe Flash Player 10.1.102.64. For More information, please refer to Security Bulletin APSB10-26*..."
* http://www.adobe.com/support/security/bulletins/apsb10-26.html
Release date: November 4, 2010
CVE number: CVE-2010-3636, CVE-2010-3637, CVE-2010-3638, CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3654, CVE-2010-3976
Platform: All Platforms...
Adobe recommends users of Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.102.64... users who cannot update to Flash Player 10.1.102.64, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.289.0, which can be downloaded from: http://www.adobe.com/go/kb406791 ..."

- http://www.adobe.com/support/security/bulletins/apsb10-26.html
Last updated: November 9, 2010 - "... Users of Flash Player for Android version 10.1.95.1 and earlier can update to Flash Player version 10.1.105.6 by browsing to the Android Marketplace on an Android phone*..."
* market://details?id=com.adobe.flashplayer
___

Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,1,102,64 installed"
___

- http://www.securitytracker.com/id?1024685
Nov 5 2010
___

Flash Update plugs 18 security holes
- http://krebsonsecurity.com/2010/11/flash-update-plugs-18-security-holes/
v10.1.102.64 ...

:fear::fear:
 
More Adobe vulns ...

FYI...

Adobe Reader vuln
- http://secunia.com/advisories/42095/
Last Update: 2010-11-17
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 9.4.1.

Adobe Shockwave Player vuln - unpatched
- http://secunia.com/advisories/42112/
Last Update: 2010-11-16
Criticality level: Moderately critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
... The vulnerability is confirmed in version 11.5.9.615. Other versions may also be affected.
Solution: Do not open the "Shockwave Settings" window when viewing Shockwave content...
- http://www.securitytracker.com/id?1024682
Nov 4 2010
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4092
Last revised: 11/11/2010
CVSS v2 Base Score: 9.3 (HIGH)

* -and/or- UNINSTALL Shockwave Player. You can live without it.

:fear::fear:
 
Adobe PDF Reader status...

Adobe Reader/Acrobat v9.4.1 released
- http://forums.spybot.info/showpost.php?p=388827&postcount=20
___

Adobe PDF Reader status:

- http://www.adobe.com/support/security/bulletins/apsb10-28.html
November 12, 2010 - "... updates for Adobe Reader 9.4... and Adobe Acrobat 9.4... Adobe expects to make updates for Windows and Macintosh available on Tuesday, November 16, 2010. An update for UNIX is expected to be available on Monday, November 30, 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Original release date: 10/29/2010 - Last revised: 11/11/2010
CVSS v2 Base Score: 9.3 (HIGH) "... as exploited in the wild in October 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4091
Original release date: 11/07/2010 - Last revised: 11/11/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://secunia.com/advisories/42030/
Release Date: 2010-10-28
- http://secunia.com/advisories/42095/
Last Update: 2010-11-08

- http://contagiodump.blogspot.com/2010/11/cve-2010-3654.html
November 10, 2010

Alternative:
- http://forums.spybot.info/showpost.php?p=389640&postcount=28
FoxIt Reader v4.3.0.1110

:fear::fear:
 
Adobe Reader/Acrobat v9.4.1 released

FYI...

Adobe Reader/Acrobat v9.4.1 released
- http://www.adobe.com/support/security/bulletins/apsb10-28.html
November 16, 2010 - "Critical vulnerabilities... Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1...
Adobe Reader/Acrobat: Users on Windows and Macintosh can utilize the product's update mechanism..."
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4091
CVSS v2 Base Score: 9.3 (HIGH)

- http://www.adobe.com/support/downloads/new.jsp
11/16/2010

:fear:
 
Adobe Reader X released

FYI...

Adobe Reader X released
- http://www.adobe.com/products/reader/tech-specs.html

- http://www.adobe.com/products/reader/features.html

- http://get.adobe.com/reader/otherversions/

- http://www.adobe.com/products/reader.html

- http://www.adobe.com/support/downloads/new.jsp
11/18/2010

- http://isc.sans.edu/diary.html?storyid=9976
Last Updated: 2010-11-19 17:45:42 UTC - "... This is the version of Reader that has the sandbox feature built in; there is now a degree of separation between the OS and the potentially malicious PDF files. The same sandbox mechanism had been implemented in Google Chrome and also MS Office. Containment of the harmful files lessens the damage should a successful attack happen..."

- http://en.wikipedia.org/wiki/Sandbox_(computer_security)

:fear:
 
Adobe Photoshop v12.0.3 security update

FYI...

Adobe Photoshop CS5 - Security update
- http://www.adobe.com/support/security/bulletins/apsb10-30.html
December 17, 2010 - "An important library-loading vulnerability has been identified in Adobe Photoshop CS5 12.0.1 and earlier on the Windows platform. Adobe recommends users update their Adobe Photoshop CS5 installations..."
CVE number: CVE-2010-3127

Adobe Photoshop 12.0.3 update
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4949
"... Adobe Photoshop 12.0.3 update fixes a number of high priority bugs including tool tips on Windows XP, painting performance and type-related issues. This update is recommended for all Windows users..."

:fear:
 
Adobe - multiple updates released ...

FYI...

Security updates - Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb11-03.html
February 8, 2011
CVE Numbers: CVE-2010-4091, CVE-2011-0562, CVE-2011-0563, CVE-2011-0564, CVE-2011-0565, CVE-2011-0566, CVE-2011-0567, CVE-2011-0568, CVE-2011-0570, CVE-2011-0585, CVE-2011-0586, CVE-2011-0587, CVE-2011-0588, CVE-2011-0589, CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, CVE-2011-0594, CVE-2011-0595, CVE-2011-0596, CVE-2011-0598, CVE-2011-0599, CVE-2011-0600, CVE-2011-0602, CVE-2011-0603, CVE-2011-0604, CVE-2011-0605, CVE-2011-0606
"Critical vulnerabilities have been identified in Adobe Reader X (10.0) for Windows and Macintosh; Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system. Risk for Adobe Reader X users is significantly lower, as none of these issues bypass Protected Mode mitigations. Adobe recommends users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.0.1), available now. Adobe recommends users of Adobe Reader 9.4.1 for UNIX update to Adobe Reader 9.4.2, expected to be available by the week of February 28, 2011. For users of Adobe Reader 9.4.1 and earlier versions for Windows and Macintosh who cannot update to Adobe Reader X (10.0.1), Adobe has made available updates, Adobe Reader 9.4.2 and Adobe Reader 8.2.6. Adobe recommends users of Adobe Acrobat X (10.0) for Windows and Macintosh update to Adobe Acrobat X (10.0.1). Adobe recommends users of Adobe Acrobat 9.4.1 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.2, and users of Adobe Acrobat 8.2.5 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.6...
Adobe Reader: Users on Windows and Macintosh can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates...
Adobe Acrobat: Users can utilize the product's update mechanism... Update checks can be manually activated by choosing Help > Check for Updates..."

- http://secunia.com/advisories/43207/
Release Date: 2011-02-09
Criticality level: Highly critical
Impact: Cross Site Scripting, Privilege escalation, System access
Where: From remote ...
Solution: Update to version 8.2.6, 9.4.2, or 10.0.1.
___

• Full Download/Updates-Programs/Add-ons...
- http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
___

ColdFusion - Hotfix available...
- http://www.adobe.com/support/security/bulletins/apsb11-04.html
February 8, 2011 - "Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to cross-site scripting, Session Fixation, CRLF injection and information disclosure... Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote:
- http://kb2.adobe.com/cps/890/cpsid_89094.html

- http://secunia.com/advisories/43264/
Release Date: 2011-02-09
Criticality level: Moderately critical
Impact: Cross Site Scripting, Exposure of sensitive information
Where: From remote...
Solution: Apply the Hotfix.
Original Advisory: Adobe (APSB11-04):
http://www.adobe.com/support/security/bulletins/apsb11-04.html

:fear::fear:
 
Adobe Flash + Shockwave security updates ...

FYI...

Adobe Flash Player - Security update
- http://www.adobe.com/support/security/bulletins/apsb11-02.html
February 8, 2011
CVE Numbers: CVE-2011-0558, CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0575, CVE-2011-0577, CVE-2011-0578, CVE-2011-0607, CVE-2011-0608
"Critical vulnerabilities have been identified in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.152.26..."

Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,2,152,26 installed"

- http://secunia.com/advisories/43267/
Release Date: 2011-02-09
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 10.2.152.26.

- http://www.securitytracker.com/id/1025055
Feb 9 2011
___

Shockwave Player - Security update
- http://www.adobe.com/support/security/bulletins/apsb11-01.html
February 8, 2011
CVE number: CVE-2010-2587, CVE-2010-2588, CVE-2010-2589, CVE-2010-4092, CVE-2010-4093, CVE-2010-4187, CVE-2010-4188, CVE-2010-4189, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, CVE-2010-4193, CVE-2010-4194, CVE-2010-4195, CVE-2010-4196, CVE-2010-4306, CVE-2010-4307, CVE-2011-0555, CVE-2011-0556, CVE-2011-0557, CVE-2011-0569
"Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions update to Adobe Shockwave Player 11.5.9.620... Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions upgrade to the newest version 11.5.9.620, available here:
- http://get.adobe.com/shockwave ..."

- http://www.securitytracker.com/id/1025056
Feb 9 2011

:fear::fear:
 
Adobe exploits-in-the-wild...

FYI...

Flash 0-day targeted attacks...
- http://isc.sans.edu/diary.html?storyid=10549
Last Updated: 2011-03-14 20:09:26 UTC - "Adobe posted a security advisory*... These attacks seem to be particularly sneaky – the Flash exploit is embedded in an Excel file which is also used to setup memory so the exploit has a higher chance of succeeding. We will keep an eye on this and if the 0-day starts being used in the wild..."
___

- http://blog.trendmicro.com/excel-file-containing-adobe-zero-day-exploit-found/
Mar. 16, 2011
___

* http://www.adobe.com/support/security/advisories/apsa11-01.html
March 14, 2011 - "Summary: A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.13 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems. This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment... We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011..."

- http://secunia.com/advisories/43751/
Release Date: 2011-03-15
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe Flash Player 10.x
... The vulnerability is reportedly being actively exploited.
Solution: Adobe plans to release a fixed version during the week of March 21, 2011...

- http://secunia.com/advisories/43772
___

- http://www.us-cert.gov/current/#adobe_releases_security_advisory_for6
March 15, 2011

- http://www.kb.cert.org/vuls/id/192052
Last Updated: 2011-03-15

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Last revised: 03/15/2011
CVSS v2 Base Score: 9.3 (HIGH)

- http://www.securitytracker.com/id/1025210
Mar 15 2011
- http://www.securitytracker.com/id/1025211
Mar 15 2011

:mad:
 
Android Flash 10.2 update...

FYI...

Flash 10.2 update - for Androids only...
- http://blogs.adobe.com/flashplayer/2011/03/flash-player-10-2-now-available-for-mobile-devices.html
March 18, 2011 - "... To see if your device is certified for Flash Player 10.2, visit:
- http://www.adobe.com/flashplatform/certified_devices/
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Last revised: 03/15/2011
CVSS v2 Base Score: 9.3 (HIGH)
___

- http://www.adobe.com/support/security/bulletins/apsb11-02.html
Last updated: March 18, 2011 - "... Adobe recommends users of Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.152.26..."

- http://www.adobe.com/support/security/advisories/apsa11-01.html
Last updated: March 18, 2011 - "... A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier... We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011..."

.
 
Flash/Reader/Acrobat critical updates released

FYI...

- http://www.adobe.com/support/security/advisories/apsa11-01.html
March 21, 2011 - Updated with information on Security Bulletin APSB11-05 and Security Bulletin APSB11-06

Flash Player v10.2.153.1 released
- http://www.adobe.com/support/security/bulletins/apsb11-05.html
March 21, 2011 - "A critical vulnerability has been identified in Adobe Flash Player 10.2.152.33 and earlier... Adobe recommends users of Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris operating systems update to Adobe Flash Player 10.2.153.1..."

Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,2,153,1 installed"
___

Adobe Reader, Acrobat updates released
- http://www.adobe.com/support/security/bulletins/apsb11-06.html
March 21, 2011 - "A critical vulnerability has been identified in the authplay.dll component that ships with Adobe Reader and Acrobat...
> Adobe recommends users of Adobe Reader X (10.0.1) for Macintosh update to Adobe Reader X (10.0.2). For users of Adobe Reader 9.4.2 for Windows and Macintosh, Adobe has made available the update, Adobe Reader 9.4.3...
> Adobe recommends users of Adobe Acrobat X (10.0.1) for Windows and Macintosh update to Adobe Acrobat X (10.0.2). Adobe recommends users of Adobe Acrobat 9.4.2 for Windows and Macintosh update to Adobe Acrobat 9.4.3...
> Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
> Adobe Reader 9.x users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
> Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
... Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011..."
___

- http://www.us-cert.gov/current/#adobe_releases_flash_player_update
March 21, 2011
- http://www.us-cert.gov/current/#adobe_releases_security_updates_for7
March 22, 2011
___

Adobe AIR ...
- http://www.securitytracker.com/id/1025238
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Date: Mar 22 2011
"... The vendor has issued a fix (2.6)..."
- http://get.adobe.com/air/

:fear::fear::fear:
 
Adobe exploits in-the-wild ...

FYI...

PDF file loaded w/malware used in attack on Spotify...
- http://forums.spybot.info/showpost.php?p=398775&postcount=109
"... Blackhole Exploit Kit... One of the vulnerabilities the exploit kit uses is a vulnerability in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file..."
* http://www.virustotal.com/file-scan...66d1cf9dccb7c2ea3da3d42fd090c97acf-1301413767
File name: L9FPB1.pdf
Submission date: 2011-03-29 15:49:27 (UTC)
Result: 12/43 (27.9%)
___

Flash exploits in-the-wild - SPAM attachments...
- http://www.f-secure.com/weblog/archives/00002127.html
March 23, 2011 - "Attackers have been taking advantage of the situation in Japan to trick their targets into opening malicious files. These cases have used infected Excel attachments with Flash exploits... Another sample we've seen (md5:20ee090487ce1a670c192f9ac18c9d18) is an Excel file containing an embedded Flash object that exploits a known vulnerability (CVE-2011-0609). When the XLS file is opened, it shows an empty Excel spreadsheet and starts exploit code via a Flash object. The Flash object starts by doing a heap-spray... the Flash object constructs and loads a second Flash object in runtime... This second Flash object is the main exploit in this malware and it exploits CVE-2011-0609 to execute the shellcode in the heap... As an aside: the main exploit appears to have been delivered in this fashion in an attempt to evade detection. As it is loaded in memory, no physical file is available for scanning by an antivirus engine. Embedding the Flash object that loads the main exploit in an Excel file may be an attempt to further disguise the attack... users should update their Flash player as Adobe has already released a patch for this particular vulnerability. For more information, please see their security advisory*..."
(Screenshots available at the URL above.)
* http://forums.spybot.info/showpost.php?p=398407&postcount=28
Flash Player v10.2.153.1 released

- http://www.f-secure.com/weblog/archives/00002127.html
March 23, 2011

- http://sunbeltblog.blogspot.com/2011/03/tips-for-avoiding-endless-japan.html

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Last revised: 03/15/2011
CVSS v2 Base Score: 9.3 (HIGH)
"... as exploited in the wild in March 2011..."

:fear::mad::spider:
 
Flash 0-day exploit in-the-wild ...

FYI...

Flash 0-day exploit in-the-wild ...
- http://krebsonsecurity.com/2011/04/new-adobe-flash-zero-day-being-exploited/
April 11, 2011 3:32 pm - "Attackers are exploiting a previously unknown security flaw in Adobe’s ubiquitous Flash Player software to launch targeted attacks, according to several reliable sources... the attacks exploit a vulnerability in fully-patched versions of Flash, and are being leveraged in targeted spear-phishing campaigns launched against select organizations and individuals that work with or for the U.S. government. Sources say the attacks so far have embedded the Flash exploit inside of Microsoft Word files made to look like important government documents... A scan of one tainted file used in this attack that was submitted to Virustotal.com* indicates that just one out of 42 anti-virus products used to scan malware at the service detected this thing as malicious..."
* http://www.virustotal.com/file-scan...a1cf9b0b1a25353db7d3142b268893507f-1302359653
File name: Disentangling Industrial Policy and Competition Policy.doc
Submission date: 2011-04-09 14:34:13 (UTC)
Result: 1/42 (2.4%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...a1cf9b0b1a25353db7d3142b268893507f-1304526431
File name: Disentangling Industrial Policy and Competition Policy.doc
Submission date: 2011-05-04 16:27:11 (UTC)
Result: 29/41 (70.7%)

Screenshot of malicious e-mail:
- http://regmedia.co.uk/2011/04/12/malicous_email.jpg
___

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat
- http://www.adobe.com/support/security/advisories/apsa11-02.html
April 11, 2011
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611
A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system... We are in the process of finalizing a schedule for delivering updates...
Affected software versions:
• Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
• Adobe Flash Player 10.2.154.25 and earlier for Chrome users
• Adobe Flash Player 10.2.156.12 and earlier for Android
• The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems
NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue...

- http://secunia.com/advisories/44119/
Release Date: 2011-04-12
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... The vulnerability is currently being actively exploited via Office Word documents (.doc) containing malicious Flash content...
Original Advisory: Adobe:
http://blogs.adobe.com/psirt/2011/0...layer-adobe-reader-and-acrobat-apsa11-02.html

- http://secunia.com/advisories/44149/
Release Date: 2011-04-12
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... The vulnerability is caused due to a vulnerable bundled version of Flash Player (authplay.dll)...

- http://www.securitytracker.com/id/1025324
Apr 12 2011
- http://www.securitytracker.com/id/1025325
Apr 12 2011

:mad:
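The F-Secure write-up and the Secunia advisory quoted above both describe Flash content carried inside legacy Office files (.xls, .doc). The following triage sketch is an added example, not code from any of the quoted vendors: it scans a file's bytes for SWF-shaped headers inside an OLE2 container. The function names, the version bound and the sample bytes are assumptions made for illustration, and it assumes the embedded object sits contiguously in the file; it only finds the carrier object on disk, not a second stage built in memory.

```python
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls (OLE2) container
MAX_SWF_VERSION = 50  # assumption: generous upper bound on the SWF version byte

def _zlib_header_ok(two):
    # RFC 1950: method 8 (deflate) and (CMF*256 + FLG) divisible by 31
    return (len(two) == 2 and (two[0] & 0x0F) == 8
            and ((two[0] << 8) | two[1]) % 31 == 0)

def find_embedded_swf(data):
    """Return sorted (offset, signature, version, declared_length) candidates."""
    hits = []
    for magic in (b"FWS", b"CWS"):  # uncompressed / zlib-compressed SWF
        pos = data.find(magic)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                (length,) = struct.unpack("<I", header[4:8])
                ok = 1 <= version <= MAX_SWF_VERSION and length > 8
                if magic == b"FWS":
                    # uncompressed: the declared length must fit in the file
                    ok = ok and length <= len(data) - pos
                else:
                    # compressed: a zlib stream must start right after the header
                    ok = ok and _zlib_header_ok(data[pos + 8:pos + 10])
                if ok:
                    hits.append((pos, magic.decode(), version, length))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def triage(data):
    """Flag OLE2 files that contain at least one plausible SWF header."""
    hits = find_embedded_swf(data)
    is_ole = data.startswith(OLE_MAGIC)
    return {"ole_container": is_ole, "swf_hits": hits, "flag": is_ole and bool(hits)}

def build_sample(with_swf):
    """Constructed input: OLE2 magic, padding, then an SWF-shaped blob or plain text."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_swf:
        body += b"FWS" + bytes([10]) + struct.pack("<I", 40) + b"\x00" * 32
    else:
        body += b"Notes: FWS and CWS are the SWF signatures."
    return body + b"\x00" * 16

if __name__ == "__main__":
    for with_swf in (True, False):
        print(with_swf, triage(build_sample(with_swf)))
```

A hit is a reason to route the attachment to deeper analysis, not a verdict: legitimate documents can embed Flash too.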
 