Old Adobe updates/advisories

[AplusWebMaster]

Targeted (PDF) attacks...

FYI...

Targeted (PDF) attacks...
- http://www.f-secure.com/weblog/archives/00001859.html
January 18, 2010 - "F-Secure Labs has learned of another interesting targeted attack. In this case, malicious PDF files were emailed to US defense contractors. While the "Aurora" attacks against Google and others happened in December 2009, this happened just last week. The PDF file was quite convincing and it looked like it came from the Department of Defense... The document talks about a real conference to be held in Las Vegas in March. When opened to Adobe Reader, the file exploited the CVE-2009-4324* vulnerability. This is the doc.media.newPlayer vulnerability that Adobe patched last Tuesday. The exploit dropped a file called Updater.exe (md5: 3677fc94bc0dd89138b04a5a7a0cf2e0). This is a backdoor that connects to IP address 140.136.148.42. In order to avoid detection, it bypasses the local web proxy when doing this connection. Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4324
"... Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X..."

(Screenshots available at the F-secure URL above.)

 

[AplusWebMaster]

Shockwave v11.5.6.606 released

FYI...

Shockwave v11.5.6.606 released
- http://www.adobe.com/support/security/bulletins/apsb10-03.html
Release date: January 19, 2010
CVE number: CVE-2009-4002, CVE-2009-4003
Platform: Windows and Macintosh
"... Adobe recommends Shockwave Player users uninstall Shockwave version 11.5.2.602 and earlier on their systems, restart their systems, and install Shockwave version 11.5.6.606, available here: http://get.adobe.com/shockwave/ ... Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."

- http://news.techworld.com/security/3205708/adobe-patches-five-critical-shockwave-player-bugs/
"... installed on some 450 million PCs..."

- http://secunia.com/advisories/37888/2/
Release Date: 2010-01-20
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Director 11.x, Adobe Shockwave Player 11.x
Solution: Update to Shockwave version 11.5.6.606.

:fear:

 

[AplusWebMaster]

Adobe multiple vulns - Flash/Reader/Acrobat/ColdFusion - more

FYI...

Adobe Flash Player Domain Sandbox Bypass Vuln
- http://secunia.com/advisories/38547/
Release Date: 2010-02-12
Criticality level: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x, Adobe Flash CS3, Adobe Flash CS4, Adobe Flash Player 10.x, Adobe Flex 3.x
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb10-06.html
"...Details:
A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. This update also resolves a potential Denial of Service issue (CVE-2010-0187).
Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2.
- http://get.adobe.com/flashplayer/
*Adobe recommends all users of Adobe AIR version 1.5.3.9120 and earlier update to the newest version 1.5.3.9130..."
- http://get.adobe.com/air/
Revisions: February 12, 2010 - Bulletin updated with corrected version numbers for AIR.*
- http://atlas.arbor.net/briefs/index#1106299496
February 15, 2010 - "High Severity... Analysis: This is a serious issue that we encourage all sites to schedule an update..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0186
Last revised: 02/26/2010
Flash Player before 10.0.45.2, AIR before 1.5.3.9130...
CVSS v2 Base Score: 6.8 (MEDIUM)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0187
Last revised: 02/26/2010
Flash Player before 10.0.45.2, AIR before 1.5.3.9130...
CVSS v2 Base Score: 4.3 (MEDIUM)

Adobe Products XML Processing Information Disclosure
- http://secunia.com/advisories/38543/
Release Date: 2010-02-12
Criticality level: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch
Software: Adobe BlazeDS 3.x, Adobe ColdFusion 8.x, Adobe ColdFusion 9.x, Adobe ColdFusion MX 7.x, Adobe Flex Data Services 2.x, Adobe LiveCycle 8.x, Adobe LiveCycle 9.x, Adobe LiveCycle Data Services 2.x, Adobe LiveCycle Data Services 3.x
Solution: Apply patches. Please see the vendor's advisory for required installation steps.
Original Advisory: http://www.adobe.com/support/security/bulletins/apsb10-05.html
"... Summary:
An important vulnerability (CVE-2009-3960) has been identified in BlazeDS 3.2 and earlier versions. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information. This issue affects LiveCycle 9.0, 8.2.1 and 8.0.1, and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2, which are installed with different versions of Data Services products. Adobe has provided a solution for the reported vulnerability for each affected Adobe product. It is recommended that users update their installations of each affected Adobe product to the latest version using the instructions provided..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3960
Last revised: 02/26/2010
BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0...
CVSS v2 Base Score: 4.3 (MEDIUM)

:fear:

 

[AplusWebMaster]

Adobe Reader/Acrobat critical update released

FYI...

Adobe Reader/Acrobat critical update released
- http://www.adobe.com/support/security/bulletins/apsb10-07.html
February 16, 2010 - "... this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.)
Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for Windows and Macintosh update to Acrobat 8.2.1.
Affected software versions:
Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh
Solution: Adobe Reader:
Users can utilize the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and can be manually activated by choosing Help > Check For Updates Now.
Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/products/reader/unix9/ (download latest update from 9.3.1 folder)...
Adobe Acrobat:
Users can utilize the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and can be manually activated by choosing Help > Check For Updates Now.
Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp.
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/new.jsp .
Severity rating:
Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188
Last revised: 02/26/2010
Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1...
CVSS v2 Base Score: 10.0 (HIGH)

- http://secunia.com/advisories/38551/
Last Update: 2010-02-17
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x, Adobe Acrobat 9.x, Adobe Reader 8.x, Adobe Reader 9.x
Solution: Update to version 8.2.1 or 9.3.1.

- http://blog.trendmicro.com/adobe-releases-out-of-band-patch-for-adobe-reader-and-acrobat/
Feb. 21, 2010

:fear::fear:

 

[AplusWebMaster]

FYI...

Adobe Download Manager - critical update
- http://www.adobe.com/support/security/bulletins/apsb10-08.html
February 23, 2010 - "Summary:
A critical vulnerability has been identified in the Adobe Download Manager. This vulnerability (CVE-2010-0189) could potentially allow an attacker to download and install unauthorized software onto a user's system. Users, who have downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ or Adobe Flash Player for Windows from http://get.adobe.com/flashplayer/ prior to the release of this Security Bulletin on February 23, 2010, can verify they are not vulnerable to this Adobe Download Manager issue by following the instructions in the Solution section below.
Affected software versions:
Adobe Download Manager on Windows (prior to February 23, 2010)
> Solution:
Users, who have downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ or Adobe Flash Player for Windows from http://get.adobe.com/flashplayer/ prior to the release of this Security Bulletin on February 23, 2010, can verify they are not vulnerable to this Adobe Download Manager issue by following the instructions below:
• Ensure that the C:\Program Files\NOS\ folder and its contents ("NOS files") are not present on your system. (If the folder is present, follow the steps below to remove).
• Click "Start" > "Run" and type "services.msc". Ensure that "getPlus(R) Helper" is not present in the list of services.
If the NOS files are found, the Adobe Download Manager issue can be mitigated by:
• Navigating to Start > Control Panel > Add or Remove Programs > Adobe Download Manager, and selecting Remove to remove the Adobe Download Manager from your system.
-OR-
• Clicking "Start" > "Run" and typing "services.msc". Then deleting "getPlus(R) Helper" from the list of services.
• Then delete the C:\Program Files\NOS\ folder and its contents.
This issue is resolved as of February 23, 2010, and no action is required for future downloads of Adobe Reader from http://get.adobe.com/reader/ or Adobe Flash Player from http://get.adobe.com/flashplayer/.
> Severity rating:
Adobe categorizes this as a critical update. Users can remove potentially vulnerable installations of the Adobe Download Manager using the instructions in the Solution section above.
Details:
A critical vulnerability has been identified in the Adobe Download Manager. This vulnerability (CVE-2010-0189) could potentially allow an attacker to download and install unauthorized software onto a user's system.
The Adobe Download Manager is intended for one-time use. The Adobe Download Manager is designed to remove itself from the computer after use at the next computer restart. However, Adobe recommends users verify that a potentially vulnerable version of the Adobe Download Manager is no longer installed on their machine using the instructions in the Solution section above."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0189
Last revised: 03/02/2010
getPlus Download Manager (aka DLM or Downloader) 1.5.2.35...
CVSS v2 Base Score: 10.0 (HIGH)

- http://secunia.com/advisories/38729/
Release Date: 2010-02-24
Criticality level: Highly critical
Impact: System access
Where: From remote
Software: Adobe GetPlus DLM 1.x
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-08.html

- http://blog.trendmicro.com/new-adobe-download-manager-bug/
Feb. 24, 2010

- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=856
02.23.10
... DISCLOSURE TIMELINE
06/09/2009 Initial Vendor Notification
06/09/2009 Initial Vendor Reply
02/23/2010 Coordinated Public Disclosure

:fear:

 

[AplusWebMaster]

Adobe Reader and Acrobat updates - 04.13.2010

FYI...

Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb10-09.html
April 8, 2010 - "Adobe is planning to release updates for Adobe Reader 9.3.1 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.1 for Windows and Macintosh, and Adobe Reader 8.2.1 and Acrobat 8.2.1 for Windows and Macintosh to resolve critical security issues. Adobe expects to make these quarterly updates available on April 13, 2010. Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt * ..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4764
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1240
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1241

* http://blogs.adobe.com/psirt/2010/04/pre-notification_-_quarterly_s_2.html
April 8, 2010 - "A Security Advisory has been posted in regards to the upcoming Adobe Reader and Acrobat updates scheduled for April 13, 2010. The updates will address critical security issues in the products. This quarterly security update will be made available for Windows, Macintosh and UNIX. With this quarterly update, we are enabling the new updater first shipped in a passive state with the October quarterly security update. For more information, please refer to the Adobe Reader blog**...."

** http://blogs.adobe.com/adobereader/2010/04/upcoming_adobe_reader_and_acro.html
April 8, 2010

:fear:

 

[AplusWebMaster]

Adobe v9.3.2 Reader/Acrobat released

FYI...

Security update available for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb10-09.html
April 13, 2010 - "... Adobe recommends users of Adobe Reader 9.3.1 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.2. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.2, Adobe has provided the Adobe Reader 8.2.2 update.) Adobe recommends users of Adobe Acrobat 9.3.1 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.2. Adobe recommends users of Acrobat 8.2.1 and earlier versions for Windows and Macintosh update to Acrobat 8.2.2...
... Users can utilize the product's automatic update feature...
... users on Windows/Macintosh can also find the appropriate update here:
- http://www.adobe.com/support/downloads/new.jsp
... Unix users here:
- http://www.adobe.com/products/reader/unix9/
(download latest update from 9.3.2 folder)

CVE numbers: CVE-2010-0190, CVE-2010-0191, CVE-2010-0192, CVE-2010-0193, CVE-2010-0194, CVE-2010-0195, CVE-2010-0196, CVE-2010-0197, CVE-2010-0198, CVE-2010-0199, CVE-2010-0201, CVE-2010-0202, CVE-2010-0203, CVE-2010-0204, CVE-2010-1241
Platform: All Platforms

- http://secunia.com/advisories/39272/
Release Date: 2010-04-14
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x, Adobe Acrobat 9.x, Adobe Reader 8.x, Adobe Reader 9.x
Solution: Update to version 9.3.2 or 8.2.2.

- http://atlas.arbor.net/briefs/index#-69029221
April 20, 2010 - "Analysis: We have seen exploit code used for some of these bugs, most notably with the Zeus botnet. We encourage all sites to update their Adobe PDF viewers immediately to address these issues."

:fear:

 

[AplusWebMaster]

Adobe Photoshop security update CS4 11.0.1

FYI...

Security issues in Adobe Photoshop CS4 11.0.0
- http://www.adobe.com/support/security/bulletins/apsb10-10.html
April 30, 2010 - "Critical vulnerabilities have been identified in Photoshop CS4 that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system... Adobe recommends Photoshop CS4 customers update to Photoshop CS4 11.0.1 using the instructions below.
To verify the version of Adobe Photoshop CS4 currently installed, choose Help > About Adobe Photoshop CS4 from the Adobe Photoshop menu bar. To check for updates, choose Help > Updates from the Adobe Photoshop menu bar.
Photoshop CS4 customers can also find the Photoshop CS4 11.0.1 update for Windows or Macintosh here:
Adobe Photoshop CS4 11.0.1 update for Windows
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4292
Adobe Photoshop CS4 11.0.1 update for Macintosh
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4291
Note: These issues do not affect Photoshop CS5..."

- http://www.adobe.com/support/downloads/new.jsp

Adobe Photoshop CS4 TIFF File Processing vuln - update available
- http://secunia.com/advisories/39711/
Release Date: 2010-05-03
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to Photoshop CS4 11.0.1.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1279

Adobe Photoshop -CS3- TIFF File Processing Vuln
- http://secunia.com/advisories/39709/
Release Date: 2010-05-05
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: -Unpatched-
Solution: Upgrade to a higher version.

:fear::fear:

 

[AplusWebMaster]

Adobe Shockwave/ColdFusion advisories...

FYI...

Shockwave Player v11.5.7.609 released
- http://www.adobe.com/support/security/bulletins/apsb10-12.html
May 11, 2010 - "... Summary:
Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the instructions provided below.
Affected software versions: Shockwave Player 11.5.6.606 and earlier versions for Windows and Macintosh
Solution: Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions upgrade to the newest version 11.5.7.609, available here:
- http://get.adobe.com/shockwave/
CVE number: CVE-2010-0127, CVE-2010-0128, CVE-2010-0129, CVE-2010-0130, CVE-2010-0986, CVE-2010-0987, CVE-2010-1280, CVE-2010-1281, CVE-2010-1282, CVE-2010-1283, CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291, CVE-2010-1292
Platform: Windows and Macintosh

Adobe Shockwave Player Multiple Vulnerabilities
- http://secunia.com/advisories/38751/

Hotfixes available for ColdFusion
- http://www.adobe.com/support/security/bulletins/apsb10-11.html
May 11, 2010 - "... Summary:
Important vulnerabilities have been identified in ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX. The vulnerabilities could lead to cross-site scripting and information disclosure.
Affected software versions: ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the following link:
- http://kb2.adobe.com/cps/841/cpsid_84102.html
CVE number: CVE-2009-3467, CVE-2010-1293, CVE-2010-1294
Platform: All Platforms ..."

Adobe ColdFusion Cross-Site Scripting and Information Disclosure
- http://secunia.com/advisories/39790/

:fear:

 

[AplusWebMaster]

Photoshop CS4 v11.0.2 - security update

FYI...

Photoshop CS4 v11.0.2 - security update
- http://www.adobe.com/support/security/bulletins/apsb10-13.html
May 26, 2010 - "Critical vulnerabilities have been identified in Photoshop CS4 11.0.1 and earlier for Windows and Macintosh that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system... Adobe recommends Photoshop CS4 customers update to Photoshop CS4 11.0.2, which resolves these issues.
Note: None of these issues affect Photoshop CS5.
To verify the version of Adobe Photoshop CS4 currently installed, choose Help > About Adobe Photoshop CS4 from the Adobe Photoshop menu bar. To check for updates,
choose Help > Updates from the Adobe Photoshop menu bar.
Photoshop CS4 customers can also find the Photoshop CS4 11.0.2 update for Windows or Macintosh here:
* Adobe Photoshop CS4 11.0.2 update for Windows
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4713
* Adobe Photoshop CS4 11.0.2 update for Macintosh
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4712 ..."

- http://secunia.com/advisories/39934/
Release Date: 2010-05-27
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 11.0.2...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1296
Last revised: 05/27/2010

:fear:

 

[AplusWebMaster]

Adobe Flash/Acrobat/Reader exploits-in-the-wild

FYI...

Adobe Flash/Acrobat/Reader vulns
___

Status update: Adobe vulnerabilities - exploits-in-the-wild ...
- http://www.adobe.com/support/security/advisories/apsa10-01.html
Last updated: June 8, 2010 - "... We are in the process of finalizing a fix for the issue, and expect to provide an update for Flash Player 10.x for Windows, Macintosh, and Linux by June 10, 2010. The patch date for Flash Player 10.x for Solaris is still to be determined.
We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010..."

- http://atlas.arbor.net/briefs/index#-1218073436
Title: Adobe Flash, Reader, and Acrobat 0day authplay Vulnerability
Severity: Extreme Severity
June 09, 2010 - "Analysis: This is an active, critical issue being exploited in the wild. We have multiple sources of these attacks with minimal AV detection. We encourage sites to investigate remediation steps immediately to address this."
Source: http://www.us-cert.gov/cas/techalerts/TA10-159A.html

- http://www.f-secure.com/weblog/archives/00001963.html
June 8, 2010 - "... spam run pushing a PDF exploit... screenshot of the PDF attachment..."

Adobe 0-day used in targeted attacks
- http://community.websense.com/blogs...9/how-the-adobe-0-day-is-used-in-attacks.aspx
9 Jun 2010

- http://www.kb.cert.org/vuls/id/486225
Date Last Updated: 2010-06-09

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297
Last revised: 06/09/2010
CVSS v2 Base Score: 9.3 (HIGH)

Mitigations for Adobe vulnerability: CVE-2010-1297
- http://www.sophos.com/blogs/sophoslabs/?p=9954
June 8, 2010 - "...
1. Renaming authplay.dll: Our testing shows that this workaround, at least for this sample, works successfully (as claimed by Adobe). Acrobat will work normally on regular PDFs, but on exploited files (and potentially others with embedded SWF files), it will crash, but the exploit will fail.
2. Disabling JavaScript: As recommended previously, disabling JavaScript in Acrobat Reader is another workaround for this sample (since it relies on JavaScript to create the shellcode).
3. Alternative PDF reader: The exploit depends upon embedded SWF content, so PDF readers which ignore this ought to be safe..."

- http://www.symantec.com/connect/blogs/0-day-attack-wild-adobe-flash-reader-and-acrobat
June 6, 2010 - "We have confirmed the attacks that are exploiting the vulnerability (CVE-2010-1297) Adobe announced on its security advisory* are in the wild. The exploit takes advantage of an unpatched vulnerability in Flash Player, Adobe Reader, and Acrobat, and affects users regardless of whether they use Windows, Macintosh, Solaris, Linux, or UNIX... Attacks can take place in various situations with a few listed below:
• Receiving an email with a malicious PDF attachment.
• Receiving an email with a link to the malicious PDF file or a website with the malicious SWF imbedded in malicious HTML code.
• Stumbling across a malicious PDF or SWF file when surfing the web..."

- http://krebsonsecurity.com/2010/06/adobe-warns-of-critical-flaw-in-flash-acrobat-reader/
June 5, 2010

- http://blog.trendmicro.com/zero-day-flashacrobat-exploit-seen-in-the-wild/
June 5, 2010

- http://blogs.adobe.com/psirt/2010/06/security_advisory_for_adobe_re.html
June 4, 2010

Adobe Flash Player vuln
- http://secunia.com/advisories/40026/
Release Date: 2010-06-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software: Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
NOTE: The vulnerability is reportedly being actively exploited.
Solution: Reportedly, the latest version 10.1 Release Candidate is not affected...
- http://labs.adobe.com/downloads/flashplayer10.html
Reported as a 0-day.
Original Advisory: Adobe:
* http://www.adobe.com/support/security/advisories/apsa10-01.html

Adobe Reader/Acrobat vuln
- http://secunia.com/advisories/40034/
Release Date: 2010-06-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
NOTE: The vulnerability is currently being actively exploited.
Solution: Delete, rename, or remove access to authplay.dll to prevent running SWF content in PDF files...
Reported as a 0-day.

:fear::fear:

 

[AplusWebMaster]

FYI...

Adobe Flash v 10.1.53.64 released
- http://www.adobe.com/support/security/bulletins/apsb10-14.html
June 10, 2010 - "... Adobe recommends all users of Adobe Flash Player 10.0.45.2 and earlier versions upgrade to the newest version 10.1.53.64* by downloading it from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted... Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64...
CVE number: CVE-2008-4546, CVE-2009-3793, CVE-2010-1297, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171, CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187, CVE-2010-2188, CVE-2010-2189 ...
* http://www.adobe.com/products/flashplayer/productinfo/instructions/

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297
Last revised: 06/25/2010
CVSS v2 Base Score: 9.3 (HIGH)

Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Test after install:
- http://www.adobe.com/software/flash/about/

... For users who cannot update to Flash Player 10.1.53.64, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.277.0:
- http://kb2.adobe.com/cps/406/kb406791.html
2010-06-10

- http://atlas.arbor.net/briefs/index#-151014831
Severity: Extreme Severity
... Exploit code is in circulation in the wild. Adobe has released APSB10-14 to address this issue.
Analysis: This is a key update for all Adobe users, and we encourage all sites to update as soon as possible.

- http://securitytracker.com/alerts/2010/Jun/1024085.html
Jun 11 2010

- http://secunia.com/advisories/40026/
Last Update : 2010-06-11
Criticality level: Extremely critical
Impact: Cross Site Scripting, System access
Where: From remote ...
Solution: Update to version 9.0.277.0 or 10.1.53.64.

Adobe AIR v2.0.2.12610
- http://get.adobe.com/air/
... http://secunia.com/advisories/40144/
Release Date: 2010-06-11
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote
Solution: Upgrade to version 2.0.2.12610...

- http://www.adobe.com/support/security/advisories/apsa10-01.html
Last updated: June 10, 2010 - "... We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010..."

:fear::fear:

 

[AplusWebMaster]

Adobe Reader/Acrobat v9.3.3 released

FYI...

Adobe Reader/Acrobat v9.3.3 released
- http://www.adobe.com/support/security/bulletins/apsb10-15.html
June 29, 2010 - CVE numbers: CVE-2010-1240, CVE-2010-1285, CVE-2010-1295, CVE-2010-1297, CVE-2010-2168, CVE-2010-2201, CVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205, CVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, CVE-2010-2212
Platform: All Platforms
Summary: Critical vulnerabilities have been identified in Adobe Reader/Acrobat 9.3.2... Adobe recommends users of Adobe Reader/Acrobat 9.3.2 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader/Acrobat 9.3.3. (For Adobe Reader/Acrobat users on Windows and Macintosh, who cannot update to Adobe Reader/Acrobat 9.3.3, Adobe has provided the Adobe Reader/Acrobat 8.2.3 update.)...
Adobe Reader/Acrobat - Users can utilize the product's automatic update feature. The default installation configuration runs automatic updates on a regular schedule and can be manually activated by choosing Help > Check for Updates...

- http://www.adobe.com/support/downloads/new.jsp

- http://secunia.com/advisories/40034/
Last Update: 2010-06-30
Criticality level: Extremely critical
Impact: System access
Where: From remote ...
NOTE: The vulnerability is currently being actively exploited...
Solution: Update to version 9.3.3 or 8.2.3.

- http://securitytracker.com/alerts/2010/Jun/1024159.html
Jun 29 2010

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1240
Last revised: 07/02/2010
CVSS v2 Base Score: 9.3 (HIGH)
"... Acrobat 9.x before 9.3.3, and 8.x before 8.2.3..."
- http://isc.sans.edu/diary.html?storyid=9112
Last Updated: 2010-07-02 02:43:08 UTC

:fear:

 

[AplusWebMaster]

Adobe Reader 0-day, again...

FYI...

Adobe Reader 0-day, again...
- http://www.theregister.co.uk/2010/08/04/critical_adobe_reader_vuln/
4 August 2010 - "... yet another vulnerability in Adobe Reader that allows hackers to execute malicious code on computers by tricking their users into opening booby-trapped files... Brad Arkin, senior director of product security and privacy at Adobe, said members of the company's security team attended Miller's talk and have since confirmed his claims that the vulnerability can lead to remote code execution. The team is in the process of developing a patch and deciding whether to distribute it during Adobe's next scheduled update release or as an “out-of-band” fix that would come out in the next few weeks..."
- http://blogs.adobe.com/adobereader/

- http://secunia.com/advisories/40766/
Last update: 2010-08-06
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
... Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in Adobe Reader versions 8.2.3 and 9.3.3 and Adobe Acrobat version 9.3.3. Other versions may also be affected...

- http://www.adobe.com/support/security/bulletins/apsb10-17.html
August 5, 2010 - "Adobe is planning to release updates for Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh to resolve critical security issues, including CVE-2010-2862... Adobe expects to make these updates available during the week of August 16, 2010... Note that these updates represent an out-of-band release. Adobe is currently scheduled to release the next quarterly security update for Adobe Reader and Acrobat on October 12, 2010..."
- http://blogs.adobe.com/psirt/2010/0...ity-updates-for-adobe-reader-and-acrobat.html

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2862
Last revised: 08/06/2010

:fear:

 

[AplusWebMaster]

Flash Player critical update...

FYI...

Adobe Flash Player / Adobe AIR - critical updates
- http://www.adobe.com/support/security/bulletins/apsb10-16.html
August 10, 2010 - "Critical vulnerabilities have been identified in Adobe Flash Player version 10.1.53.64 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 10.1.53.64 and earlier versions update to Adobe Flash Player 10.1.82.76. Adobe recommends users of Adobe AIR 2.0.2.12610 and earlier versions update to Adobe AIR 2.0.3.
CVE number: CVE-2010-0209, CVE-2010-2188, CVE-2010-2213, CVE-2010-2214, CVE-2010-2215, CVE-2010-2216
Affected software versions:
• Adobe Flash Player 10.1.53.64 and earlier versions for Windows, Macintosh, Linux, and Solaris
• Adobe AIR 2.0.2.12610 and earlier versions for Windows, Macintosh and Linux...
For users who cannot update to Flash Player 10.1.82.76, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.280, which can be downloaded from here*...
Adobe recommends all users of Adobe AIR 2.0.2.12610 and earlier versions update to the newest version 2.0.3 by downloading it from the Adobe AIR Download Center:
- http://get.adobe.com/air/

* http://kb2.adobe.com/cps/406/kb406791.html

Direct download current version - executable Flash Player installer...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For IE ...
- http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
For Firefox, other browsers, etc...

Flash test site: http://www.adobe.com/software/flash/about/
... should read: "You have version 10,1,82,76 installed"
___

Adobe Flash Media Server - critical update
- http://www.adobe.com/support/security/bulletins/apsb10-19.html
August 10, 2010
CVE number: CVE-2010-2217, CVE-2010-2218, CVE-2010-2219, CVE-2010-2220
Platform: Windows, Linux ...
___

Hotfix available for ColdFusion
- http://www.adobe.com/support/security/bulletins/apsb10-18.html
August 10, 2010
Affected software versions: ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX
Solution: Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote**...
Severity rating: Adobe categorizes this as an important update...
** http://kb2.adobe.com/cps/857/cpsid_85766.html
___

http://www.securitytracker.com/id?1024313 - Flash Player
http://www.securitytracker.com/id?1024315 - Flash Media Server
http://www.securitytracker.com/id?1024314 - ColdFusion
Aug 10 2010

:fear:

 

[AplusWebMaster]

Adobe Reader/Acrobat v9.3.4 released

FYI...

Adobe Reader/Acrobat v9.3.4 released
- http://www.adobe.com/support/security/bulletins/apsb10-17.html
August 19, 2010
CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2862
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1240
Platform: All Platforms
Summary: Critical vulnerabilities have been identified in Adobe Reader 9.3.3 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.3 (and earlier versions) and Adobe Acrobat 8.2.3 (and earlier versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system... Adobe recommends users of Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.4, Adobe has provided the Adobe Reader 8.2.4 update*.) Adobe recommends users of Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.4. Adobe recommends users of Adobe Acrobat 8.2.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.4...
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2010-2862).
These updates further mitigate a social engineering attack that could lead to code execution (CVE-2010-1240)...
Users can utilize the product's update mechanism...
* http://www.adobe.com/support/downloads/new.jsp
___

- http://www.us-cert.gov/cas/techalerts/TA10-231A.html
August 19, 2010 - "... vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file...
Solution:
• Update... Users are encouraged to read Adobe Security Bulletin APSB10-17* and update vulnerable versions of Adobe Reader and Acrobat...
• Disable JavaScript in Adobe Reader and Acrobat ... JavaScript can be disabled using the Preferences menu...
• Disable the display of PDF files in the web browser ... Uncheck the 'Display PDF in browser' checkbox...."
(More detail at the US-CERT URL above.)
* http://www.adobe.com/support/security/bulletins/apsb10-17.html

:fear:

 

[AplusWebMaster]

Shockwave Player v11.5.8.612 released

FYI...

Shockwave Player v11.5.8.612 released
- http://www.adobe.com/support/security/bulletins/apsb10-20.html
August 24, 2010
CVE number: CVE-2010-2863, CVE-2010-2864, CVE-2010-2865, CVE-2010-2866, CVE-2010-2867, CVE-2010-2868, CVE-2010-2869, CVE-2010-2870, CVE-2010-2871, CVE-2010-2872, CVE-2010-2873, CVE-2010-2874, CVE-2010-2875, CVE-2010-2876, CVE-2010-2877, CVE-2010-2878, CVE-2010-2879, CVE-2010-2880, CVE-2010-2881, CVE-2010-2882
Platform: Windows and Macintosh
Summary: Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.7.609 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions update to Adobe Shockwave Player 11.5.8.612...
Solution: Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions upgrade to the newest version 11.5.8.612, available here: http://get.adobe.com/shockwave/ ...

:fear::fear:

 

[AplusWebMaster]

0-day Adobe Reader/Acrobat "being actively exploited in the wild"...

FYI...

- http://www.adobe.com/support/security/advisories/apsa10-02.html
September 8, 2010 - "... A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild..."
- http://isc.sans.edu/diary.html?storyid=9523
Last Updated: 2010-09-08 18:03:06 UTC
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2883
Last revised: 09/10/2010 - "... exploited in the wild in September 2010..."
CVSS v2 Base Score: 9.3

Adobe Reader/Acrobat vuln... unpatched
- http://secunia.com/advisories/41340/
Release Date: 2010-09-08
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
...vulnerability is confirmed in versions 8.2.4 and 9.3.4. Other versions may also be affected.
NOTE: The vulnerability is currently being actively exploited.
Solution: Do not open untrusted files.
Provided and/or discovered by: Reported as a 0-day....

- http://www.virustotal.com/file-scan...c703e5a2e26bd98402779f52b6c2e9da2b-1283972909
File name: Golf Clinic.pdf
Submission date: 2010-09-08 19:08:29 (UTC)
Result: 11/43 (25.6%)

(Better)...
- http://www.virustotal.com/file-scan...c703e5a2e26bd98402779f52b6c2e9da2b-1284031469
File name: Golf Clinic.pdf
Submission date: 2010-09-09 11:24:29 (UTC)
Result: 21/43 (48.8%)

:fear::fear:

 

[AplusWebMaster]

0-day Flash vuln "exploit in the wild"...

FYI...

0-day Flash vuln "exploit in the wild"...
- http://www.adobe.com/support/security/advisories/apsa10-03.html
September 13, 2010 - "... A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Android operating systems. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884*) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.
We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010.
We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010..."
- http://isc.sans.edu/diary.html?storyid=9544
Last Updated: 2010-09-14 00:40:35 UTC

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2884

- http://secunia.com/advisories/41434/
Release Date: 2010-09-14
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...

- http://securitytracker.com/alerts/2010/Sep/1024432.html
Sep 14 2010

:fear:

 

[AplusWebMaster]

Flash update 2010.09.20 ...

FYI...

Flash update 2010.09.20 ...
- http://www.adobe.com/support/security/advisories/apsa10-03.html
Last updated: September 17, 2010 - "... We now expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems on Monday September 20, 2010. A fix is now available for Google Chrome users. Chrome users can update to Chrome 6.0.472.62. To verify your current Chrome version number and update if necessary, follow the instructions here: http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_17.html (September 17, 2010). We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2884
Last revised: 09/18/2010 - "... as exploited in the wild in September 2010..."
CVSS v2 Base Score: 9.3 (HIGH)
- http://xforce.iss.net/xforce/xfdb/61771
September 18, 2010 - High Risk

** http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414
"...You can tell if updates are available if the wrench icon on the browser toolbar has a little orange dot: update notification. To apply the update, just close and restart the browser..."

:fear: