Toymaster Security Lab

Private Web Site

Adobe

Adobe Security

Posted by Dave
Independent Security Specialist
Toymaster Security Lab
Member Microsoft ITAC
Member WhiteHat
toymaster@att.net

 

************

Current Versions

Adobe Reader - v 11.0.3 or v 10.1.7 or v 9.5.5

Air - v 3.7.0.1860

FlashPlayer - v 11.7.700.202

Shockwave - v 12.0.0.122

 

 

 

Handy Adobe Links –

 

Adobe Reader

http://get.adobe.com/reader/?promoid=BUIGO

 

Adobe Flash Player

http://get.adobe.com/flashplayer/?promoid=BUIGP

 

Adobe Shockwave

http://get.adobe.com/shockwave/

 

Adobe Air

http://get.adobe.com/air/?promoid=BUIGQ

 

Adobe Flash Player Updates - as of December 2012, Flash Player updates will coincide with Windows Updates on the second Tuesday of each month

 

Important Installation Note - Adobe Reader and other Adobe software installations are often 'packaged' by Adobe to include other third-party software offerings such as the McAfee Security Scan or toolbars.  Be careful to read the installation screens and uncheck the box(es) for any additional software offerings to avoid installing other software that you will not want or need.

 

 

 

 

 

***********************************

 

 

 

 05/14/13

 

 

Adobe Patch Tuesday

 

 

Adobe Security Bulletins Posted

Adobe published the following Security Bulletins today:

 

 

| # | Affected | CVE | Adobe rating |
|---|---|---|---|
| APSB13-13 | ColdFusion | CVE-2013-1387, CVE-2013-1388 | Critical |
| APSB13-14 | Flash Player and AIR | CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, CVE-2013-3335 | Critical |
| APSB13-15 | Reader and Acrobat | CVE-2013-2549, CVE-2013-2550, CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2724, CVE-2013-2725, CVE-2013-2726, CVE-2013-2727, CVE-2013-2729, CVE-2013-2730, CVE-2013-2731, CVE-2013-2732, CVE-2013-2733, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-2737, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341, CVE-2013-3342 | Critical |

 

 

 

 

***************

 

ColdFusion

 

Security update: Hotfix available for ColdFusion

 

Adobe has released a security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX.  This hotfix addresses a vulnerability (CVE-2013-1389) that could allow remote arbitrary code execution on a system running ColdFusion, and a vulnerability (CVE-2013-3336) that could permit an unauthorized user to remotely retrieve files stored on the server. 

 

Adobe is aware of reports that CVE-2013-3336 (referenced in Security Advisory APSA13-03) is being exploited in the wild against ColdFusion customers. Adobe recommends users update their product installation.

 

Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote located here:

http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-13.html

Customers should also apply the security configuration settings as outlined on the ColdFusion Security page, as well as review the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.

 

This hotfix resolves a vulnerability that could be exploited by a remote, unauthorized user to run arbitrary code on a system running ColdFusion (CVE-2013-1389).

This hotfix resolves a vulnerability that could permit an unauthorized user to remotely retrieve files stored on the server (CVE-2013-3336).

 

 

 

***************

 

 

 

 

Security updates available for Adobe Flash Player

 

[Note from Dave: Comodo picks up install_flashplayer11x32_mssd_aih.exe as a false positive (TrojWare.Win32.Trojan.Agent.Gen) according to VirusTotal]

 

Adobe has released security updates for Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.280 and earlier versions for Linux, Adobe Flash Player 11.1.115.54 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

 

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.7.700.202.
  • Users of Adobe Flash Player 11.2.202.280 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.285.
  • Adobe Flash Player 11.7.700.169 installed with Google Chrome (and version 11.7.700.179 on the Windows platform) will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.7.700.202 for Windows, Macintosh and Linux.
  • Adobe Flash Player 11.7.700.169 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.7.700.202 for Windows 8.
  • Users of Adobe Flash Player 11.1.115.54 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.58. 
  • Users of Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x should update to Flash Player 11.1.111.54.
  • Users of Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh should update to Adobe AIR 3.7.0.1860.
  • Users of Adobe AIR 3.7.0.1660 and earlier versions for Android should update to Adobe AIR 3.7.0.1860.
  • Users of the Adobe AIR 3.7.0.1530 SDK & Compiler and earlier versions should update to the Adobe AIR 3.7.0.1860 SDK & Compiler.

 

Affected software versions

  • Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.280  and earlier versions for Linux
  • Adobe Flash Player 11.1.115.54 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.7.0.1660 and earlier versions for Android
  • Adobe AIR 3.7.0.1530 SDK & Compiler and earlier versions

 

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu.  If you use multiple browsers, perform the check for each browser you have installed on your system.

 

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

 

Adobe recommends users update their software installations by following the instructions below:

  • Adobe recommends users of Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh update to the newest version 11.7.700.202 by downloading it from the Adobe Flash Player Download Center.  Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically.  Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.
  • Adobe recommends users of Adobe Flash Player 11.2.202.280 and earlier versions for Linux update to Adobe Flash Player 11.2.202.285 by downloading it from the Adobe Flash Player Download Center.
  • For users of Flash Player 10.3.183.75 and earlier versions for Windows and Macintosh, who cannot update to Flash Player 11.7.700.202, Adobe has made available the update Flash Player 10.3.183.86, which can be downloaded here.
  • For users of Flash Player 10.3.183.75 and earlier versions for Linux, who cannot update to Flash Player 11.2.202.285, Adobe has made available the update Flash Player 10.3.183.86, which can be downloaded here.
  • Adobe Flash Player 11.7.700.169 installed with Google Chrome (and version 11.7.700.179 on the Windows platform) will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.7.700.202 for Windows, Macintosh and Linux.
  • Adobe Flash Player 11.7.700.169 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.7.700.202 for Windows 8.
  • Users of Adobe Flash Player 11.1.115.54 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.58*. 
    * Note: Applicable only for Android 4.x devices with Flash Player installed prior to August 15, 2012.
  • Users of Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x should update to Flash Player 11.1.111.54*. 
    * Note: Applicable only for Android 3.x devices and earlier with Flash Player installed prior to August 15, 2012.
  • Users of Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh should update to Adobe AIR 3.7.0.1860.
  • Users of the Adobe AIR 3.7.0.1660 and earlier versions for Android should update to Adobe AIR 3.7.0.1860 by browsing to Google play or the Amazon Marketplace on an Android device.
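
An added example (not part of Adobe's bulletin or the original page): a branch-aware check of installed Flash Player and AIR versions against the fixed builds listed above. The platform keys, host names and inventory rows are constructed for illustration, and the comma-separated version form is an assumption about how some inventory tools report the version.

```python
import re

# Fixed builds copied from the APSB13-14 text above. The first entry for each
# platform is the main fix; the others are fixes for separately maintained
# branches (10.3 legacy, and the 11.7 player bundled with Chrome on Linux).
FIXED = {
    ("flash", "windows"): ["11.7.700.202", "10.3.183.86"],
    ("flash", "macintosh"): ["11.7.700.202", "10.3.183.86"],
    ("flash", "linux"): ["11.2.202.285", "11.7.700.202", "10.3.183.86"],
    ("flash", "android4"): ["11.1.115.58"],
    ("flash", "android2-3"): ["11.1.111.54"],
    ("air", "windows"): ["3.7.0.1860"],
    ("air", "macintosh"): ["3.7.0.1860"],
    ("air", "android"): ["3.7.0.1860"],
}


def parse_version(text):
    """Turn '11.7.700.169' or 'WIN 11,7,700,169' into a tuple of four ints."""
    match = re.search(r"\d+(?:[.,]\d+){1,3}", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in re.split(r"[.,]", match.group(0))]
    return tuple(parts + [0] * (4 - len(parts)))


def assess(product, platform, installed):
    """Return (status, target_build) for one installation.

    Versions are compared numerically, component by component. A string
    comparison would rank '11.7.700.99' above '11.7.700.202'.
    """
    key = (product.lower(), platform.lower())
    if key not in FIXED:
        raise KeyError(f"no bulletin data for {key}")
    have = parse_version(installed)
    fixes = [parse_version(v) for v in FIXED[key]]
    # Prefer the fix from the same major.minor branch; otherwise use the
    # main fix for the platform.
    target = next((f for f in fixes if f[:2] == have[:2]), fixes[0])
    status = "patched" if have >= target else "vulnerable"
    return status, ".".join(str(n) for n in target)


# Constructed inventory rows: (host, product, platform, reported version).
INVENTORY = [
    ("ws-01", "flash", "windows", "11.7.700.169"),
    ("ws-02", "flash", "windows", "WIN 11,7,700,202"),
    ("ws-03", "flash", "windows", "10.3.183.75"),
    ("lx-01", "flash", "linux", "11.2.202.285"),
    ("lx-02", "flash", "linux", "11.7.700.169"),  # Chrome-bundled player
    ("tab-01", "air", "android", "3.7.0.1660"),
]


def audit(inventory):
    """Return (host, product, installed, target) for every vulnerable row."""
    findings = []
    for host, product, platform, installed in inventory:
        status, target = assess(product, platform, installed)
        if status == "vulnerable":
            findings.append((host, product, installed, target))
    return findings


if __name__ == "__main__":
    for host, product, installed, target in audit(INVENTORY):
        print(f"{host}: {product} {installed} -> update to {target}")
```
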

 

 

 

 

 

***************

 

 

 

 

Security updates available for Adobe Reader and Acrobat

 

 

Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.02) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.4 and earlier 9.x versions for Linux.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Reader XI (11.0.02) for Windows and Macintosh should update to Adobe Reader XI (11.0.03).
  • For users of Adobe Reader X (10.1.6) and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.03), Adobe has made available the update Adobe Reader X (10.1.7).
  • For users of Adobe Reader 9.5.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.03), Adobe has made available the update Adobe Reader 9.5.5.
  • Users of Adobe Reader 9.5.4 and earlier versions for Linux should update to Adobe Reader 9.5.5.
  • Users of Adobe Acrobat XI (11.0.02) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.03).
  • For users of Adobe Acrobat X (10.1.6) and earlier versions for Windows and Macintosh, who cannot update to Adobe Acrobat XI (11.0.03), Adobe has made available the update Adobe Acrobat X (10.1.7).
  • For users of Adobe Acrobat 9.5.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Acrobat XI (11.0.03), Adobe has made available the update Adobe Acrobat 9.5.5.

 

Affected software versions

  • Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.4 and earlier 9.x versions for Windows and Macintosh

 

Solution

Adobe recommends users update their software installations by following the instructions below:

 

Adobe Reader

Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule.  Update checks can be manually activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on Linux can find the appropriate update here: ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/.

 

Adobe Acrobat

Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule.  Update checks can be manually activated by choosing Help > Check for Updates.

 

Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 05/09/13

 

 

Security Advisory for ColdFusion

Release date: May 8, 2013

Vulnerability identifier: APSA13-03

Priority: 1

CVE number: CVE-2013-3336

Platform: All

 

 

 

Adobe has identified a critical vulnerability affecting ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX. This vulnerability (CVE-2013-3336) could permit an unauthorized user to remotely retrieve files stored on the server.

 

There are reports that an exploit for this vulnerability is publicly available.  ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide) are already mitigated against this issue.  Customers who have not already applied these steps can protect themselves from CVE-2013-3336 by implementing the following configuration settings:

 

 

We are in the process of finalizing a fix for this issue and expect a hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX to be available on May 14, 2013.
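
An added example (not from Adobe's advisory or the Lockdown Guides): a log review that checks whether the three CFIDE directories named above are in fact unreachable from outside. It assumes access logs in the common/combined format and an allow-list of management networks; the sample log lines and addresses are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Directories the advisory says should not be publicly reachable.
RESTRICTED = ("/cfide/administrator", "/cfide/adminapi", "/cfide/gettingstarted")

# Assumption: networks that are allowed to reach the admin paths.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample input.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2013:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
10.1.2.3 - - [09/May/2013:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
198.51.100.9 - - [09/May/2013:10:03:00 +0000] "GET /cfide//AdminAPI/ HTTP/1.1" 403 210
198.51.100.9 - - [09/May/2013:10:04:00 +0000] "GET /app/../CFIDE%2Fgettingstarted/ HTTP/1.1" 404 0
203.0.113.7 - - [09/May/2013:10:05:00 +0000] "GET /index.cfm HTTP/1.1" 200 900
"""


def normalize_path(target):
    """Reduce a request target to a lower-case, decoded, collapsed path."""
    path = re.split(r"[?;#]", target, maxsplit=1)[0]
    path = unquote(path).replace("\\", "/")  # decode once, unify separators
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_restricted(path):
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED)


def is_allowed(ip_text):
    """True only for a parseable address inside an allowed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or garbage count as external
    return any(ip in net for net in ALLOWED_NETS)


def find_exposed(lines):
    """Return requests to restricted CFIDE paths from non-allowed sources.

    'reachable' is True when the server answered with a status below 400,
    meaning the access restriction is not in effect for that client.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = normalize_path(m.group("target"))
        if is_restricted(path) and not is_allowed(m.group("ip")):
            status = int(m.group("status"))
            findings.append({
                "ip": m.group("ip"),
                "path": path,
                "status": status,
                "reachable": status < 400,
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed(SAMPLE_LOG.splitlines()):
        state = "REACHABLE" if f["reachable"] else "blocked"
        print(f'{f["ip"]} {f["path"]} {f["status"]} {state}')
```

Any row marked reachable means the restriction is not applied for that source, so the server should be treated as exposed until the hotfix or the access restriction is in place.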

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

04/09/13

 

 

Adobe Patch Tuesday 04/09/13

 

Adobe released Security Bulletins and Patches for ColdFusion, AIR, Flash Player and Shockwave on Tuesday, April 9th.

 

 

ColdFusion Security Hotfix APSB13-10

 

ColdFusion 10, ColdFusion 9.0.2, ColdFusion 9.0.1, and ColdFusion 9.0 are affected with the vulnerabilities mentioned in the security bulletin APSB13-10. This article provides fixes for the security issues mentioned in the bulletin, along with the installation instructions.

 

ColdFusion users should follow the installation instructions here

 

Security Bulletin here -

https://www.adobe.com/support/security/bulletins/apsb13-10.html

 

 

 

 

***************

 

 

 

Flash Player and Air

 

Flash Player users need to update to Adobe Flash Player 11.7.700.169

http://get.adobe.com/flashplayer/

 

Four security vulnerabilities are patched

 

Adobe Air users need to update to Adobe AIR 3.7

http://get.adobe.com/air/

 

Adobe has released security updates for Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.275 and earlier versions for Linux, Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.7.700.169.
  • Users of Adobe Flash Player 11.2.202.275 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.280.
  • Adobe Flash Player 11.6.602.180 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.7.700.179 for Windows and 11.7.700.169 for Macintosh and Linux.
  • Adobe Flash Player 11.6.602.180 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.7.700.169 for Windows 8.
  • Users of Adobe Flash Player 11.1.115.48 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.54. 
  • Users of Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x should update to Flash Player 11.1.111.50.
  • Users of Adobe AIR 3.6.0.6090 and earlier versions for Windows, Macintosh and Android should update to Adobe AIR 3.7.0.1530.
  • Users of the Adobe AIR 3.6.0.6090 SDK & Compiler and earlier versions should update to the Adobe AIR 3.7.0.1530 SDK & Compiler.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-2555).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-1378, CVE-2013-1380).

These updates resolve a memory corruption vulnerability caused by Flash Player improperly initializing certain pointer arrays, which could lead to code execution (CVE-2013-1379).

 

Security Bulletin here -

https://www.adobe.com/support/security/bulletins/apsb13-11.html

 

 

 

 

***************

 

 

 

Shockwave

 

Adobe recommends users of Adobe Shockwave Player 12.0.0.112 and earlier versions update to the newest version 12.0.2.122, available here: http://get.adobe.com/shockwave/

 

Adobe has released a security update for Adobe Shockwave Player 12.0.0.112 and earlier versions on the Windows and Macintosh operating systems.  This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.  Adobe recommends users of Adobe Shockwave Player 12.0.0.112 and earlier versions update to Adobe Shockwave Player 12.0.2.122.

 

Four security vulnerabilities are patched

 

Security Bulletin here -

https://www.adobe.com/support/security/bulletins/apsb13-12.html

 

 

 

 

***************

 

 

 

Here is a quick synopsis of the bulletins –

 

Adobe Security Bulletin:

 

APSB13-10: Security hotfix available for ColdFusion

APSB13-11: Security updates available for Adobe Flash Player

APSB13-12: Security updates available for Shockwave Player

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

APSB13-10: Security hotfix available for ColdFusion

 

Originally posted: April 9, 2013

 

Summary:

 

Adobe has released a security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX.  This hotfix addresses vulnerabilities that could allow unauthorized access to a ColdFusion server.  Adobe recommends users update their product installation using the instructions provided in the "Solution" section of the Security Bulletin.

 

 

Priority and Severity Ratings:

 

Adobe categorizes these updates as priority 2, addressing important vulnerabilities:

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

APSB13-11: Security updates available for Adobe Flash Player

 

Originally posted: April 9, 2013

 

Summary:

 

Adobe has released security updates for Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.275 and earlier versions for Linux, Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their software installations using the instructions provided in the "Solution" section of the Security Bulletin.

 

 

Priority and Severity Ratings:

 

Adobe categorizes these updates as priority 1, addressing critical vulnerabilities:

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

APSB13-12: Security updates available for Adobe Shockwave Player

 

Originally posted: April 9, 2013

 

Summary:

 

Adobe has released a security update for Adobe Shockwave Player 12.0.0.112 and earlier versions on the Windows and Macintosh operating systems.  This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

Adobe recommends users update their software installations using the instructions provided in the "Solution" section of the Security Bulletin.

 

 

Priority and Severity Ratings:

 

Adobe categorizes these updates as priority 1, addressing critical vulnerabilities:

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 03/12/13

 

 

Flash Player and Air Security Updates

 

Adobe released critical updates for Flash Player and users are advised to update immediately to the newest version 11.6.602.180

 

Adobe Air updates to v 3.6.0.6090

 

 

APSB13-09 describes the fixes for CVE-2013-0646 (integer overflow), CVE-2013-0650 (use after free), CVE-2013-1371 (memory corruption) and CVE-2013-1375 (heap buffer overflow).  The four fixes do not yet patch the vulnerability used by Vupen at the Pwn2Own contest in Vancouver, but Adobe indicates that it will be patched as part of the April 9th update release.

 

Android 2.x, 3.x, and 4.x users who installed Flash Player before Adobe pulled the plug-in from distribution must jump through hoops to update the software. For details, check out this post.

 

To reflect these updates, Google Chrome has updated to v 25.0.1364.172

 

 

APSB13-09: Security updates available for Adobe Flash Player

 

Originally posted: March 12, 2013

 

Summary:

 

Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest version.

 

Learn more: http://click.mail.adobesystems.com/?qs=72aa226cac87c5adf7129fb98fe8772cffa02529fe0b915103ff825247783439a83dc2ee5a042208

 

Priority and Severity Ratings:

 

Adobe categorizes these updates as priority 1, addressing critical vulnerabilities:

 

http://click.mail.adobesystems.com/?qs=72aa226cac87c5ad101505ecab1edc53e5a07aa9bde73895282fbdd7edd03a62075e1f197f475e72

 

 

  • Adobe recommends users of Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh update to the newest version 11.6.602.180 by downloading it from the Adobe Flash Player Download Center. Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.
  • Adobe recommends users of Adobe Flash Player 11.2.202.273 and earlier versions for Linux update to Adobe Flash Player 11.2.202.275 by downloading it from the Adobe Flash Player Download Center.
  • For users of Flash Player 10.3.183.67 and earlier versions for Windows and Macintosh, who cannot update to Flash Player 11.6.602.180, Adobe has made available the update Flash Player 10.3.183.68, which can be downloaded here.
  • For users of Flash Player 10.3.183.67 and earlier versions for Linux, who cannot update to Flash Player 11.2.202.275, Adobe has made available the update Flash Player 10.3.183.68, which can be downloaded here.
  • Adobe Flash Player 11.6.602.171 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.180 for Windows, Macintosh and Linux.
  • Adobe Flash Player 11.6.602.171 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.6.602.180 for Windows.
  • Users of Adobe Flash Player 11.1.115.47 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.48*.
    * Note: Applicable only for Android 4.x devices with Flash Player installed prior to August 15, 2012.
  • Users of Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x should update to Flash Player 11.1.111.44*.
    * Note: Applicable only for Android 3.x devices and earlier with Flash Player installed prior to August 15, 2012.
  • Users of Adobe AIR 3.6.0.597 and earlier versions for Windows and Macintosh should update to Adobe AIR 3.6.0.6090.
  • Users of the Adobe AIR 3.6.0.597 SDK and earlier versions for Windows and Macintosh should update to the Adobe AIR 3.6.0.6090 SDK.
  • Users of the Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions should update to the Adobe AIR 3.6.0.6090 SDK & Compiler.
  • Users of the Adobe AIR 3.6.0.597 and earlier versions for Android should update to Adobe AIR 3.6.0.6090 by browsing to Google play or the Amazon Marketplace on an Android device.

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 

 

 02/26/13

 

Adobe releases Critical Flash Player Updates

 

APSB13-08: Security updates available for Adobe Flash Player

 

Originally posted: February 26, 2013

 

Adobe has released security updates for Adobe Flash Player 11.6.602.168 and earlier versions for Windows, Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, and Adobe Flash Player 11.2.202.270 and earlier versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser.

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171.
  • Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.273.
  • Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux.
  • Adobe Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.6.602.171 for Windows.

 

Adobe recommends users update their software installations by following the instructions below:

  • Adobe recommends users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, update to the newest version 11.6.602.171 by downloading it from the Adobe Flash Player Download Center. Users of Flash Player 11.2.x or later for Windows, and users of Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.
  • For users of Flash Player 10.3.183.63 and earlier versions for Windows and Flash Player 10.3.183.61 and earlier versions for Macintosh, who cannot update to Flash Player 11.6.602.171, Adobe has made available the update Flash Player 10.3.183.67, which can be downloaded here.
  • Adobe recommends users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux update to Adobe Flash Player 11.2.202.273 by downloading it from the Adobe Flash Player Download Center.
  • For users of Flash Player 10.3.183.61 and earlier versions for Linux, who cannot update to Flash Player 11.2.202.273, Adobe has made available the update Flash Player 10.3.183.67, which can be downloaded here.
  • Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux.
  • Adobe Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.6.602.171 for Windows.

 

 

http://get.adobe.com/flashplayer/

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

02/20/13

 

 

Adobe Reader updated

 

Adobe Reader Updates released

 

Adobe Reader 9 updates to v 9.5.4

Adobe Reader 10 updates to v 10.1.6

Adobe Reader 11 updates to v 11.0.2

 

Adobe Advisory APSA13-02 –

http://www.adobe.com/support/security/advisories/apsa13-02.html

 

 

From the Adobe Advisory -

Adobe has identified critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier for Linux.  These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system. 

 

Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.

 

 

 

 

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 

 

 02/12/13

 

 

Adobe Flash, Air, and Shockwave Updated, 0-day for Reader & Acrobat unpatched

 

Adobe recommends users of Adobe Flash Player 11.5.502.149 and earlier versions for Windows update to the newest version 11.6.602.168 - yes I know, we just updated 5 days ago, but do it again.

   

Adobe recommends users of Adobe AIR 3.5.0.1060 and earlier versions should update to Adobe AIR 3.6.0.5970

 

Adobe recommends users of Adobe Shockwave Player 11.6.8.638 and earlier versions update to Adobe Shockwave Player 12.0.0.112

 

Both updates address multiple CVE vulnerabilities and are covered in detail in Adobe Security Bulletins.

 

Adobe Security Bulletin APSB13-05 covers Flash Player and Air

http://www.adobe.com/support/security/bulletins/apsb13-05.html

 

Adobe Security Bulletin APSB13-06 covers Shockwave

http://www.adobe.com/support/security/bulletins/apsb13-06.html

 

 

 

So, to review Adobe bulletins for February –

 

APSB13-04: Security update available for Adobe Flash Player

 

Originally posted: February 7, 2013

(These were the emergency 0-day patches released by Adobe that we applied last week.  Technical details of the 0-day discovered by FireEye are posted here - http://blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+FE_research+%28FireEye+Malware+Intelligence+Lab%29)

 

 

Summary: 

 

 

Adobe has released security updates for Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.261 and earlier versions for Linux, Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest version.

 

http://www.adobe.com/support/security/bulletins/apsb13-04.html

 

 

***************

 

 

 

 

APSB13-05: Security update available for Adobe Flash Player

 

Originally posted: February 12, 2013

 

Summary:

 

Adobe has released security updates for Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.262 and earlier versions for Linux, Adobe Flash Player 11.1.115.37 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest version.

 

 

http://www.adobe.com/support/security/bulletins/apsb13-05.html

 

 

 

 

 

***************

 

 

 

APSB13-06: Security update available for Adobe Shockwave Player

 

Originally posted: February 12, 2013

 

Summary:

 

Adobe has released a security update for Adobe Shockwave Player 11.6.8.638 and earlier versions on the Windows and Macintosh operating systems.  This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.  Adobe recommends users of Adobe Shockwave Player 11.6.8.638 and earlier versions update to Adobe Shockwave Player 12.0.0.112.

 

 

http://www.adobe.com/support/security/bulletins/apsb13-06.html

 

 

 

Adobe Reader and Acrobat 0-day vulnerabilities

 

Adobe, on the PSIRT blog, posted that “Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information.”

 

That’s it – no detailed information of any kind, but I believe an update is on the horizon, and I will keep you posted.

 

The information comes to Adobe by way of FireEye Malware Intelligence Lab – this is their posting:

 

http://feedproxy.google.com/~r/FE_research/~3/rFigWGCryps/in-turn-its-pdf-time.html

 

 

 

 

And finally, Adobe has posted a full Security Advisory (APSA13-02) on this issue, available here –

https://www.adobe.com/support/security/advisories/apsa13-02.html

Adobe suggests mitigation by running Adobe Reader v 11 and turning on Protected View.

 

 

Alternate PDF Readers –

 

If you are rightly concerned because you use PDF files a lot, I can recommend some alternatives that you might want to try until Adobe gets this sorted out, and who knows, you might just like them a lot more -

 

Windows users – try Sumatra http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html

 

Mac OS X users – try Skim http://skim-app.sourceforge.net/

 

Linux users – try Okular or Evince http://okular.kde.org/  or  http://projects.gnome.org/evince/

 

I do not recommend the Mozplugger plug-in for Firefox.

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 02/07/13

 

 

Flash Player critical advisory and updates released

 

Remember me telling you that Adobe was now planning Flash Player releases to coincide with Microsoft Tuesday?  Well, this one is early, but quite critical - it patches two 0-day vulnerabilities, so best get patched up immediately.  Please note that it also affects Mac, Linux and even Android based devices as well.

 

 http://www.adobe.com/support/security/bulletins/apsb13-04.html

 

Security updates available for Adobe Flash Player

Release date: February 7, 2013

Vulnerability identifier: APSB13-04

 

Adobe has released security updates for Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.261 and earlier versions for Linux, Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

 

Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

 

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

Adobe recommends users update their product installations to the latest versions:

 

  • Users of Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.149.
  • Users of Adobe Flash Player 11.2.202.261 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.262.
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.139 for Windows, Macintosh and Linux.
  • Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.3.379.14 for Windows.
  • Users of Adobe Flash Player 11.1.115.36 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.37.
  • Users of Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.32.

 

Affected software versions

  • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.261 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x

 

Adobe recommends users of Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh update to the newest version 11.5.502.149 by downloading it from the Adobe Flash Player Download Center. Users of Flash Player 11.2.x or later for Windows and users of Flash Player 11.3.x for Macintosh who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

 

For users of Flash Player 10.3.183.50 and earlier versions for Windows and Macintosh, who cannot update to Flash Player 11.5.502.149, Adobe has made available the update Flash Player 10.3.183.51, which can be downloaded here.

 

Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.139 for Windows, Macintosh and Linux.

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 Week ending 01/19/13

 

 

Adobe ColdFusion Hotfix

 

From the Adobe bulletin - http://www.adobe.com/support/security/bulletins/apsb13-03.html

 

Adobe has released a security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX.  This hotfix addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.

Adobe is aware of reports that four vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632, referenced in Security Advisory APSA13-01) are being exploited in the wild against ColdFusion customers.  Adobe recommends users update their product installation using the instructions provided in the "Solution" section below.

 


 

Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote: http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html.

 

This hotfix resolves an authentication bypass vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0625).

 

This hotfix resolves a directory traversal vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could permit an unauthorized user access to restricted directories (CVE-2013-0629).

 

This hotfix resolves a vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in information disclosure from a compromised server (CVE-2013-0631).

 

This hotfix resolves an authentication bypass vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0632).

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 

 01/08/13

 

 

Adobe Tuesday

 

Adobe has released updates for Flash Player, Air and Adobe Reader in order to address critical vulnerabilities.  This will naturally lead to a new version of the Chrome browser, as Flash Player is baked into the browser by Google (Windows users will need to be sure they are running Chrome v 23.0.1271.97).  The Flash Player update addresses one CVE while the Adobe Reader and Acrobat updates address 26 CVEs.  Adobe rates these updates as critical and suggests they be installed as soon as possible.

 

Flash Player and Air

 

Adobe has released security updates for Adobe Flash Player 11.5.502.135 and earlier versions for Windows, Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh, Adobe Flash Player 11.2.202.258 and earlier versions for Linux, Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x. These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system.

 

Adobe recommends users update their product installations to the latest versions:

 

  • Users of Adobe Flash Player 11.5.502.135 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.146.
  • Users of Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.146.
  • Users of Adobe Flash Player 11.2.202.258 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.261.
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.137 for Windows, Macintosh and Linux.
  • Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.378.5 for Windows.
  • Users of Adobe Flash Player 11.1.115.34 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.36.
  • Users of Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.31.
  • Users of Adobe AIR 3.5.0.880 and earlier versions for Windows should update to Adobe AIR 3.5.0.1060.
  • Users of Adobe AIR 3.5.0.890 and earlier versions for Macintosh should update to Adobe AIR 3.5.0.1060.
  • Users of the Adobe AIR SDK (includes AIR for iOS) should update to the Adobe AIR 3.5.0.1060 SDK.

 

Adobe security bulletin APSB13-01 is here –

http://www.adobe.com/support/security/bulletins/apsb13-01.html
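
An added example (not Adobe's code and not part of the original post): a Python audit of an inventory against the fixed builds listed for APSB13-01 above. It compares build numbers as integers per install channel, because one text comparison against a single floor misjudges both the Chrome-bundled build and AIR 3.5.0.880. Host names, channel labels and the inventory rows are constructed for illustration.

```python
# Fixed builds copied from the APSB13-01 update list above.
# Assumption: the (product, channel) labels are this example's own naming.
FIXED_BUILDS = {
    ("flash", "windows"): "11.5.502.146",
    ("flash", "macintosh"): "11.5.502.146",
    ("flash", "linux"): "11.2.202.261",
    ("flash", "chrome"): "11.5.31.137",      # bundled with Google Chrome
    ("flash", "ie10-win8"): "11.3.378.5",    # bundled with IE 10 on Windows 8
    ("flash", "android-4.x"): "11.1.115.36",
    ("flash", "android-3.x"): "11.1.111.31",
    ("air", "windows"): "3.5.0.1060",
    ("air", "macintosh"): "3.5.0.1060",
}


def parse_version(text):
    """Turn '11.5.502.135' (or the comma form '11,5,502,135') into a tuple of ints."""
    fields = text.strip().replace(",", ".").split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError("not a four-part build number: %r" % text)
    return tuple(int(f) for f in fields)


def check(product, channel, installed):
    """Return (status, required_build) for one installation.

    status is 'patched', 'update', or 'unknown' when the channel is not in
    the bulletin or the installed build string does not parse.
    """
    required = FIXED_BUILDS.get((product, channel))
    if required is None:
        return "unknown", None
    try:
        have = parse_version(installed)
    except ValueError:
        return "unknown", required
    status = "patched" if have >= parse_version(required) else "update"
    return status, required


def naive_check(installed, floor="11.5.502.146"):
    """The shortcut to avoid: one floor for every channel, compared as text."""
    return "patched" if installed >= floor else "update"


def audit(inventory):
    """Return every row that is not confirmed patched."""
    findings = []
    for host, product, channel, installed in inventory:
        status, required = check(product, channel, installed)
        if status != "patched":
            findings.append((host, product, channel, installed, required, status))
    return findings


# Constructed inventory: (host, product, channel, installed build).
INVENTORY = [
    ("ws-014", "flash", "windows", "11.5.502.135"),
    ("ws-014", "flash", "chrome", "11.5.31.137"),      # patched, below the desktop floor
    ("ws-022", "air", "windows", "3.5.0.880"),         # text compare calls this patched
    ("mac-03", "flash", "macintosh", "11,5,502,146"),
    ("kiosk-1", "flash", "linux", "11.2.202.258"),
    ("tab-07", "flash", "android-4.x", "11.1.115.36"),
    ("ws-031", "flash", "windows", "11.5.502"),        # truncated build string
]

if __name__ == "__main__":
    for host, product, channel, installed, required, status in audit(INVENTORY):
        print("%-8s %-5s %-12s installed=%-14s required=%-14s %s"
              % (host, product, channel, installed, required, status))
```

Rows reported as `unknown` need a manual look rather than being counted as patched.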

 

 

 

Adobe Reader and Acrobat

 

Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

 

Adobe recommends users update their product installations to the latest versions:

 

  • Users of Adobe Reader XI (11.0.0) for Windows and Macintosh should update to Adobe Reader XI (11.0.1).
  • For users of Adobe Reader X (10.1.4) and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.1), Adobe has made available the update Adobe Reader X (10.1.5).
  • For users of Adobe Reader 9.5.2 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.1), Adobe has made available the update Adobe Reader 9.5.3.
  • Users of Adobe Reader 9.5.1 and earlier versions for Linux should update to Adobe Reader 9.5.3.
  • Users of Adobe Acrobat XI (11.0.0) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.1).
  • Users of Adobe Acrobat X (10.1.4) and earlier versions for Windows and Macintosh should update to Adobe Acrobat X (10.1.5).
  • Users of Adobe Acrobat 9.5.2 and earlier versions for Windows and Macintosh should update to Adobe Acrobat 9.5.3

 

The Adobe security bulletin APSB13-02 is here –

http://www.adobe.com/support/security/bulletins/apsb13-02.html

 

 

 

 

 

 

***************

 

 

 

 

 

 

ColdFusion

 

ColdFusion users should remember that hackers are exploiting several unpatched flaws in Adobe's ColdFusion application server software. The vulnerabilities affect ColdFusion versions 10, 9.0.2, 9.0.1, and 9.0. One of the flaws can be exploited to take control of vulnerable servers; another can be exploited to access restricted directories; and the third can be exploited to allow information disclosure. Adobe says it is working on patches for the flaws and expects to have them ready for release on January 15; in the meantime, the company has offered suggestions for protecting machines from attacks through the flaws.

 

https://isc.sans.edu/diary/Adobe+ColdFusion+Security+Advisory/14827

http://www.computerworld.com/s/article/9235358/Adobe_warns_of_actively_exploited_ColdFusion_flaws?taxonomyId=17

http://www.adobe.com/support/security/advisories/apsa13-01.html

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 

 

Week ending 01/05/12

 

 

 

Adobe critical updates pre-notification                       

 

Adobe is planning critical update releases this coming Tuesday, 12/08/13, to address security vulnerabilities in Adobe Reader and Acrobat.  The pre-notification bulletin is here - http://www.adobe.com/support/security/bulletins/apsb13-02.html

 

Affected software versions

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

 

 

Priority and Severity ratings

Adobe will be assigning the following priority ratings to these updates:

Product       | Updated Version                      | Platform              | Priority Rating
Adobe Reader  | XI (11.0.0)                          | Windows and Macintosh | 2
Adobe Reader  | X (10.1.4) and earlier 10.x versions | Windows and Macintosh | 2
Adobe Reader  | 9.5.2 and earlier 9.x versions       | Windows               | 1
Adobe Reader  | 9.5.2 and earlier 9.x versions       | Macintosh             | 2
Adobe Reader  | 9.5.1 and earlier 9.x versions       | Linux                 | 2
Adobe Acrobat | XI (11.0.0)                          | Windows and Macintosh | 2
Adobe Acrobat | X (10.1.4) and earlier 10.x versions | Windows and Macintosh | 2
Adobe Acrobat | 9.5.2 and earlier 9.x versions       | Windows               | 1
Adobe Acrobat | 9.5.2 and earlier 9.x versions       | Macintosh             | 2


These updates will address critical vulnerabilities in the software.

 

 

 

 

 

 

============================================================

 

 

 

Adobe ColdFusion Security Advisory

 

Adobe released a security advisory which identifies three vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631) affecting ColdFusion for Windows, Macintosh and Unix. They have received reports that these vulnerabilities are actively being exploited. Adobe is currently planning to release a fix for January 15, 2013.

 

http://www.adobe.com/support/security/advisories/apsa13-01.html

 

Adobe recommends ColdFusion customers take the following steps to mitigate these vulnerabilities:

  • Configure a username and password for Remote Development Services (RDS).  These credentials should be different from the Administrator account.  After configuring the username and password, users should disable RDS.
  • Disable external access to the following directories for all hosted sites:
    • /CFIDE/administrator
    • /CFIDE/adminapi
    • /CFIDE/componentutils
  • Remove any unknown or unnecessary ColdFusion components or templates from the CFIDE or webroot directories.
  • Implement access control restrictions for the Administrator interface and internal applications via the Administrator Console (in ColdFusion version 10) or within your web server's access control mechanisms for versions 9.0.2 and below.
  • Ensure your ColdFusion product has the latest hotfix applied.
  • Refer to the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide for security best practices and further information on these hardening techniques.
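
One way to confirm that the directory restriction in the list above is actually in effect, as an added example rather than anything from Adobe's advisory: a Python pass over web server access logs that flags requests to the three CFIDE directories arriving from outside the internal networks. The log lines, addresses, internal ranges and the `example.cfc` name are constructed assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# The three directories named in the advisory, lower-cased for matching.
RESTRICTED = ("/cfide/administrator", "/cfide/adminapi", "/cfide/componentutils")

# Assumption: networks that are allowed to reach the admin paths.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

# Common/combined access log format: client, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

# Responses that show the web server refused the request.
BLOCKED_STATUSES = {401, 403, 404}


def normalise(target):
    """Reduce a request target to a canonical lower-case path.

    Drops the query string, decodes percent-escapes, collapses duplicate
    slashes and dot segments, and lower-cases the result so that
    /CFIDE//AdminAPI/ and /cfide/adminapi compare equal.
    """
    path = unquote(target.partition("?")[0]).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_restricted(path):
    return any(path == r or path.startswith(r + "/") for r in RESTRICTED)


def is_internal(ip_text):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as external
    return any(addr in net for net in INTERNAL_NETS)


def audit_cfide(lines):
    """Return (client, path, status, verdict) for each external admin-path hit.

    verdict is 'blocked' when the server answered 401/403/404 and 'exposed'
    for any other status, which means the restriction is not in place.
    """
    report = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or is_internal(m.group("ip")):
            continue
        path = normalise(m.group("target"))
        if is_restricted(path):
            status = int(m.group("status"))
            verdict = "blocked" if status in BLOCKED_STATUSES else "exposed"
            report.append((m.group("ip"), path, status, verdict))
    return report


# Constructed sample log (documentation address ranges, made-up sizes).
SAMPLE_LOG = """
10.1.4.20 - - [15/Jan/2013:09:12:01 -0500] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.45 - - [15/Jan/2013:09:14:37 -0500] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 199
198.51.100.7 - - [15/Jan/2013:09:15:02 -0500] "GET /cfide//AdminAPI/example.cfc HTTP/1.1" 200 87
203.0.113.45 - - [15/Jan/2013:09:15:40 -0500] "GET /CFIDE/componentutils/ HTTP/1.1" 302 0
203.0.113.9 - - [15/Jan/2013:09:16:11 -0500] "GET /CFIDE/scripts/cfform.js HTTP/1.1" 200 4410
203.0.113.9 - - [15/Jan/2013:09:16:12 -0500] "GET /index.cfm?page=/CFIDE/administrator HTTP/1.1" 200 912
"""

if __name__ == "__main__":
    for client, path, status, verdict in audit_cfide(SAMPLE_LOG.splitlines()):
        print("%-15s %-35s %d %s" % (client, path, status, verdict))
```

Any `exposed` row means an outside client received something other than a refusal from one of the three directories, so the access control should be rechecked for that site.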

 

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 12/11/10

 

 

 

Adobe releases updates for Flash Player & Air

 

Remember there are Flash Player updates for both ActiveX (IE) and Plug-In (Firefox etc.) browser versions, and this also resulted in a new release of the Google Chrome browser (v 23.0.1271.97), as Flash Player is built into the browser.

 

From the Flash Player bulletin –

 

Adobe has released security updates for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.251 and earlier versions for Linux, Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. 

 

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.5.502.110 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.135.
  • Users of Adobe Flash Player 11.5.502.110 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.136.
  • Users of Adobe Flash Player 11.2.202.251 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.258.
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.5 for Windows, Macintosh and Linux.
  • Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.377.15.
  • Users of Adobe Flash Player 11.1.115.27 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.34.
  • Users of Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.29.
  • Users of Adobe AIR 3.5.0.600 and earlier versions for Windows should update to Adobe AIR 3.5.0.880.
  • Users of Adobe AIR 3.5.0.600 and earlier versions for Macintosh should update to Adobe AIR 3.5.0.890.
  • Users of the Adobe AIR 3.5.0.600 SDK (includes AIR for iOS) should update to the Adobe AIR 3.5.0.880 SDK (Windows) or Adobe AIR 3.5.0.890 SDK (Mac)

The complete bulletin is here –

http://www.adobe.com/support/security/bulletins/apsb12-27.html

 

 

 

 

***************

 

 

 

 

Hotfix available for ColdFusion 10 and earlier

 

Adobe has released a security hotfix for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX. This hotfix resolves a vulnerability which could result in a sandbox permissions violation in a shared hosting environment. Adobe recommends users update their product installation using the instructions provided in the "Solution" section below.

 

Affected software versions

ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX

 

Solution

Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote:
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-26.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

11/06/12

 

Critical updates for Adobe Flash Player and Adobe Air

 

 

Adobe has announced that it will pair future security updates for its popular Flash Player with Microsoft's Patch Tuesday schedule.

 

 

 

The full security bulletin is available here –

http://www.adobe.com/support/security/bulletins/apsb12-24.html

 

 

 

Adobe Security Bulletin:
- APSB12-24: Security updates available for Adobe Flash 
Player
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
APSB12-24: Security updates available for Adobe Flash Player
 
Originally posted: November 6, 2012
 
Summary:  
 
Adobe has released security updates for Adobe Flash Player 
11.4.402.287 and earlier versions for Windows and Macintosh, 
Adobe Flash Player 11.2.202.243 and earlier versions for 
Linux, Adobe Flash Player 11.1.115.20 and earlier versions 
for Android 4.x, and Adobe Flash Player 11.1.111.19 and 
earlier versions for Android 3.x and 2.x. These updates 
address vulnerabilities that could cause a crash and 
potentially allow an attacker to take control of the 
affected system.
 
Adobe recommends users update their product installations 
to the latest versions:
 
- Users of Adobe Flash Player 11.4.402.287 and earlier 
versions for Windows and Macintosh should update to Adobe 
Flash Player 11.5.502.110.
 
- Users of Adobe Flash Player 11.2.202.243 and earlier 
versions for Linux should update to Adobe Flash Player 
11.2.202.251.
 
- Flash Player installed with Google Chrome will automatically 
be updated to the latest Google Chrome version, which will 
include Adobe Flash Player 11.5.31.2 for Windows, Macintosh 
and Linux. 
 
- Flash Player installed with Internet Explorer 10 will 
automatically be updated to the latest Internet Explorer 
10 version, which will include Adobe Flash Player 11.3.376.12 
for Windows.
 
- Users of Adobe Flash Player 11.1.115.20 and earlier versions 
on Android 4.x devices should update to Adobe Flash Player 
11.1.115.27. 
 
- Users of Adobe Flash Player 11.1.111.19 and earlier 
versions for Android 3.x and earlier versions should update 
to Flash Player 11.1.111.24. 
 
- Users of Adobe AIR 3.4.0.2710 and earlier versions for 
Windows and Macintosh, SDK (including AIR for iOS) and Android 
should update to Adobe AIR 3.5.0.600.
 
Learn more: http://click.mail.adobesystems.com/?qs=b24c18410ca3aedd6fa46621cc027d7e323a1c7722248f678b4f64998a2ae9cecf1e1a7393178a65
 
Priority and Severity Ratings: 
Adobe categorizes these updates as priority 1 for Windows, 
addressing critical vulnerabilities:
 
http://click.mail.adobesystems.com/?qs=b24c18410ca3aedd4e4c88a4d46fea4fc8523626575a55b672f2f1affc058257622faae895fbaaa3

 

 

 ********************

 

 

 

0-day Exploit for Adobe Reader?

 

Adobe indicates it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of Adobe Reader software are being sold in the cybercriminal underground.  Moscow-based forensics firm Group-IB said they have discovered that a new exploit capable of compromising the security of computers running Adobe Reader X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000.

 

So far the attack has only been seen to be effective against Adobe Reader running on Windows-based machines.  Group-IB also says this vulnerability is included in the latest customized versions of the Blackhole Exploit Kit, a pervasive crimeware kit also being sold on the underground.  The exploit is being sold on the black market for an estimated US$30,000 to $50,000 and currently it's being used in targeted attacks against bank customers.  The new exploit works even if JavaScript support is disabled in Adobe Reader, and can be used to target Adobe Reader through Internet Explorer and Mozilla Firefox. However, the attack fails in Google Chrome because Chrome provides additional protection for the Adobe Reader component.

 

The significance is that this is the first known documentation of a vulnerability and attack method that would allow an attacker to go around or avoid the sandbox included in Adobe Reader X and XI, but as I have told you in the past, sandboxes can indeed be bypassed.  The exploit is somewhat limited because the user needs to close the browser after loading the malicious PDF file in order for the malicious code to be executed on the computer. Group-IB also posted a video on YouTube demonstrating how the attack works in Internet Explorer.

 

Adobe indicates they are researching and investigating these claims, but no hard evidence or samples of the vulnerability or exploit (POC code) have yet been captured or made available to Adobe. 

 

If this is actually available in an underground circle and/or exploit kit, I am afraid we will all know all too soon how true this all is and how effective the exploit really is.  This might also be a good time to consider one of the alternative PDF readers I have told you about in the past.  Personally, I have used nothing but Sumatra and Cool PDF for a PDF reader for some years now and I can definitely say that I don’t miss Adobe Reader at all.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 10/23/12

 

 

 

Adobe Security Bulletins:
- APSB12-22: Security updates available for Adobe Flash 
Player - Critical
- APSB12-23: Security update available for Adobe Shockwave 
Player - Important
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
APSB12-22: Security updates available for Adobe Flash Player - Critical
 
Originally posted: October 8, 2012
 
Summary:  
Adobe has released security updates for Adobe Flash Player 
11.4.402.278 and earlier versions for Windows, Adobe Flash 
Player 11.4.402.265 and earlier versions for Macintosh, 
Adobe Flash Player 11.2.202.238 and earlier versions for 
Linux, Adobe Flash Player 11.1.115.17 and earlier versions 
for Android 4.x, and Adobe Flash Player 11.1.111.16 and 
earlier versions for Android 3.x and 2.x. These updates 
address vulnerabilities that could cause a crash and 
potentially allow an attacker to take control of the 
affected system.
 
Adobe recommends users update their product installations 
to the latest versions:
 
- Users of Adobe Flash Player 11.4.402.278 and earlier 
versions for Windows and Adobe Flash Player 11.4.402.265 
and earlier versions for Macintosh should update to Adobe 
Flash Player 11.4.402.287.
 
 
 
- Users of Adobe Flash Player 11.2.202.238 and earlier 
versions for Linux should update to Adobe Flash Player 
11.2.202.243.
 
 
 
- Flash Player installed with Google Chrome will 
automatically be updated to the latest Google Chrome 
version, which will include Adobe Flash Player 11.4.31.110 
for Windows and Linux, and Flash Player 11.4.402.287 for 
Macintosh.
 
 
 
- Flash Player installed with Internet Explorer 10 will 
automatically be updated to the latest Internet Explorer 10 
version, which will include Adobe Flash Player 11.3.375.10 
for Windows.
 
 
 
- Users of Adobe Flash Player 11.1.115.17 and earlier 
versions on Android 4.x devices should update to Adobe Flash 
Player 11.1.115.20.
 
 
 
- Users of Adobe Flash Player 11.1.111.16 and earlier 
versions for Android 3.x and earlier versions should update 
to Flash Player 11.1.111.19.
 
 
 
- Users of Adobe AIR 3.4.0.2540 for Windows and Macintosh 
should update to Adobe AIR 3.4.0.2710.
 
 
 
- Users of the Adobe AIR 3.4.0.2540 SDK (includes AIR for 
iOS) should update to the Adobe AIR 3.4.0.2710 SDK.
 
 
 
- Users of the Adobe AIR 3.4.0.2540 and earlier versions 
for Android should update to the Adobe AIR 3.4.0.2710.
 
 
 
Learn more: 
http://click.mail.adobesystems.com/?qs=d5bfb91fa3d764130c99cc72142d369cea1744fce2cc0dd7608831c29ce7e052eaf8e51f01348719
 
Priority and Severity Ratings: 
Adobe categorizes these updates as priority 1 for Windows, 
addressing critical vulnerabilities:
http://click.mail.adobesystems.com/?qs=d5bfb91fa3d764133ae8e7a67a992dab246dba73a3d27e27ae7a36bde0ad67509afc87dc89b2b275
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
APSB12-23: Security update available for Adobe Shockwave 
Player - Important
 
Originally posted: October 23, 2012
 
Summary:
 
Adobe has released an update for Adobe Shockwave Player 
11.6.7.637 and earlier versions on the Windows and Macintosh 
operating systems.  This update addresses vulnerabilities 
that could allow an attacker, who successfully exploits these 
vulnerabilities, to run malicious code on the affected system.  
Adobe recommends users of Adobe Shockwave Player 11.6.7.637 
and earlier versions update to the newest version 11.6.8.638
using the instructions provided in the Security Bulletin.
 
 
Learn more: 
http://click.mail.adobesystems.com/?qs=d5bfb91fa3d764136c9d3d49860127fe20a6df7a74f7c27cff9ecd2a49ccd00560ab62fbbd792ee1
 
 
Priority and Severity Ratings: 
Adobe categorizes this update as priority 2, addressing 
an important vulnerability:
http://click.mail.adobesystems.com/?qs=d5bfb91fa3d764133ae8e7a67a992dab246dba73a3d27e27ae7a36bde0ad67509afc87dc89b2b275

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 10/16/12

 

 

Adobe Reader

 

Adobe Reader XI has been released, has a host of new ‘security features’, and Adobe has a blog here –

http://blogs.adobe.com/adobereader/

 

From the blog –

Adobe Reader XI is now available! Download Reader XI today at http://get.adobe.com/reader. With over one billion downloads, Adobe Reader continues its leadership as the global standard in PDF viewing and interaction.

 

Adobe Reader XI provides full commenting capabilities, including text, stamps, file attachments and audio recordings, as well as drawing markups, like lines, arrows, shapes and free-form annotations. Do you have a PDF form that needs attention? Well, Reader is now able to fill, sign, save and send your forms without requiring printing and mailing. And, of course, you can do this on the most recent and popular operating systems, OS X Mountain Lion and Windows 8, which includes our new “touch-mode” for an optimal tablet experience.

 

Security -

We really moved the needle with Protected Mode in Adobe Reader X. Now, we’ve enhanced Protected Mode in Adobe Reader XI to include data theft prevention capabilities. We’ve even added a new Protected View, which implements a separate desktop and winstation for the UI, providing an additional layer of defense. For high-risk environments, we’ve added the PDF Whitelisting Framework, which allows the selective enablement of JavaScript for both Windows and Mac OS, including support for certified documents. And, in the area of content security, we’ve expanded our support to elliptic curve cryptography.

 

 

Adobe Reader downloads for home users are here –

http://get.adobe.com/reader/

 

Remember to uncheck the box just above ‘Download now’ or you will also get McAfee Security Scan Plus bundled with your download

 

Additional information here - http://www.adobe.com/products/reader.html

 

As for the reader itself, the download is a hefty 134 MB in size as a Zip file, so it’s not exactly what I would call lightweight and speedy.  I will let you know what I think when I get finished with testing this monster.

 

Important –

 

  • Note that Adobe Reader 11 installation will remove prior versions of Adobe Reader.  Earlier versions will still have folders on your hard drive in the Program Files | Adobe folder, but do not remove these as they will contain what is still in use by Adobe Reader 11
  • JavaScript is enabled by default – I recommend you uncheck the box to disable it
  • Trust Manager allows opening of non-PDF files and attachments with external applications enabled by default – I recommend you uncheck the box to disable this function
  • After installation, you will have to accept the Adobe Reader 11 license, and it will ask if you want to import certificates from your older version installation – answer yes to this so you won’t have to manually install them again later
  • There are no new versions released for Adobe Reader 9 or 10

 

 

 

 

As a side bar, Adobe Acrobat XI has also been released.  Information here –

http://www.adobe.com/products/acrobat/pdf-solutions-for-work.html?trackingid=KAVMI

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 

10/08/12

 

 

Critical Flash Player and Air update

 

Adobe has released security updates for Adobe Flash Player 11.4.402.278 and earlier versions for Windows, Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh, Adobe Flash Player 11.2.202.238 and earlier versions for Linux, Adobe Flash Player 11.1.115.17 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.  The fixes cover 25 separate vulnerability disclosures.

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.4.402.278 and earlier versions for Windows and Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh should update to Adobe Flash Player 11.4.402.287.
  • Users of Adobe Flash Player 11.2.202.238 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.243.
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.4.31.110 for Windows and Linux, and Flash Player 11.4.402.287 for Macintosh.
  • Users of Adobe Flash Player 11.1.115.17 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.20.
  • Users of Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.19.
  • Users of Adobe AIR 3.4.0.2540 for Windows and Macintosh should update to Adobe AIR 3.4.0.2710.
  • Users of the Adobe AIR 3.4.0.2540 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2710 SDK.
  • Users of the Adobe AIR 3.4.0.2540 and earlier versions for Android should update to the Adobe AIR 3.4.0.2710.
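
An added example (not Adobe's or this site's code) that checks a constructed software inventory against the fixed versions listed above for APSB12-22. The CSV layout, the product labels such as flash-chrome, and the host names are assumptions made for the illustration. Versions are compared numerically per component, and Chrome's bundled Flash Player is matched against its own fixed version rather than the stand-alone one.

```python
"""Audit an inventory against the APSB12-22 fixed versions (added example)."""
import csv
import io
import re

# Fixed versions copied from the bulletin list above, keyed by
# (product label, platform label). The labels are this example's own.
FIXED = {
    ("flash", "windows"): "11.4.402.287",
    ("flash", "macintosh"): "11.4.402.287",
    ("flash", "linux"): "11.2.202.243",
    # Chrome bundles its own Flash build with a different version branch.
    ("flash-chrome", "windows"): "11.4.31.110",
    ("flash-chrome", "linux"): "11.4.31.110",
    ("flash-chrome", "macintosh"): "11.4.402.287",
    ("flash", "android-4.x"): "11.1.115.20",
    ("flash", "android-3.x-and-earlier"): "11.1.111.19",
    ("air", "windows"): "3.4.0.2710",
    ("air", "macintosh"): "3.4.0.2710",
    ("air", "android"): "3.4.0.2710",
}

# Constructed sample inventory; hosts and OS versions are made up.
INVENTORY_CSV = """\
host,product,os,os_version,version
ws-01,flash,windows,6.1,11.4.402.278
ws-02,flash,windows,6.1,11.4.402.287
ws-03,flash-chrome,windows,6.1,11.4.31.110
ws-04,flash,windows,5.1,9.0.280.0
mac-01,flash,macintosh,10.8,11.4.402.265
lx-01,flash,linux,3.2,11.2.202.243
tab-01,flash,android,4.0.4,11.1.115.17
ph-01,flash,android,2.3.6,11.1.111.19
ws-05,air,windows,6.1,3.4.0.2540
ws-06,flash,windows,6.1,11.4.402
"""


def parse_version(text):
    """Turn '11.4.402.287' into (11, 4, 402, 287) for numeric comparison."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError("not a four-part version: %r" % text)
    return tuple(int(part) for part in text.split("."))


def platform_key(product, os_name, os_version):
    """Map an inventory row to the platform wording the bulletin uses."""
    os_name = os_name.strip().lower()
    if os_name == "android" and product == "flash":
        # The bulletin splits Android Flash Player into 4.x and 3.x-and-earlier.
        major = os_version.split(".")[0]
        if not major.isdigit():
            return "android-unknown"
        return "android-4.x" if int(major) >= 4 else "android-3.x-and-earlier"
    return os_name


def audit(inventory_csv):
    """Return (host, status, detail) with status 'update', 'ok' or 'unknown'."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        key = (product, platform_key(product, row["os"], row["os_version"]))
        fixed = FIXED.get(key)
        if fixed is None:
            findings.append((row["host"], "unknown", "no bulletin entry for %s/%s" % key))
            continue
        try:
            installed = parse_version(row["version"])
        except ValueError as exc:
            # A truncated or odd version string is reported, never assumed safe.
            findings.append((row["host"], "unknown", str(exc)))
            continue
        if installed < parse_version(fixed):
            findings.append((row["host"], "update", "%s -> %s" % (row["version"], fixed)))
        else:
            findings.append((row["host"], "ok", row["version"]))
    return findings


if __name__ == "__main__":
    for host, status, detail in audit(INVENTORY_CSV):
        print("%-7s %-8s %s" % (host, status, detail))
```

A plain string comparison would rank 9.0.280.0 above 11.4.402.287 and report ws-04 as current, which is why the versions are parsed into integer tuples first.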

 

 

Adobe security bulletin is here –

http://www.adobe.com/support/security/bulletins/apsb12-22.html

 

Also, Microsoft has released Flash Player updates for Windows 8 – 64 bit

http://www.microsoft.com/en-us/download/details.aspx?id=34813

 

and x86 32-bit

http://www.microsoft.com/en-us/download/details.aspx?id=34815

 

 

A post on the Google Chrome Releases blog announced the release to the Stable channel of Chrome 22.0.1229.92, which includes the necessary Flash Player security fixes.

 

The bulletin also includes details on Flash updates for Linux and Android-based devices.

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 Week ending 09/29/12

 

 

 

Adobe Hacked

 

Adobe has warned that an internal server with access to its digital certificate code signing infrastructure was hacked by "sophisticated threat actors" engaged in "highly targeted attacks."

 

The server compromise in early July led to the creation of at least two malicious files that were digitally signed using a valid Adobe certificate.  Although only two files were signed, the hack effectively gave the attackers the ability to create malware masquerading as legitimate Adobe software.

 

Adobe security chief Brad Arkin said one of the two digitally signed malware files is a utility that extracts password hashes from the Windows operating system.   "The first malicious utility we received is pwdump7 v7.1.  This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll.  The sample we received included two separate and individually signed files. We believe the second malicious utility, myGeeksmail.dll, is a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter."

 

Adobe has not provided details on the nature of the breach other than it affected a "build server" with access to the code signing infrastructure.  Arkin said the compromised machine's configuration was "not to Adobe corporate standards for a build server."

 

Adobe plans to revoke the certificates on October 4th according to a security advisory posted on 9/27 here –

http://www.adobe.com/support/security/advisories/apsa12-01.html which indicates “Adobe plans to revoke the certificate on October 4 for all software code signed after July 10, 2012. Adobe is in the process of issuing updates signed using a new digital certificate for all affected products.”

 

 

**********

 

If you believe that this may impact your environment in any way, I suggest you use this link –

http://helpx.adobe.com/x-productkb/global/certificate-updates.html#main-pars_header_1

 

This page discusses the updated security certificates and what needs to be done based on what Adobe software you use and when it was downloaded and installed.  I suggest you take a look just to be safe.

 

This is the Adobe statement from Brad Arkin –

 

We have identified a compromised build server that required access to the code signing service as part of the build process. Although the details of the machine’s configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process. We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies. The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service.

 

Our forensic investigation is ongoing. To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.

 

The build server used a dedicated account to access source code required for the build. This account had access to only one product. The build server had no access to Adobe source code for any other products and specifically did not have access to any of Adobe’s ubiquitous desktop runtimes such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR. We have reviewed every commit made to the source repository the machine did have access to and confirmed that no source code changes or code insertions were made by the build server account. There is no evidence to date that any source code was stolen.

 

 

 

 

 

 

============================================================

 

 

 

New betas released to Adobe Labs

 

Adobe has released the latest betas of Adobe Air and Adobe Flash Player to Adobe Labs for download

http://blogs.adobe.com/labs/archives/2012/09/flash-player-11-5-and-air-3-5-available-for-download.html

 

Adobe Air 3.5 beta –

http://labs.adobe.com/technologies/flashplatformruntimes/air3-5/

 

Adobe Flash Player 11.5 beta –

http://labs.adobe.com/technologies/flashplatformruntimes/flashplayer11-5/

 

 

 

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

09/20/12

 

 

Flash Player Updated

 

Updated debugger and standalone versions of Flash Player are available. These players contain fixes for critical vulnerabilities identified in Security Bulletin APSB12-19. The latest versions are 11.4.402.278 (Win), 11.4.402.265 (Mac) and 11.2.202.238 (Linux). All users are encouraged to update to these latest versions.  Adobe has not released a security bulletin or any other details.

 

 

 

 

 

 

 

======================================================

 

 

 

 

09/11/12

 

 

Adobe Security Bulletins – Flash Player, AIR, Photoshop CS6, ColdFusion

 

 

Adobe Security Bulletins:
- APSB12-19: Security updates available for Adobe Flash 
Player
- APSB12-20: Security update available for Adobe Photoshop 
CS6
- APSB12-21: Security update: Hotfix available for 
ColdFusion 10 and earlier
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
APSB12-19: Security updates available for Adobe Flash Player
 
Originally posted: August 21, 2012
 
Summary:  
Adobe has released security updates for Adobe Flash Player 
11.3.300.271 and earlier versions for Windows and Macintosh, 
Adobe Flash Player 11.2.202.236 and earlier versions for 
Linux, Adobe Flash Player 11.1.115.11 and earlier versions 
for Android 4.x, and Adobe Flash Player 11.1.111.10 and 
earlier versions for Android 3.x and 2.x. These updates 
address vulnerabilities that could cause a crash and 
potentially allow an attacker to take control of the 
affected system.
 
Adobe recommends users update their product installations to 
the latest versions:
 
- Users of Adobe Flash Player 11.3.300.271 and earlier 
versions for Windows and Macintosh should update to Adobe 
Flash Player 11.4.402.265.
 
- Users of Adobe Flash Player 11.2.202.236 and earlier 
versions for Linux should update to Adobe Flash Player 
11.2.202.238.
 
- Flash Player installed with Google Chrome will 
automatically be updated to the latest Google Chrome version, 
which will include Adobe Flash Player 11.3.31.230 for Windows 
and Linux, and Flash Player 11.4.402.265 for Macintosh.
 
- Users of Adobe Flash Player 11.1.115.11 and earlier 
versions on Android 4.x devices should update to Adobe Flash 
Player 11.1.115.17.
 
- Users of Adobe Flash Player 11.1.111.10 and earlier 
versions for Android 3.x and earlier versions should update 
to Flash Player 11.1.111.16.
 
- Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh 
should update to Adobe AIR 3.4.0.2540.
 
- Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for 
iOS) should update to the Adobe AIR 3.4.0.2540 SDK.
 
- Users of the Adobe AIR 3.3.0.3650 and earlier versions 
for Android should update to the Adobe AIR 3.4.0.2540.
 
Learn more: http://click.mail.adobesystems.com/?qs=f8e2b7a79a9cdc0837cc756615bb39eb613d0b95e3e29120c912d0984cb96c6daae268e819b1c315
 
Priority and Severity Ratings: 
Adobe categorizes these updates as priority 1 for Windows, 
addressing critical vulnerabilities:
http://click.mail.adobesystems.com/?qs=f8e2b7a79a9cdc08c5b44dd6f4d20e6d9644e8db0dbc7afa2c5c557f5019787d47fabada9ea92af8
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
APSB12-20: Security update available for Adobe Photoshop CS6
 
Originally posted: August 30, 2012
 
Summary:  
Adobe has released a security update for Adobe Photoshop CS6 
(13.0) for Windows and Macintosh. This update addresses 
vulnerabilities that could allow an attacker who 
successfully exploits these vulnerabilities to take control 
of the affected system.
 
Note that Adobe Photoshop CS5.1 (12.1.1) and Adobe Photoshop 
CS5 (12.0.5) and earlier versions for Windows and Macintosh 
are not affected by these vulnerabilities. No update is 
required for users of Adobe Photoshop CS5.1 (12.1.1) and 
Adobe Photoshop CS5 (12.0.5) and earlier versions for Windows 
and Macintosh.
 
 
Learn more: http://click.mail.adobesystems.com/?qs=f8e2b7a79a9cdc0824c820dd835db2997d728637dd7910a2b06fa79bda4b7324b7418b6c4b5e4a19
 
Priority and Severity Ratings: 
Adobe categorizes this update as priority 3, addressing 
important vulnerabilities:
http://click.mail.adobesystems.com/?qs=f8e2b7a79a9cdc08c5b44dd6f4d20e6d9644e8db0dbc7afa2c5c557f5019787d47fabada9ea92af8
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
APSB12-21: Security update: Hotfix available for ColdFusion 
10 and earlier
 
Originally posted: September 11, 2012
 
Summary:  
Adobe released a security hotfix for ColdFusion 10 and 
earlier versions for Windows, Macintosh and UNIX.  This 
update resolves a vulnerability which could result in a 
Denial of Service condition.  Adobe recommends users update 
their product installation using the instructions provided 
in the "Solution" section of the Security Bulletin.
 
Learn more: http://click.mail.adobesystems.com/?qs=f8e2b7a79a9cdc08bf6a14915cafa8fd94a0c560158db714e44324d166c7e6197aaf705a532e645e
 
Priority and Severity Ratings: 
Adobe categorizes this update as priority 2, addressing 
an important vulnerability:
http://click.mail.adobesystems.com/?qs=f8e2b7a79a9cdc08c5b44dd6f4d20e6d9644e8db0dbc7afa2c5c557f5019787d47fabada9ea92af8
 

 

 

 

 

 

 

======================================================

 

 

 

 

 

 08/31/12

 

 

 

Adobe Photoshop CS6 advisory

 

Adobe has released an update for Photoshop CS6 that closes a critical heap-based buffer overflow vulnerability (CVE-2012-4170) in its popular graphics editing program. Both the Mac and Windows versions of Photoshop CS6 (aka Photoshop 13.0) contain a critical vulnerability that could allow an attacker to take control of affected systems.

 

Photoshop 13.0.1 update contains 75 other bug fixes, including 31 for problems known to cause crashes, 18 pertaining to 3D features, and 15 for drawing and graphics features.  According to a Secunia advisory, the problem is caused by a boundary error in the "Standard MultiPlugin.8BF" module when processing certain PNG image files. Both Windows and Mac OS X versions of Photoshop CS6 (13.0) are affected and upgrading to the new 13.0.1 release fixes the problem.

 

Photoshop CS6 13.0.1 Update Now Available

Today, we released an update to Photoshop CS6 with version 13.0.1. This update fixes a number of functional, crashing, and performance issues across the product.

How To Get The Update

    1. In Photoshop, choose Help > Updates
    2. The Adobe Application Manager will launch. Select Adobe Photoshop CS6 and choose Update

Noteworthy Fixes

We fixed a total number of 76 core issues in 13.0.1, including:

Here are some specific fixes for the following bugs:

  • 3D: Reflection does not render when ray Traced
  • 3D: Ray Trace does not stop rendering
  • 3D: OpenGL widget stops working in Full Screen Windows
  • Paths and Shapes: No way to select a Shape layer without path getting activated
  • Paths and Shapes: Shapes do not constrain properly with non-square pixels
  • Paths and Shapes: Unable to type on paths or shape layer
  • Paths and Shapes: Vector Layers Copy/Paste attributes not actionable
  • Paths and Shapes: No vector preview when transforming shape layers.
  • Windows task bar location & image window problem
  • Paint is offset with Grip Pen
  • Actions: An action that copies, closes, and pastes to another open image gives error that it cannot paste Documents open as floating
  • Actions: CS4/5 Actions that include “Use legacy” option are not using legacy in CS6
  • Liquify: Mac 10.8: Corruption when using large images on a background layer
  • Type: Extensis: Update All Text Layer becomes available after replace missing fonts
  • Layer Comps: “Could not complete your request because the result would be too big” displayed with this CS5 sample file
  • Group Styles: Some blending options not saved with file
  • Video playback should use draft quality for faster playback
  • After crop, Adjustment layers with dropdown menus become grayed out in properties panel
  • Channels Panel: Thumbnails don’t update after moving layer
  • Performance: Moving layers is slow compared to CS5 if layer palette is visible and thumbnails are showing

 

Security update available for Adobe Photoshop CS6

Release date: August 30, 2012

Last updated: August 31, 2012

Vulnerability identifier: APSB12-20

CVE number: CVE-2012-4170, CVE-2012-0275

Platform: Windows and Macintosh

Adobe has released a security update for Adobe Photoshop CS6 (13.0) for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

Note that Adobe Photoshop CS5.1 (12.1.1) and Adobe Photoshop CS5 (12.0.5) and earlier versions for Windows and Macintosh are not affected by these vulnerabilities. No update is required for users of Adobe Photoshop CS5.1 (12.1.1) and Adobe Photoshop CS5 (12.0.5) and earlier versions for Windows and Macintosh.

Adobe recommends users of Adobe Photoshop CS6 (13.0) update their product installations by following the instructions provided in the technote: http://blogs.adobe.com/photoshopdotcom/2012/08/photoshop-cs6-13-0-1-update-now-available.html.

 

 

 

 

======================================================

 

 

 

 

 08/21/12

 

 

Flash Player update – again, plus Air

 

Adobe Systems released fixes on Tuesday for six critical vulnerabilities affecting its Flash multimedia application and AIR runtime, five of which could allow for remote code execution on a system.  The updates affect Windows, Macintosh, Linux, Google Chrome and users of Android 2.x, 3.x and 4.x devices.

 

Windows and Macintosh users might consider updating to the newest Flash Player version, 11.4.402.265, by downloading it from the Adobe Flash Player Download Center rather than waiting for the built-in auto-update mechanism, given the importance of these updates.

 

Security updates available for Adobe Flash Player and Air

Release date: August 21, 2012

Vulnerability identifier: APSB12-19

Priority: See table below

CVE number: CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.4.402.265.
  • Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for Macintosh.
  • Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.17.
  • Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.16.
  • Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2540.
  • Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2540 SDK.
  • Users of the Adobe AIR 3.3.0.3650 and earlier versions for Android should update to the Adobe AIR 3.4.0.2540.

Affected software versions

  • Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux operating systems
  • Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
  • Adobe AIR 3.3.0.3650 and earlier versions for Android

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.

Solution

Adobe recommends users update their software installations by following the instructions below:

  • Adobe recommends users of Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh should update to the newest version 11.4.402.265 by downloading it from the Adobe Flash Player Download Center. Windows users and users of Adobe Flash Player 10.3.x or later for Macintosh can also install the update via the update mechanism within the product when prompted.
  • Adobe recommends users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238 by downloading it from the Adobe Flash Player Download Center.
  • For users who cannot update to Flash Player 11.4.402.265, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.23, which can be downloaded here.
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for Macintosh.
  • Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.17 by updating to devices that already have Flash Player installed prior to August 15, 2012.
  • Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.16 by updating to devices that already have Flash Player installed prior to August 15, 2012.
  • Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2540.
  • Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2540 SDK.
  • Users of the Adobe AIR 3.3.0.3650 and earlier versions for Android should update to Adobe AIR 3.4.0.2540 by browsing to Google Play or the Amazon Marketplace on an Android device.

Priority and Severity ratings

Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:

Product             Updated Version  Platform                                  Priority Rating
------------------  ---------------  ----------------------------------------  ---------------
Adobe Flash Player  11.4.402.265     Windows                                   1
                    11.4.402.265     Macintosh                                 2
                    11.2.202.238     Linux                                     3
                    11.1.115.17      Android 4.x                               3
                    11.1.111.16      Android 3.x and 2.x                       3
Adobe AIR           3.4.0.2540       Windows and Macintosh                     3
                    3.4.0.2540       SDK (including AIR for iOS) and Android   3


These updates address critical vulnerabilities in the software.

Details

Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.4.402.265.
  • Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for Macintosh.
  • Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.17.
  • Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.16.
  • Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2540.
  • Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2540 SDK.
  • Users of the Adobe AIR 3.3.0.3650 and earlier versions for Android should update to the Adobe AIR 3.4.0.2540.

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-4167).

These updates resolve a cross-domain information leak vulnerability (CVE-2012-4168).

     
     
     
     
     
     
     
     
     
     
     

 

 

 

 

 

 

======================================================

 

 

 

 

Week ending 08/18/12

 

 

 

Adobe Updates 08/14/12

 

Adobe released Adobe Reader v 10.1.4 and v 9.5.2 as well as Shockwave v 11.6.6.636 and Flash Player v 11.3.300.271 for both IE and Plug-In browsers.  All updates should be treated as critical and installed as soon as possible, and note that the Flash Player vulnerability fixed by the new version is already being actively exploited.

 

Adobe Security bulletins are here –

 

Reader - http://www.adobe.com/support/security/bulletins/apsb12-16.html

 

Shockwave - http://www.adobe.com/support/security/bulletins/apsb12-17.html

 

Flash Player - http://www.adobe.com/support/security/bulletins/apsb12-18.html

 

I also have the bulletins below for your convenience

 

 

***************

 

Quick Look

 

 

APSB12-16: Security updates available for Adobe Reader and 
Acrobat
 
Originally posted: August 14, 2012
 
Summary:  
Adobe has released security updates for Adobe Reader and 
Acrobat X (10.1.3) and earlier versions for Windows and 
Macintosh.  These updates address vulnerabilities in the 
software that could cause the application to crash and 
potentially allow an attacker to take control of the 
affected system.
 
Adobe recommends users update their product installations to 
the latest versions:
 
- Users of Adobe Reader X (10.1.3) and earlier versions for 
Windows and Macintosh should update to Adobe Reader X 
(10.1.4).
 
- For users of Adobe Reader 9.5.1 and earlier versions for 
Windows and Macintosh, who cannot update to Adobe Reader X 
(10.1.4), Adobe has made available the update Adobe Reader 
9.5.2. 
 
- Users of Adobe Acrobat X (10.1.3) for Windows and Macintosh 
should update to Adobe Acrobat X (10.1.4).
 
- Users of Adobe Acrobat 9.5.1 and earlier versions for Windows 
and Macintosh should update to Adobe Acrobat 9.5.2.
 
 
Learn more: http://click.mail.adobesystems.com/?qs=f66740a3a257d03bf7388d465f074edc9e2000b3068e5c11eef99079454390b04fdcc0a8689d89d5
 
Priority and Severity Ratings: 
Adobe categorizes these updates as priority 2, addressing 
critical vulnerabilities:
http://click.mail.adobesystems.com/?qs=f66740a3a257d03b914e3ffc560fb9837689ee86a9f936c925eb9dbba2d55e7cdbe9c488e1a8414e
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
APSB12-17: Security update available for Adobe Shockwave 
Player
 
Originally posted: August 14, 2012
 
Summary:  
Adobe has released an update for Adobe Shockwave Player 
11.6.5.635 and earlier versions on the Windows and Macintosh 
operating systems.  This update addresses vulnerabilities 
that could allow an attacker, who successfully exploits 
these vulnerabilities, to run malicious code on the affected 
system.  Adobe recommends users of Adobe Shockwave Player 
11.6.5.635 and earlier versions update to Adobe Shockwave 
Player 11.6.6.636 using the instructions provided in the 
Security Bulletin.
 
 
Learn more: http://click.mail.adobesystems.com/?qs=f66740a3a257d03b8cfa25d975383365e5f64c13090e28b90313fa7f9f6a4dc3aad5c7973e9a8e30
 
Priority and Severity Ratings: 
Adobe categorizes this update as priority 2, addressing 
critical vulnerabilities:
http://click.mail.adobesystems.com/?qs=f66740a3a257d03b914e3ffc560fb9837689ee86a9f936c925eb9dbba2d55e7cdbe9c488e1a8414e
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
APSB12-18: Security update available for Adobe Flash Player
 
Originally posted: August 14, 2012
 
Summary:  
Adobe has released security updates for Adobe Flash Player 
11.3.300.270 and earlier versions for Windows, Macintosh and 
Linux.  These updates address a vulnerability 
(CVE-2012-1535) that could cause the application to crash 
and potentially allow an attacker to take control of the 
affected system. 
 
There are reports that the vulnerability is being exploited 
in the wild in limited targeted attacks, distributed through 
a malicious Word document.  The exploit targets the ActiveX 
version of Flash Player for Internet Explorer on Windows. 
 
Adobe recommends users update their product installations to 
the latest versions:
 
- Users of Adobe Flash Player 11.3.300.270 and earlier 
versions for Windows and Macintosh should update to Adobe 
Flash Player 11.3.300.271.
 
- Users of Adobe Flash Player 11.2.202.236 and earlier versions 
for Linux should update to Adobe Flash Player 11.2.202.238.
 
- Flash Player installed with Google Chrome will be updated 
automatically, so no user action is required.  Google Chrome 
users can verify that they have updated to Google Chrome 
version 21.0.1180.79.
 
 
Learn more: http://click.mail.adobesystems.com/?qs=f66740a3a257d03b796060a6dcb508c06df13bd409cd45e29afc1695012fbac0bb010f1f1c10c61d
 
Priority and Severity Ratings: 
Adobe categorizes this update as priority 1, addressing 
a critical vulnerability:
http://click.mail.adobesystems.com/?qs=f66740a3a257d03b914e3ffc560fb9837689ee86a9f936c925eb9dbba2d55e7cdbe9c488e1a8414e

======================================================

08/02/12

New Flash Player Released

 

Flash Player 11.3.300.270 for Windows was released to address a crash that was occurring in the Adobe Flash Player Update Service (FlashPlayerUpdateService.exe).  There are no other fixes or changes provided with this build.  This release is available for Windows only, and affects the Active X and Plug-in installers, uninstaller, and msi's (available on the distribution page.)  No other platforms are affected.

 

Please be aware that this release is not available from the Product Download Center (http://get.adobe.com/flashplayer) which will continue to provide 11.3.300.268.  We realize that this might cause confusion for some users.  Due to the severity of this issue, we decided to make this build available immediately to help customers affected by this bug.  Due to logistical issues and time constraints, we were unable to update the release on the Product Download Center.  The next release of Flash Player will correct this disparity.  Please note that unless you have been affected by the FlashPlayerUpdateService.exe crash, both 11.3.300.270 and 11.3.300.268 will be functionally identical.

 

This release will be distributed using the following methods:

 

  • Silent auto update - If enabled and functional, the silent auto update service will automatically install this build within 24 hours.
  • Flash Player Distribution page for distribution license agreement holders

 

 

For full details on the 11.3 release, please see our release notes

 

For those encountering problems with Flash Player, please see this tech note for suggestions and instructions on reporting Flash Player bugs

 

Firefox users crashing with Flash Player 11.3 who are willing to assist us in determining the cause of the crashes, please download and install the Firefox 15 beta release and submit all crash reports when they occur.  Crash logs created and submitted with Firefox 15 will allow us to gather critical details that are missing from the current crash reports that are being generated with Firefox 13 and 14 and earlier versions.

 

We are still in the process of updating all download locations.  If you encounter a broken or missing link, please clear your browser cache and try again.  If the problem is not resolved within 24 hours, please create a forum post or send email to ccampbel@adobe.com.

 

***************

 

 

That all being said by Adobe, I have one issue to bring up – namely Adobe’s claim that ‘Silent auto update - If enabled and functional, the silent auto update service will automatically install this build within 24 hours’ – because that service is what is causing the crash on most machines.  I therefore recommend you download and manually install the latest version 11.3.300.270 and be done with the issue.  If you have been encountering on-screen messages that the ‘Adobe Updater Service has Encountered Problems and Needs to Close’, then you definitely have the crashing issue and should manually update to the Flash Player version above, as the automatic updater is definitely not working.  Although this issue seems to be most prevalent on Windows XP machines, I have already encountered it on Windows 7 machines as well.

=====================================================

06/22/12

Flash Player Updated to cure Firefox Crashes

 

Adobe yesterday updated Flash Player to solve a weeks-long problem for users of Mozilla's Firefox browser.

 

The update, Flash Player 11.3.300.262, applies only to Firefox on Windows.  Adobe claimed that there were "different causes" for the crashes, which seemed to be concentrated on Windows Vista and Windows 7 machines.

 

Flash Player 11.3.300.262 can be downloaded from Adobe's website. Firefox users can also wait for Flash's silent updater to automatically download and install the new plug-in.

 

 

The newest Flash Player plug-in update applies only to Windows, and patches a bug that caused crashes in Mozilla's Firefox.

======================================================

06/12/12

Adobe ColdFusion

 

Adobe released a security hotfix for ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX.  The hotfix resolves an HTTP response splitting vulnerability in the ColdFusion Component Browser, which could be used to add or modify additional headers and might cause unexpected behavior.

 

Affected software –

ColdFusion 9.0.1, 9.0, 8.0.1, and 8.0 for Windows, Macintosh and UNIX

*Note: ColdFusion 10 for Windows, Macintosh and UNIX is not affected by this issue.

Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote: http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-15.html.

 

 

Adobe Security Bulletin APSB12-15 is here - http://www.adobe.com/support/security/bulletins/apsb12-15.html

 

CVE-2012-2041 is here - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2041

********************

Flash Player

Last week Adobe released a new update for Flash Player (v 11.3.300.257) and urged all users to upgrade to the newest version of the series they are using.  The weakness is a simple MP4 buffer overflow covered in CVE-2011-2140.

To update you - A simple buffer overflow attack exists in the way Adobe Flash parses certain chunks of MP4 files. Public exploits exist, and have been incorporated into the Chinese Yang Pack exploit kit. Active exploitation of this vulnerability has been observed in the wild.

 

Make sure you get this updated.

======================================================

Week ending 06/09/12

06/08/12

Critical Security updates for Flash Player and Air

 

Adobe released new versions of Flash Player and Adobe Air Runtime to address multiple security vulnerabilities in the software.  At least 7 bugs are patched by these updates.

 

The Adobe Flash Player bulletins are located here –

 

http://www.adobe.com/support/security/bulletins/apsb12-14.html

 

with additional information including the Sandbox here –

 

http://blogs.adobe.com/asset/2012/06/flash-player-11-3-delivers-additional-security-capabilities-for-mac-and-firefox-users.html

 

Flash Player current version for Windows is now v 11.3.300.257

 

Air current version is now v 3.3.0.3610

 

Adobe also released a very good write-up on Flash Player Protected Mode (Sandbox) for Firefox, which runs on Windows Vista and newer only (there is no sandbox for XP, as the OS will not support it).  The write-up is well written and illustrated and will give you all the detailed information on how the sandbox works.  This is the first non-beta public release version of Flash Player to include the sandbox, and I suggest you give this a good read -

 

http://blogs.adobe.com/asset/2012/06/inside-flash-player-protected-mode-for-firefox.html

 

For Mac users, the update also includes the background updater for Mac OS X and is now signed with an Apple Developer ID, so that Flash Player can work with the new Gatekeeper technology for Mac OS X Mountain Lion (10.8).

 

To the best of my knowledge, the sandbox feature is still not available for Internet Explorer or Mac users at this time.

 

Adobe recommends users update their software installations by following the instructions below:

  • Adobe recommends users of Adobe Flash Player 11.2.202.235 and earlier versions for Windows and Macintosh should update to the newest version 11.3.300.257 by downloading it from the Adobe Flash Player Download Center. Windows users of Flash Player 11.2.x who have selected the silent update option will receive the update automatically. Windows users who do not have the silent update option enabled and users of Adobe Flash Player 10.3.x or later for Macintosh can also install the update via the update mechanism within the product when prompted.
  • Adobe recommends users of Adobe Flash Player 11.2.202.235 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.236 by downloading it from the Adobe Flash Player Download Center.
  • Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 19.0.1084.56, which includes Adobe Flash Player 11.3.300.257.
  • For users who cannot update to Flash Player 11.3.300.257, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.20, which can be downloaded here.
  • Users of Adobe Flash Player 11.1.115.8 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.9 by browsing to Google Play on an Android device. Users of Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.10 by browsing to Google Play on an Android device.
  • Adobe recommends users of Adobe AIR 3.2.0.207 and earlier versions for Windows, Macintosh and Android update to Adobe AIR 3.3.0.3610.
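
An added example (not from the original page and not Adobe tooling): one way to check an inventory of installed versions against the fixed builds in the update instructions above. The host names, inventory rows, platform keys and the decision to accept the 10.x build on every desktop platform are assumptions; versions are compared as numeric tuples because a string comparison ranks the vulnerable 11.1.111.9 above the fixed 11.1.111.10.

```python
# Added example, not Adobe tooling: audit inventoried versions against the
# fixed builds named in the APSB12-14 update instructions above.

# Fixed builds per (product, platform); one entry per supported branch.
# Assumption: the patched 10.x build (10.3.183.20) is accepted on Windows,
# Macintosh and Linux; the page does not say which platforms it covers.
FIXED_BUILDS = {
    ("flash", "windows"): ["11.3.300.257", "10.3.183.20"],
    ("flash", "macintosh"): ["11.3.300.257", "10.3.183.20"],
    ("flash", "linux"): ["11.2.202.236", "10.3.183.20"],
    ("flash", "android4"): ["11.1.115.9"],
    ("flash", "android3"): ["11.1.111.10"],  # Android 3.x and earlier
    ("air", "windows"): ["3.3.0.3610"],
    ("air", "macintosh"): ["3.3.0.3610"],
    ("air", "android"): ["3.3.0.3610"],
}

# Constructed inventory rows: (host, product, platform, installed version).
INVENTORY = [
    ("ws-01", "flash", "windows", "11.2.202.235"),
    ("ws-02", "flash", "windows", "11.3.300.257"),
    ("ws-03", "flash", "windows", "10.3.183.20"),
    ("lx-01", "flash", "linux", "11.2.202.235"),
    ("tab-01", "flash", "android3", "11.1.111.9"),
    ("tab-02", "flash", "android3", "11.1.111.10"),
    ("mac-01", "air", "macintosh", "3.2.0.207"),
    ("ws-04", "flash", "windows", "11.3.300"),  # truncated inventory value
]


def parse_version(text):
    """Turn '11.3.300.257' into (11, 3, 300, 257); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product, platform, version):
    """Return 'patched', 'update-needed' or 'unknown' for one inventory record."""
    fixed = FIXED_BUILDS.get((product.lower(), platform.lower()))
    if fixed is None:
        return "unknown"  # no fixed build listed for this product/platform
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable inventory data needs a manual look
    fixed_tuples = [parse_version(f) for f in fixed]
    # A major branch newer than anything listed is outside this bulletin.
    if installed[0] > max(f[0] for f in fixed_tuples):
        return "patched"
    # Otherwise the install must reach the fixed build of its own branch.
    for f in fixed_tuples:
        if f[0] == installed[0] and installed >= f:
            return "patched"
    return "update-needed"


def audit(inventory):
    """Map each host to its status."""
    return {host: assess(product, platform, version)
            for host, product, platform, version in inventory}


def lexical_compare_is_wrong():
    """True when string order disagrees with numeric order for the Android fix."""
    as_text = "11.1.111.9" > "11.1.111.10"
    as_numbers = parse_version("11.1.111.9") < parse_version("11.1.111.10")
    return as_text and as_numbers


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:8} {status}")
```

Records that come back as 'unknown' are the ones to check by hand, since a truncated or missing version string says nothing about whether the host is patched.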

 

 

What Adobe Fixed –

 

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-2034).

These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2012-2035).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-2036).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-2037).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2012-2038).

These updates resolve null dereference vulnerabilities that could lead to code execution (CVE-2012-2039).

These updates resolve a binary planting vulnerability in the Flash Player installer that could lead to code execution (CVE-2012-2040).

********************

06/04/12

Adobe made good on its promise to update earlier versions of Illustrator and Photoshop

 

http://blogs.adobe.com/psirt/2012/06/adobe-photoshop-and-illustrator-security-bulletins-updated.html

At the same time, Adobe released security patches for Adobe Illustrator CS5 (15.0) and Adobe Illustrator CS5.5 (15.1). These address six vulnerabilities that could be exploited in a similar manner and for the same goal as the Photoshop ones.

Adobe is not aware of any ongoing attacks that target the vulnerabilities patched by the newly released Photoshop and Illustrator security updates, the company said in the corresponding security bulletins.

Adobe Flash Professional CS5.5.1 remains vulnerable to a buffer overflow vulnerability that can lead to arbitrary code execution. The company is working on a patch and will release it at a later date.

 

 

APSB12-10 – updated release of updates for Adobe Illustrator CS5 (15.0.x) and CS5.5 (15.1)

http://www.adobe.com/support/security/bulletins/apsb12-10.html

 

======================================================

Week ending 05/12/12

May Adobe Security Bulletins

First – a reminder from last week – emergency release

APSB12-09: Security update available for Adobe Flash Player

Originally posted: May 4, 2012

Summary: 
Adobe released security updates for Adobe Flash Player 11.2.202.233
and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player
11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player
11.1.111.8 and earlier versions for Android 3.x and 2.x.  These updates
address an object confusion vulnerability (CVE-2012-0779) that could
cause the application to crash and potentially allow an attacker to take
control of the affected system.
There are reports that the vulnerability is being exploited in the wild
in active targeted attacks designed to trick the user into clicking on
a malicious file delivered in an email message. The exploit targets
Flash Player on Internet Explorer for Windows only.

Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier
versions for Windows, Macintosh and Linux update to Adobe Flash Player
11.2.202.235.  Flash Player installed with Google Chrome was updated
automatically, so no user action is required.  Users of Adobe Flash Player
11.1.115.7 and earlier versions on Android 4.x devices should update to
Adobe Flash Player 11.1.115.8.  Users of Adobe Flash Player 11.1.111.8
and earlier versions for Android 3.x and earlier versions should update
to Flash Player 11.1.111.9.

***************

Now for this week -

Adobe has released their monthly security bulletins:

Note that APSB12-12 addresses Flash Professional, not the Flash Player add-on to your browser.  Also of note is that the first three bulletins simply inform users that their current version of the software is vulnerable, and that the upgraded version isn't.  No free security patch options, just pay to upgrade.  At least the Shockwave player update is free.

 

For the average user, updating Shockwave is the priority at hand if you have it installed.  The updated version (v 11.6.5.635) fixes five security bugs (memory corruption issues) in the player that could allow an attacker to take control of the system and run arbitrary code of his choice.

 

 

This is the Adobe Security Bulletin information for May -

 

 

***************

 

 

APSB12-13: Security update available for Adobe Shockwave

Originally posted: May 8, 2012

Summary: 
Adobe released a security update for Adobe Shockwave Player 11.6.4.634
and earlier versions for Windows and Macintosh. This update addresses
vulnerabilities that could allow an attacker who successfully exploits
these vulnerabilities to run malicious code on the affected system.

Adobe recommends users of Adobe Shockwave Player 11.6.4.634 and earlier
for Windows and Macintosh update to Adobe Shockwave Player 11.6.5.635
using the instructions provided in the Security Bulletin.



Learn more: http://click.mail.adobesystems.com/?qs=3f5b3a962338e209795554fb8fc8ba71f94c761a005106457e08616279de4b2bdac3af93a22152b1

Priority and Severity Ratings:
Adobe categorizes these updates as priority 2, addressing
critical vulnerabilities:
http://click.mail.adobesystems.com/?qs=3f5b3a962338e2093b58c07ab7b4f0623ed7675fa66db5f07e3e63773a9ba3188c5af27f7afdad25

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

APSB12-10: Security bulletin for Adobe Illustrator

Originally posted: May 8, 2012

Summary: 
Adobe released a security upgrade for Adobe Illustrator CS5.5 and
earlier for Windows and Macintosh. This upgrade addresses
vulnerabilities that could allow an attacker who successfully
exploits these vulnerabilities to take control of the affected system.

Adobe has released Adobe Illustrator CS6, which addresses these
vulnerabilities. For users who cannot upgrade to Adobe Illustrator CS6,
Adobe recommends users follow security best practices and exercise
caution when opening files from unknown or untrusted sources.


Learn more: http://click.mail.adobesystems.com/?qs=3f5b3a962338e209f53b77614843c21aec862c0ad3a9ac5fdb73f1d7c96499cdb7ba7171256f3f14

Priority and Severity Ratings:
Adobe categorizes these updates as priority 3, addressing
critical vulnerabilities:
http://click.mail.adobesystems.com/?qs=3f5b3a962338e2093b58c07ab7b4f0623ed7675fa66db5f07e3e63773a9ba3188c5af27f7afdad25


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

APSB12-11: Security bulletin for Adobe Photoshop

Originally posted: May 8, 2012

Summary: 
Adobe released a security upgrade for Adobe Photoshop CS5.5 and earlier
for Windows and Macintosh. This upgrade addresses vulnerabilities that
could allow an attacker who successfully exploits these vulnerabilities
to take control of the affected system.

Adobe has released Adobe Photoshop CS6, which addresses these
vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6,
Adobe recommends users follow security best practices and exercise
caution when opening files from unknown or untrusted sources.



Learn more: http://click.mail.adobesystems.com/?qs=3f5b3a962338e209c15753462b1430ffd6b6172fc0c7376812d74421b62a16537eaa1a28753d833f

Priority and Severity Ratings:
Adobe categorizes these updates as priority 3, addressing
critical vulnerabilities:
http://click.mail.adobesystems.com/?qs=3f5b3a962338e2093b58c07ab7b4f0623ed7675fa66db5f07e3e63773a9ba3188c5af27f7afdad25


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

APSB12-12: Security bulletin for Adobe Flash Professional

Originally posted: May 8, 2012

Summary: 
Adobe released a security upgrade for Adobe Flash Professional CS5.5
11.5.1.349 and earlier for Windows and Macintosh. This upgrade addresses
a vulnerability that could allow an attacker who successfully exploits
this vulnerability to take control of the affected system.

Adobe has released Adobe Flash Professional CS6, which addresses this
vulnerability. For users who cannot upgrade to Adobe Flash Professional
CS6, Adobe recommends users follow security best practices and exercise
caution when opening files from unknown or untrusted sources.


Learn more: http://click.mail.adobesystems.com/?qs=3f5b3a962338e2097a6130177034d0c8069d20e8a0efd3782cb082086c20ef5599512bd27b7c2166

Priority and Severity Ratings:
Adobe categorizes these updates as priority 3, addressing
critical vulnerabilities:
http://click.mail.adobesystems.com/?qs=3f5b3a962338e2093b58c07ab7b4f0623ed7675fa66db5f07e3e63773a9ba3188c5af27f7afdad25

============================================================

Security update available for Adobe Shockwave Player

Release date: May 8, 2012

Vulnerability identifier: APSB12-13

Priority: 2

CVE number: CVE-2012-2029, CVE-2012-2030, CVE-2012-2031, CVE-2012-2032, CVE-2012-2033

Platform: Windows and Macintosh

Summary

Adobe released a security update for Adobe Shockwave Player 11.6.4.634 and earlier versions for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to run malicious code on the affected system.

Adobe recommends users of Adobe Shockwave Player 11.6.4.634 and earlier for Windows and Macintosh update to Adobe Shockwave Player 11.6.5.635 using the instructions provided in the "Solution" section below.

Affected software versions

Shockwave Player 11.6.4.634 and earlier versions for Windows and Macintosh

Solution

Adobe recommends users of Adobe Shockwave Player 11.6.4.634 and earlier versions update to the newest version 11.6.5.635, available here: http://get.adobe.com/shockwave/.

Priority and Severity ratings

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

Product                  Updated Version   Platform                Priority Rating
Adobe Shockwave Player   11.6.5.635        Windows and Macintosh   2


This update addresses critical vulnerabilities in the software.

Details

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-2029).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-2030).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-2031).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-2032).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-2033).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

============================================================

Adobe Flash Player 11.3 Beta Offers Silent Updates for Macs, Sandboxing for Firefox

(May 7, 2012)

Adobe has released a beta version of Flash Player that includes silent updates for Mac OS X. The automated update tool queries Adobe servers every hour until it receives a response. If there is no update available once it reaches the servers, it waits 24 hours and begins the process again. If an update is found, it is automatically installed with no user interaction. Flash 11.3 has the automatic update feature switched on by default, but users have the option of changing that setting so that they get alerts on the screen. Flash 11.3 also includes a protected, or sandbox, mode for users running Firefox on Windows Vista or more current Windows operating systems.

http://www.computerworld.com/s/article/9226921/Adobe_preps_silent_Flash_updates_for_Macs?taxonomyId=17

http://www.h-online.com/security/news/item/Flash-11-3-to-bring-protected-mode-for-Firefox-1569608.html

============================================================

Security Bulletins for Adobe Photoshop CS5.5, Adobe Illustrator and Flash Professional

 

Adobe is reporting critical vulnerabilities for Photoshop CS5 and Illustrator indicating:

“Adobe released a security upgrade for Adobe Photoshop CS5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system”  -  and -  “Adobe released a security upgrade for Adobe Illustrator CS5.5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.”

 

These vulnerabilities are all critical and, if exploited, could lead to a compromise of the system without user interaction.  They exist in both the Mac and Windows versions of the software.  So be on the lookout for more updates for older versions of the Adobe CS suite.

The only other option for immediate remediation for CS 5 versions and older would be to upgrade to the Adobe Suite CS 6 versions of this software, which could be quite an expensive solution.  Note that Adobe is ‘working on’ fixes for the CS 5 and older versions, but they have not yet been released, so be on the lookout for further releases for these versions.

 

Update to Security Bulletins for Adobe Illustrator (APSB12-10), Adobe Photoshop (APSB12-11) and Adobe Flash Professional (APSB12-12)

 

We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt or by subscribing to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.

We just updated the following Security Bulletins initially posted on Tuesday, May 8, 2012:

======================================================

05/04/12

Critical 0-day patch for Adobe Flash Player

5/4/12

Adobe released a critical emergency update of Flash Player (v 11.2.203.235) to combat a 0-day flaw that has already been used in limited targeted attacks via malicious files delivered by email.  The current attacks exploit Flash Player in Internet Explorer on Windows machines, but all versions are vulnerable, so I advise users to update immediately if they do not already have the silent update option selected; that option was introduced with the last update of Flash Player (v 11.2.203.233 in March, 2012).  Even if you do have the silent updates selected, I strongly suggest you check to be sure you are updated to v 11.2.203.235.

 

If you cannot update to Flash Player 11.2.202.235, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.19, which can be downloaded here.

 

Affected Flash Player Versions –

Windows, Macintosh and Linux version 11.2.202.233 and earlier
Android 4.x version 11.1.115.7 and earlier
Android 3.x and 2.x version 11.1.111.8 and earlier

 

The actual vulnerability addressed is an object confusion vulnerability (CVE-2012-0779). If exploited, it could cause the application to crash and potentially allow an attacker to take control of the system. The security bulletin is posted here and the update can be downloaded here.

======================================================

04/10/12

Adobe Tuesday

 

Adobe has released new versions of Adobe Acrobat and Adobe Reader (v 10.1.3 and v 9.5.1) to address multiple Security issues in both Adobe Reader and the included Flash Player packages.  The four vulnerabilities are listed below:

 

All the vulnerabilities above allow for arbitrary code execution.

 

Adobe recommends users of Adobe Reader X (10.1.2) and
earlier versions for Windows and Macintosh update to Adobe
Reader X (10.1.3). For users of Adobe Reader 9.5 and earlier
versions for Windows and Macintosh, who cannot update to
Adobe Reader X (10.1.3), Adobe has made available the update
Adobe Reader 9.5.1.  Adobe recommends users of Adobe Reader
9.4.6 and earlier versions for Linux update to Adobe Reader
9.5.1.  Adobe recommends users of Adobe Acrobat X (10.1.2)
for Windows and Macintosh update to Adobe Acrobat X
(10.1.3). Adobe recommends users of Adobe Acrobat 9.5 and
earlier versions for Windows and Macintosh update to Adobe
Acrobat 9.5.1.

 

Manual download of the updates and various versions is here –

 

http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

 

 

Important Notes – for using the manual downloads and updates:

 

Users should be aware that the update for v 9.5.1 is an update package only and not a full version of the Reader.  If you are starting from scratch and need Adobe Reader 9, you need to download and install v 9.5.0 first and then download and install the v 9.5.1 update.

The same is true for the update for v 10.1.3, which is an update package only and not a full version of the Reader.  If you are starting from scratch and need Adobe Reader 10, you need to download and install v 10.1 first and then download and install v 10.1.1, followed by v 10.1.2, followed by v 10.1.3.

 

 

***************