by certifiedbug on November 6, 2012
in Microsoft
MSRC
6 Nov 2012 10:00 AM
Today, in conjunction with Adobe’s update process, we have revised Security Advisory 2755801 to address issues in Adobe Flash Player in Internet Explorer 10. Customers who have automatic updates enabled will not need to take any action because protections will be downloaded and installed automatically. Customers who do not use automatic updates should apply the guidance in the advisory immediately using update management software, or by checking the Microsoft Update service, to help ensure protection.
We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.
http://blogs.technet.com/b/msrc/archive/2012/11/06/security-advisory-2755801-revised-to-address-adobe-flash-player-issues-nov-6-2012.aspx
Reader X for Windows implements a sandbox architecture that opens PDF files in an isolated instance of the application. This helps protect a computer from malicious code that may be contained in a PDF file.
Adobe Reader Protected Mode represents an exciting new advancement in mitigating the impact of attempted attacks. While sandboxing is not a security silver bullet, it provides a strong additional level of defense against attacks. Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims’ computers.
http://blogs.adobe.com/asset/2010/11/adobe-reader-x-is-here.html
“Protected Mode” is enabled by default.
On the download page there is a pre-checked box to include McAfee Security Scan Plus. If you do not want this added to your download, uncheck the box before hitting “Download now”.
Note also that Adobe states, “You may have to temporarily disable your antivirus software.” I did not run into any issues leaving mine enabled, but it may depend on the AV you have installed.
On Tuesday, Adobe issued a Critical update to patch at least two security holes in its PDF Reader and Acrobat software.
Release date: November 16, 2010
Vulnerability identifier: APSB10-28
CVE numbers: CVE-2010-3654, CVE-2010-4091
Platform: All Platforms
In addition to addressing CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog (“Potential issue in Adobe Reader”), these updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-26.
Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1.
Note that these updates represent an out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.
http://www.adobe.com/support/security/bulletins/apsb10-28.html
Microsoft Malware Protection Center
Explore the CVE-2010-3654 matryoshka
http://blogs.technet.com/b/mmpc/archive/2010/11/16/explore-the-cve-2010-3654-matryoshka.aspx