Tag Archives: Adobe

Krebs: Jan 14 Security Updates for Windows, Java, Flash & Reader

Krebs On Security

Adobe, Microsoft and Oracle today each issued security updates to fix serious vulnerabilities in their products. Adobe released patches for AIR, Acrobat, Flash and Reader, while Microsoft pushed out fixes to shore up at least a half dozen security weaknesses in Windows and Office. Oracle released an update for Java that fixes at least three dozen security holes in the widely-used program.

http://krebsonsecurity.com/2014/01/security-updates-for-windows-flash-reader/

Security Advisory 2755801 revised to address Adobe Flash Player issues

MSRC

6 Nov 2012 10:00 AM

Today, in conjunction with Adobe’s update process, we have revised Security Advisory 2755801 to address issues in Adobe Flash Player in Internet Explorer 10. Customers who have automatic updates enabled will not need to take any action because protections will be downloaded and installed automatically. Customers who do not use automatic updates should apply the guidance in the advisory immediately using update management software, or by checking the Microsoft Update service, to help ensure protection.

We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.

http://blogs.technet.com/b/msrc/archive/2012/11/06/security-advisory-2755801-revised-to-address-adobe-flash-player-issues-nov-6-2012.aspx

Adobe Flash Player Security update available

Adobe Product Security Incident Response Team (PSIRT) Blog

Today, a Security Bulletin (APSB11-05) has been posted to address a critical security issue (CVE-2011-0609) in Adobe Flash Player, as referenced in Security Advisory APSA11-01. This Security Bulletin affects Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris operating systems, and Adobe Flash Player 10.1.106.16 and earlier versions for Android. Adobe recommends users apply the updates for their product installations.

http://blogs.adobe.com/psirt/2011/03/security-update-available-for-adobe-flash-player-apsb11-05.html

Adobe Sandbox-Protected Reader X Available

Reader X for Windows implements a sandbox architecture that opens PDF files in an isolated instance of the application. This helps protect a computer from malicious code that may be contained in a PDF file.

Adobe Reader Protected Mode represents an exciting new advancement in mitigating the impact of attempted attacks. While sandboxing is not a security silver bullet, it provides a strong additional level of defense against attacks. Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims’ computers.

http://blogs.adobe.com/asset/2010/11/adobe-reader-x-is-here.html

“Protected Mode” is enabled by default.

On the download page there is a pre-checked box to include McAfee Security Scan Plus. If you do not want this added to your download, uncheck the box before hitting “Download now”.

Note also that Adobe states, “You may have to temporarily disable your antivirus software.” I did not run into any issues leaving mine enabled, but it may depend on the AV you have installed.

Adobe critical update

On Tuesday, Adobe issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software.

Release date: November 16, 2010
Vulnerability identifier: APSB10-28
CVE numbers: CVE-2010-3654, CVE-2010-4091
Platform: All Platforms

In addition to addressing CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog (“Potential issue in Adobe Reader”), these updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-26.

Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1.

Note that these updates represent an out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

http://www.adobe.com/support/security/bulletins/apsb10-28.html

Microsoft Malware Protection Center
Explore the CVE-2010-3654 matryoshka

http://blogs.technet.com/b/mmpc/archive/2010/11/16/explore-the-cve-2010-3654-matryoshka.aspx

Security updates available for Adobe Reader and Acrobat

Release date: October 5, 2010
Vulnerability identifier: APSB10-21

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.) Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

Note that the October 5, 2010 updates represent an accelerated release of the next quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on October 12, 2010. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

http://www.adobe.com/support/security/bulletins/apsb10-21.html

Adobe Secure Software Engineering Team Blog on sandboxing technology that will help contain malicious code execution.

Inside Adobe Reader Protected Mode – Part 1 – Design
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html

Adobe Flash Critical Vulnerability

Yes, another one…

September 13, 2010
Vulnerability identifier: APSA10-03

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

http://www.adobe.com/support/security/advisories/apsa10-03.html

September 8, 2010
Vulnerability identifier: APSA10-02

http://www.adobe.com/support/security/advisories/apsa10-02.html

Researchers clash over possible return of Google attackers

http://www.networkworld.com/news/2010/091410-researchers-clash-over-possible-return.html

Adobe Reader and Acrobat out-of-cycle Security updates available

August 19, 2010
All Platforms

Critical vulnerabilities have been identified in Adobe Reader 9.3.3 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.3 (and earlier versions) and Adobe Acrobat 8.2.3 (and earlier versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

These updates address CVE-2010-2862, which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. They also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.

Adobe recommends users of Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.4, Adobe has provided the Adobe Reader 8.2.4 update.) Adobe recommends users of Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.4. Adobe recommends users of Adobe Acrobat 8.2.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.4.

Note that today’s updates mentioned in this bulletin represent an out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for October 12, 2010.

http://www.adobe.com/support/security/bulletins/apsb10-17.html

Adobe Flash Player Security update available

Critical vulnerabilities have been identified in Adobe Flash Player version 10.1.53.64 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.1.53.64 and earlier versions update to Adobe Flash Player 10.1.82.76. Adobe recommends users of Adobe AIR 2.0.2.12610 and earlier versions update to Adobe AIR 2.0.3.

http://www.adobe.com/support/security/bulletins/apsb10-16.html

Adobe-Security updates available

Security bulletin

This update mitigates a social engineering attack that could lead to code execution (CVE-2010-1240).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-1285).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1295).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2168).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2201).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2202).

This update resolves a UNIX-only memory corruption vulnerability that could lead to code execution (CVE-2010-2203).

This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-2204).

This update resolves an uninitialized memory vulnerability that could lead to code execution (CVE-2010-2205).

This update resolves an array-indexing error vulnerability that could lead to code execution (CVE-2010-2206).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2207).

This update resolves a dereference deleted heap object vulnerability that could lead to code execution (CVE-2010-2208).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2209).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2210).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2211).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2212).

http://www.adobe.com/support/security/bulletins/apsb10-15.html