Adobe Updates Various Plug-Ins

Adobe has released updates to address multiple vulnerabilities on both Windows and Mac platforms.

Systems affected:

  • Adobe Flash Player 11.5 and earlier
  • Adobe AIR 3.5 and earlier
  • Adobe Shockwave Player 11.6 and earlier

Adobe recommends that users of these products apply the updates. A remote unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page. Do this for each browser you use. Google Chrome automatically updates when new versions of Flash Player are available.

See the full security bulletins regarding Adobe Flash Player and Adobe Shockwave Player for more details and how to update to the newest versions.

Adobe Updates Flash and ColdFusion

Adobe has released updates for Flash and AIR which include high priority fixes for Flash Player on Windows. The vulnerabilities are being actively exploited in the wild. Three vulnerabilities are addressed: a buffer overflow, an integer overflow and a memory corruption problem, all of which, Adobe says, can lead to code execution. Adobe also released a security hotfix for ColdFusion 10; that issue is not currently being exploited in the wild. The fix is available for Windows, Mac OS X and UNIX.

Learn more in the news.

Unpatched Vulnerabilities in Java Plug-In and Adobe Certificate

An unpatched vulnerability has been spotted in all versions of Java. A security researcher from Security Explorations announced the bug discovery last Tuesday. He claims the impact of the issue is critical and says he was able to exploit it successfully. An attacker could use the exploit to run arbitrary code and remotely compromise a vulnerable system. If you have a Java plug-in for your browser, you are vulnerable. See these steps on how to unplug Java from a browser. Note that you may not be able to view websites properly with Java disabled.

In other news, Adobe says it will revoke a code signing certificate after discovering malware that was digitally signed by the certificate. Adobe is currently investigating what appears to be inappropriate use of an Adobe code signing certificate for Windows. A Microsoft spokeswoman stated: “Microsoft will take the appropriate action to help protect its customers,” and said people should contact Adobe for more information. According to Adobe, the vast majority of Adobe software for Windows will not be affected. The revocation of the certificate affects the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh. More information on the impact, and what to do, can be found on the Adobe support page.

Adobe Updates for Multiple Vulnerabilities

Update:

Here is some more information on the vulnerability in Photoshop. If a user opens a malicious GIF file with Photoshop CS 5.1 or earlier, the application could crash and an attacker could take control of the affected system.

The update for Adobe Photoshop CS 5.1 and earlier is unusual in that you cannot install it through the “check for updates” tool in Photoshop, nor is it accessible through the Adobe Application Manager, which is how other updates for the Adobe products are installed.

To obtain the standard multiplugin update for Adobe Photoshop CS 5.1 and earlier, click on the appropriate link below for your system:

Photoshop CS5/CS5.1 for Windows

Photoshop CS5/CS5.1 for Windows (Win64)

Photoshop CS5/CS5.1 Macintosh

Be sure to follow the installation instructions on the downloads page.

————————

There are multiple vulnerabilities found in various Adobe products. This month Adobe released updates to address these vulnerabilities.

Systems affected:

  • Shockwave Player 11.6 and earlier
  • Flash Media Server 4 and earlier
  • Adobe Flash Player 10.3 and earlier
  • Adobe AIR 2.7 and earlier
  • Adobe Photoshop CS5.1 and earlier
  • RoboHelp 9 and earlier

Users of these Adobe products should review the relevant security bulletins and follow the recommended solutions, which in most cases involve installing the newest update. An attacker may use these vulnerabilities to run malicious code (malware) or cause a denial of service on an affected system.

Click the links below to access the security bulletins for the affected systems:

Adobe Shockwave Player

Adobe Flash Media Server

Adobe Flash Player and AIR

Adobe Photoshop CS5

RoboHelp

Adobe Flash Player, Reader and Acrobat Vulnerabilities

Flash Player 10.2
A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris; Flash Player 10.2.156.12 and earlier for Android; and Adobe Flash Player 10.2.154.25 and earlier for Chrome users.

Adobe recommends that users of Flash Player update to version 10.2.159.1 (or Flash Player 10.2.154.27 for Chrome users), now available. Android users will have to wait until the week of April 25th for the update to version 10.2.156.12. Users of Adobe AIR should update to Adobe AIR 2.6.19140.

Read the security bulletin on Flash Player.

Download the latest Flash Player.

Reader 9 and 10
A critical vulnerability exists in the Authplay.dll component of Adobe Reader for Windows and Macintosh operating systems.

An update will be made available for Reader 9.4.3 and earlier for Windows and Macintosh and Reader X (10.0.1) for Macintosh the week of April 25th. Because Protected Mode would prevent an exploit in Adobe Reader X for Windows, Adobe will address this issue in the next quarterly security update scheduled for June 14, 2011.

Acrobat X
A critical vulnerability exists in the Authplay.dll component of Acrobat X (10.0.2) and earlier for Windows and Macintosh operating systems.

An update will be made available for Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh the week of April 25th.

Read the full bulletin from Adobe on all vulnerabilities.

Adobe Releasing Out-of-Band Patch This Week

Adobe says it will release emergency fixes for a critical flaw in Flash and Reader that is being actively exploited in targeted attacks to plant malware on vulnerable computers. The patches will be available the week of March 21, according to Adobe, and will address the problem in Adobe Flash Player 10 and Adobe Reader versions 9, 10 and X, with the exception of Reader X for Windows. That version of Reader ships with a sandbox feature that has blocked the attack thus far. The attackers are using specially crafted Microsoft Excel documents to exploit the flaw.

Read the full Adobe Security Advisory.

[Source: SANS.org]

Adobe Patches Critical Reader and Acrobat Flaws

Adobe released another out-of-band patch to fix critical flaws in Reader and Acrobat last week.

Systems affected:

  • Adobe Reader 9.4 and earlier
  • Adobe Acrobat 9.4 and earlier

The flaws could cause the application to crash or, more seriously, allow hackers to take control of the affected systems. The out-of-band updates also resolve a memory corruption vulnerability that could lead to code execution. The Reader flaw had been known about since the end of October and had already been exploited in the wild.

Read the full story at Computerworld.com.

Adobe Warns of Flaw in Reader, Acrobat, Flash

A new critical vulnerability is being exploited to attack computers running the PDF viewer software, Adobe warned last week. The vulnerability is not yet patched.

Systems affected:

  • Flash Player 10.1.85.3 and earlier versions for Windows, Mac, Linux and Solaris
  • Flash Player 10.1.95.2 and earlier versions for Android
  • Reader 9.4 and earlier versions for Windows, Mac and Unix
  • Acrobat 9.4 and earlier versions for Windows and Mac

Earlier in October, the company plugged 23 holes in Reader and Acrobat. Adobe is adding sandbox technology designed to add more layers of protection in the next version of Adobe Reader, Reader X, due out by mid-November.

Read the full story at cnet.com.

Adobe Reader and Acrobat Affected by Multiple Vulnerabilities

Adobe has released Security Bulletin APSB10-21, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.

Systems affected:

  • Reader and Acrobat 9.3.4 and earlier
  • Reader and Acrobat 8.2.4 and earlier

An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in, which can automatically open PDF documents hosted on a website, is available for multiple web browsers and operating systems.

These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.

Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB10-21 and update vulnerable versions of Adobe Reader and Acrobat.

[Source: US-CERT]

Adobe Updates Released

On August 11 and 19 Adobe released two out-of-cycle security bulletins to patch vulnerabilities discussed at the Black Hat USA 2010 security conference in July as well as vulnerabilities in Flash Player and AIR.

Systems affected:

  • Adobe Reader 9.3.3 and earlier versions
  • Adobe Acrobat 9.3.3 and earlier versions
  • Adobe Flash Player 10.1.53.64 and earlier 10.x versions
  • Adobe Flash Player 9.0.277.0 and earlier 9.x versions
  • Adobe AIR 2.0.2.12610 and earlier versions

Adobe recommends users update their software with the patches either through the auto-update mechanism or by downloading them from the Adobe Download Center. The next quarterly update is scheduled for October.

See the Security Bulletins for Adobe Flash and AIR and for Adobe Reader and Acrobat.
