Adobe Product Security Incident Response Team (PSIRT)

We have just released an important update for Acrobat 7 and Adobe Reader 7 users, which resolves the issues previously mentioned in Security Advisory APSA08-01. If you have already updated to Reader 8.1.2 or Acrobat 8.1.2, you are all set. But, if you are using Acrobat 7, or if you are using Adobe Reader 7 and can’t update to Reader 8, please review Security Bulletin APSB08-13 and update your installations accordingly. As previously mentioned, we have heard reports of one of the issues being exploited in the wild, so please update if you haven’t already.

Also note that we released Security Advisory APSA08-05 for After Effects CS3 today, in response to a public posting of a BMP-handling vulnerability in After Effects. As mentioned in the advisory, it’s not a common workflow to use BMP files within After Effects, and most files used in the After Effects workflow come from trusted sources. That said, as always, we advise customers to exercise caution when receiving and opening files from untrusted sources.

This posting is provided “AS IS” with no warranties and confers no rights

Posted by David Lenoe at 05:59 PM | Permalink | Comments (0)

We’ve just released two security bulletins – first and foremost, there’s a Flash Player update announced in APSB08-11 that provides solutions for previously disclosed vulnerabilities (including the PWN2OWN Contest issue reported by Shane Macaulay) in Flash Player version 9.0.115.0 and earlier, and 8.0.39.0 and earlier. This is the update we’ve referred to in a couple of earlier posts. These potential vulnerabilities could allow someone who successfully exploits them to take control of the affected system, so we recommend users update to the latest version of Flash Player (ideally 9.0.124.0) available for their operating system by downloading it from the Player Download Center.

There are also security enhancements that provide further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007). Per our previous guidance about these potential issues, it’s recommended that content developers review this Adobe Developer Center article to determine if the security enhancements may affect their content, and begin implementing any necessary changes.

We’d like to thank all the researchers who reported the issues covered by this update – all the details are in the ‘Acknowledgments’ section, but we’d like to emphasize that we really appreciate the cooperation and help.

We also released a Security Bulletin for ColdFusion, APSB08-12 that resolves a pretty basic bug in the remoting-config.xml file that controls the access level to CFC methods for Flex 2 Remoting.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Posted by David Lenoe at 03:58 PM | Permalink | Comments (0)

On Friday March 28, 2008 during the CanSecWest 2008 security conference Shane Macaulay of Security Objectives uncovered a potential security issue with Flash Player. Adobe Product Incident Response Team (PSIRT) received information regarding the exploit from TippingPoint, who sponsored the contest, on Friday evening. After some internal investigation, we found that via our ongoing response and security testing process we were aware of the issue and had fixed it for our security update coming in the next Flash Player update later this month.

What should I do as a customer?

We have fixed the issue and it will be in our next update coming later this month. Adobe is not aware of any active exploits in wild. The security researchers have reported the information to us responsibly giving the Flash Player team time to investigate and deliver a patch to you. We will provide more information as it becomes available.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Posted by Erick Lee at 05:35 PM | Permalink | Comments (1)

Quick note to let you know that we are giving advanced notice to our customers about some security enhancements in a security update to Flash Player scheduled for April 2008. This update may impact existing SWF content for some customers. The issues addressed are all previously disclosed – specifically, we’ll be providing further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007)

Note that Flash Player end users won’t be affected – all they need to do is update their Flash Player once the update goes live. But, if customers have SWF content on their websites, we’re advising them to review the upcoming Flash Player updates as described in this Adobe Developer Connection article to determine if their content will be impacted, and to begin implementing any necessary changes before the update is released.

Customers for whom the following situations apply should read the article in detail:
- Use of sockets or XMLSockets, regardless of the domain the SWF is connecting to
- Use of addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain OR Provides access to content on remote domains as a web service provider
- Use of SWFs that are exported for Flash Player 7 (SWF7) or below that communicate with the hosting HTML by any means
- Use of “javascript:” through network APIs to communicate outside a SWF

There’s lots of info in the article, which also links to technotes with more details about how to make the changes.

This posting is provided “AS IS” with no warranties and confers no rights

Posted by David Lenoe at 04:32 PM | Permalink | Comments (0)

It’s been a busy day around here. We’ve released 5 Security Bulletins today, as follows:

- APSB08-06 - Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue
This one is specific to IIS6 installations of ColdFusion.

- APSB08-07 - Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue
This issue only affects CF apps where the Application.cfm or Application.cfc contains the setEncoding function.

- APSB08-08 - Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts
We’ve added functionality with this update to record failed admin log-in attempts in application.log

- APSB08-09 - Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0 Components
These issues are in ActiveX controls shipped with Form Designer and Form Client 5.0

- APSB08-10 - Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue
We’re asking LiveCycle Workflow 6.2 customers to contact their support rep to get this update.

And this Security Advisory:
- APSA08-01 - Privilege escalation issue in Adobe Reader 8.1.2 for Unix
We published this advisory in response to a recent SUSE update for this relatively minor issue.

This posting is provided “AS IS” with no warranties and confers no rights

Posted by David Lenoe at 03:04 PM | Permalink