Heartbleed Update

Last week, industry security researchers announced a flaw in the OpenSSL encryption software library, known as “Heartbleed,” which can be used to cause a vulnerable system to reveal up to 64k of memory to an attacker.

Adobe has evaluated the Creative Cloud and its related services (including Behance and Digital Publishing Suite), the Marketing Cloud solutions and products (including Analytics, Analytics Premium and Experience Manager), EchoSign, Acrobat.com, the Adobe.com store, and other Adobe services. All Adobe internet-facing services known to have been using a version of OpenSSL containing the Heartbleed vulnerability have been mitigated. We are continuing our analysis of Adobe internet-facing servers to identify and remediate any remaining Heartbleed-related risks.

Some Adobe products and services do not bundle OpenSSL (such as ColdFusion, Experience Manager and Experience Manager On-Demand) but are frequently deployed by customers on-premises or with third-party web servers. We advise these customers to test for the Heartbleed vulnerability (CVE-2014-0160) against their deployment and configuration. If necessary, follow the recommendations provided by the OpenSSL security advisory as appropriate.

At this time, Adobe does not plan to initiate a password reset in response to the Heartbleed vulnerability; however, it is always a good practice to change passwords from time to time. We strongly recommend that you change your Adobe password if you use the same user ID and password for your Adobe ID as on other websites, so that a compromise of your username and password on a non-Adobe service does not put your Adobe ID at risk.

Security updates available for Adobe Flash Player (APSB14-09)

A Security Bulletin (APSB14-09) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.

Security update available for Adobe Shockwave Player (APSB14-10)

A Security Bulletin (APSB14-10) has been published regarding an update for Adobe Shockwave Player 12.0.9.149 and earlier for Windows and Macintosh. This update addresses a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system. Adobe recommends users of Adobe Shockwave Player 12.0.9.149 and earlier versions update to Adobe Shockwave Player 12.1.0.150 using the instructions referenced in the security bulletin.

This posting is provided “AS IS” with no warranties and confers no rights.

Security updates available for Adobe Flash Player (APSB14-08)

A Security Bulletin (APSB14-08) has been published regarding updates for Adobe Flash Player. These security updates address important vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.

Security updates available for Adobe Flash Player (APSB14-07)

A Security Bulletin (APSB14-07) has been published regarding an update for Adobe Flash Player. This security update addresses critical vulnerabilities that could potentially allow an attacker to remotely take control of the affected system.

Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.

Security update available for Adobe Shockwave Player (APSB14-06)

A Security Bulletin (APSB14-06) has been published regarding an update for Adobe Shockwave Player 12.0.7.148 and earlier for Windows and Macintosh. This update addresses critical vulnerabilities that could potentially allow an attacker to remotely take control of the affected system. Adobe recommends users of Adobe Shockwave Player 12.0.7.148 and earlier versions update to Adobe Shockwave Player 12.0.9.149 using the instructions referenced in the security bulletin.

Security updates available for Adobe Flash Player (APSB14-04)

A Security Bulletin (APSB14-04) has been published regarding a critical vulnerability (CVE-2014-0497) in Adobe Flash Player 12.0.0.43 and earlier for Windows and Macintosh. This vulnerability could allow an attacker to remotely take control of the affected system.

Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users apply the updates referenced in the security bulletin.

Adobe Security Bulletins Posted

Today, we released the following Security Bulletins:

Customers of the affected products should consult the relevant Security Bulletin(s) for details.

Prenotification: Upcoming Security Updates for Adobe Reader and Acrobat (APSB14-01)

A prenotification Security Advisory has been posted regarding upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, January 14, 2014.

We will continue to provide updates on the upcoming release via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

Alert: Adobe License Key Email Scam

Adobe is aware of reports that a phishing campaign is underway involving malicious email purporting to deliver license keys for a variety of Adobe offerings. Customers who receive one of these emails should delete it immediately without downloading attachments or following hyperlinks that may be included in the message.

For more information on protecting yourself from phishing attempts, please visit http://www.adobe.com/security/prevent-phishing.html
