Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat (APSA10-05)

A Security Advisory (APSA10-05) has been posted in regards to a new Flash Player, Adobe Reader and Acrobat issue (CVE-2010-3654). A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.

Adobe Reader and Acrobat 8.x, and Adobe Reader for Android are confirmed not vulnerable. Mitigations for Adobe Reader and Acrobat 9.x are included in the Security Advisory.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player 10.x for Windows, Macintosh, Linux and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.

We will continue to provide updates on this issue via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.

Security Advisory for Adobe Shockwave Player (APSA10-04)

A Security Advisory (APSA10-04) has been posted in regards to a new Adobe Shockwave Player issue (CVE-2010-3653). A critical vulnerability exists in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems. This vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system. While details about the vulnerability have been disclosed publicly, Adobe is not aware of any attacks exploiting this vulnerability against Adobe Shockwave Player to date.

We will continue to provide updates on this issue via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.

Alert: Adobe Reader Upgrade Email Spam/Phishing Scam

It has come to Adobe’s attention that email messages purporting to offer a download of a new version of Adobe Reader have been sent by entities claiming to be Adobe. Many of these emails are signed as “Adobe Acrobat Reader Support” (or similar), and in some instances require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf.

The Adobe Reader is free software available for download directly from the Adobe Reader download page on the Adobe website at http://get.adobe.com/reader/; it is not available in any other manner via download, including via email.

Customers receiving one of these emails should delete the email immediately without clicking on any of the links.

Security Bulletin – Adobe Shockwave Player

A Security Bulletin was posted today addressing critical security issues in Adobe Shockwave Player. Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions update to Adobe Shockwave Player 11.5.8.612, using the instructions provided in the Security Bulletin.

This posting is provided “AS IS” with no warranties and confers no rights.

Apple Security Update 2010-004 / Mac OS X v10.6.4 Shipping with Outdated Version of Adobe Flash Player

Earlier today, Apple released security update 2010-004 / Mac OS X v10.6.4. This update includes an earlier version of Adobe Flash Player (version 10.0.45.2) than is available from Adobe.com. While the Mac OS X v10.6.4 update does not appear to downgrade users who have already upgraded to Adobe Flash Player 10.1, Adobe recommends users verify they are using the latest, most secure version of Flash Player (10.1.53.64), available for download from http://www.adobe.com/go/getflashplayer.

To verify the Adobe Flash Player version number installed on your system (after applying the Mac OS X security update), access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe Flash Player” from the menu. If you use multiple browsers, checking in any one browser will verify the update for all browsers on Macintosh systems (on Windows, perform the check in each browser installed on your system).

This posting is provided “AS IS” with no warranties and confers no rights.

Alert: Adobe Security Update Email Spam/Phishing Scam

It has come to Adobe’s attention that email messages purporting to be a security directive to Adobe customers have been sent by entities claiming to be Adobe employees. Many of these emails are signed as “James Kitchin” from “Adobe Risk Management” (or similar). In these messages, recipients are directed to download instructions as well as a security update to address “CVE-2010-0193 Denial of Service Vulnerability” (or similar). Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf. Customers should not click on any links, or open or download any attachments contained in any of these emails.

Customers who subscribe to the Adobe Security Notification Service will receive email notifications that ONLY point to security advisories or security bulletins on the adobe.com domain (e.g. http://www.adobe.com/go/apsb10-09), and that NEVER link directly to an executable for a product security update or contain attachments that must be opened. Adobe product updates are only available (1) via the product’s automatic update feature or (2) from the Adobe website at http://www.adobe.com/downloads/updates/.

This posting is provided “AS IS” with no warranties and confers no rights.
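The two properties above (links only to the adobe.com domain, never directly to an executable) can be turned into a mechanical check on an incoming message. The following is an added example, not code from Adobe or the original post; the executable suffix list and the sample email are constructed assumptions modelled on the scam described here.

```python
import re
from urllib.parse import urlparse

# Genuine notifications link only to adobe.com (any subdomain of it is accepted).
TRUSTED_DOMAIN = "adobe.com"
# Assumption: representative installer/executable extensions, not a list from the post.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".scr", ".bat")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted_host(host):
    """True for adobe.com itself or a real subdomain; 'adobe.com.example' is rejected."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def classify_link(url):
    """Return (ok, reason). ok is True only for an http(s) URL on adobe.com whose
    path does not name an executable or installer."""
    p = urlparse(url)
    if p.scheme.lower() not in ("http", "https"):
        return False, "non-http scheme"
    # urlparse().hostname drops userinfo, so http://www.adobe.com@evil.example/
    # is seen as host evil.example rather than adobe.com.
    if not is_trusted_host(p.hostname):
        return False, "host %r is not on adobe.com" % p.hostname
    if p.path.lower().endswith(EXECUTABLE_SUFFIXES):
        return False, "links directly to an executable or installer"
    return True, "ok"


def suspicious_links(email_body):
    """Extract URLs from a message body and return those failing the check."""
    bad = []
    for url in URL_RE.findall(email_body):
        ok, reason = classify_link(url)
        if not ok:
            bad.append((url, reason))
    return bad


# Constructed sample message, modelled on the scam described in the post (not a real email).
SAMPLE_EMAIL = """\
From: James Kitchin, Adobe Risk Management
A critical update for CVE-2010-0193 is available. Download it now:
http://adobe.com.security-update.example/CVE-2010-0193/update.exe
Instructions: http://www.adobe.com@updates.example/instructions
Reference: http://www.adobe.com/go/apsb10-09
"""
```

Run against SAMPLE_EMAIL, `suspicious_links` flags the lookalike domain and the userinfo trick while leaving the genuine bulletin link alone.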

Apache HTTP Server Vulnerability Advisory for Adobe Flash Media Server Customers

An important vulnerability was recently identified in Apache HTTP Server version 2.2.14 and earlier (CVE-2010-0425: mod_isapi module unload flaw). The flaw in mod_isapi could result in an attempt to unload the ISAPI dll when encountering various error states. This could leave the callbacks in an undefined state and result in a segfault. On Windows platforms using mod_isapi, a remote attacker could send a malicious request to trigger this issue, and as win32 MPM runs only one process, this would result in a denial of service, and potentially allow arbitrary code execution. This vulnerability has been fixed in Apache httpd 2.2.15.

Adobe is issuing this blog post as an advisory for customers of Adobe Flash Media Server 3.5.x (Windows only), which ships with version 2.2.9 of Apache HTTP Server:

While Adobe Flash Media Server is not vulnerable to this exploit without specific configuration to support ISAPI-based actions, Adobe recommends customers disable the ISAPI module as a precaution.

To prevent the ISAPI module from loading, change the following line in the Flash Media Server Apache configuration at FMS_INSTALL_DIR/Apache2.2/conf/httpd.conf from

LoadModule isapi_module modules/mod_isapi.so
to
#LoadModule isapi_module modules/mod_isapi.so

If the ISAPI module is needed for your particular Apache distribution, Adobe recommends you update your Apache installation to version 2.2.15, which includes the patch to fix this vulnerability.

For documentation on the configurations Flash Media Server uses to determine its Apache location, visit http://help.adobe.com/en_US/FlashMediaServer/3.5_AdminGuide/WSE2A5A7B9-E118-496f-92F9-E295038DB7DB.html.

This posting is provided “AS IS” with no warranties and confers no rights.
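Across a fleet of Flash Media Server hosts the one-line edit above is easy to miss, so the check is worth scripting. The following is an added example, not code from Adobe or the Flash Media Server product; it assumes only that httpd.conf follows normal Apache syntax (directive names are case-insensitive, leading whitespace is allowed, and a line whose first non-blank character is # is a comment). The sample configuration is constructed.

```python
import re

# Constructed excerpt in the style of a Flash Media Server 3.5 httpd.conf (not from a real install).
SAMPLE_HTTPD_CONF = """\
ServerRoot "C:/Program Files/Adobe/Flash Media Server 3.5/Apache2.2"
Listen 80
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule isapi_module modules/mod_isapi.so
  LoadModule Isapi_Module modules/mod_isapi.so
#LoadModule isapi_module modules/mod_isapi.so
DocumentRoot "webroot"
"""

# Matches an ACTIVE LoadModule isapi_module directive: optional indentation, then the
# directive (case-insensitive). A line already starting with '#' cannot match.
_ISAPI_LOAD = re.compile(r"^(\s*)(LoadModule\s+isapi_module\b.*)$", re.IGNORECASE)


def active_isapi_lines(conf_text):
    """1-based line numbers of uncommented isapi_module LoadModule directives."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1) if _ISAPI_LOAD.match(line)]


def disable_isapi(conf_text):
    """Comment out every active isapi_module line, leaving everything else byte-for-byte.
    Returns (new_text, number_of_lines_changed)."""
    out, changed = [], 0
    for line in conf_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _ISAPI_LOAD.match(body)
        if m:
            # Keep the original indentation and line ending; insert '#' before the directive.
            out.append(m.group(1) + "#" + m.group(2) + line[len(body):])
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def harden_file(path):
    """Rewrite an httpd.conf in place, keeping a .bak copy; returns lines changed."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, changed = disable_isapi(text)
    if changed:
        with open(path + ".bak", "w", encoding="utf-8") as f:
            f.write(text)
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed
```

After the change, restart the Flash Media Server Apache service so the edited configuration is loaded; a clean run of `active_isapi_lines` on the file confirms no active directive remains.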

Adobe Download Manager issue

Adobe is aware of the recently posted report of a remote code execution vulnerability in the Adobe Download Manager. We are working with the researcher, Aviv Raff, and the third party vendor of this component to investigate and resolve the issue as quickly as possible. We will provide updates on this issue via the Adobe PSIRT blog and the Security Advisory section of the Adobe web site.

This posting is provided “AS IS” with no warranties and confers no rights.

Microsoft Security Advisory (979267)

Microsoft Windows XP redistributes an earlier version of Adobe Flash Player (version 6) that is no longer supported. Adobe discontinued support for Adobe Flash Player 6 in 2006. As always, Adobe recommends that users follow security best practices by updating to the latest, most secure version of Adobe Flash Player (currently version 10.0.42.34), which is available for download from the Adobe Flash Player Download Center. (See also Microsoft Security Advisory 979267 on this topic.)

This posting is provided “AS IS” with no warranties and confers no rights.

New Adobe Reader and Acrobat Vulnerability

This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324). We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog for the latest information.

This posting is provided “AS IS” with no warranties and confers no rights.