Adobe Product Security Incident Response Team (PSIRT)

Security Bulletin - Adobe Photoshop Elements

2009-11-10T16:52:00Z

Today we posted a Security Bulletin to address a moderate security issue in Adobe Photoshop Elements.

This posting is provided "AS IS" with no warranties and confers no rights.

Security Bulletin - Adobe Shockwave Player

2009-11-03T19:08:00Z

A Security Bulletin was posted today addressing critical security issues in Adobe Shockwave Player.

This posting is provided "AS IS" with no warranties and confers no rights.

Second quarterly security update released for Adobe Reader and Acrobat

2009-10-13T18:29:21Z

Today a Security Bulletin has been posted in regards to the second quarterly security update for Adobe Reader and Acrobat. The update addresses critical security issues in the products; Adobe recommends that users apply the update for their product installations. Please note that with support for Adobe Reader 7.X and Acrobat 7.X ending in December 2009, this is the last scheduled update planned for Adobe Reader 7.X and Acrobat 7.X.

The Adobe Reader and Acrobat 9.2 and 8.1.7 updates will include a new update and deployment tool, initially shipping in a passive, beta state, which will be functional for Acrobat and Adobe Reader customers in the near future, as well as two new changes in security user interface and control. More information on this is available here.

This posting is provided "AS IS" with no warranties and confers no rights.

Pre-Notification - Quarterly Security Update for Adobe Reader and Acrobat

2009-10-08T16:53:31Z

A Security Advisory has been posted in regards to the upcoming Adobe Reader and Acrobat updates scheduled for October 13, 2009. The updates address critical security issues in the products, including a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459), as described in a separate PSIRT blog post today. The updates will be made available for Windows, Macintosh and UNIX, and represent the second quarterly security update for Adobe Reader and Acrobat.

We will continue to provide updates on the upcoming release via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

This posting is provided "AS IS" with no warranties and confers no rights.

Adobe Reader and Acrobat issue

2009-10-08T16:50:06Z

Adobe is aware of reports of a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows.

Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.

We wish to thank Chia-Ching Fang and the Information and Communication Security Technology Center for their help with reporting and investigating this issue (CVE-2009-3459).

We will continue to provide updates on this issue via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

This posting is provided "AS IS" with no warranties and confers no rights.

Potential Photoshop Elements 8.0 issue

2009-09-30T02:38:27Z

Adobe is aware of a report of improper service permissions potentially leading to a local privilege escalation issue in Photoshop Elements 8.0 (CVE-2009-3489). We are currently investigating this issue and will have an update once we have more information. For clarity, please note that "local privilege escalation" means that valid login credentials and/or physical access to a computer is required for service permissions to be altered. It would not be possible to exploit this issue from a remote source over the internet, for instance.

This posting is provided "AS IS" with no warranties and confers no rights.

Security Bulletin Posted for RoboHelp Server 8

2009-09-18T15:04:00Z

A Security Bulletin has been posted in regards to the RoboHelp Server 8 issue last mentioned in the Adobe PSIRT blog on September 9 ("Update on RoboHelp Server 8 Issue", CVE-2009-3068). Adobe categorizes this as a critical issue and recommends affected users patch their installations.

This posting is provided "AS IS" with no warranties and confers no rights.

Update on RoboHelp Server 8 Issue

2009-09-09T15:18:00Z

A Security Advisory has been posted in regards to the RoboHelp Server 8 issue last mentioned in the Adobe PSIRT blog on September 3 ("Potential RoboHelp Server 8 Issue", CVE-2009-3068). A critical vulnerability exists in the current version of RoboHelp Server 8. This vulnerability could result in an unauthenticated user uploading and executing arbitrary code.

We are in the process of developing a fix for the issue, and expect to provide an update by September 18, 2009.

We will continue to provide updates on this issue via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

This posting is provided "AS IS" with no warranties and confers no rights.

Potential RoboHelp Server 8 Issue

2009-09-04T01:33:25Z

Adobe is aware of reports of a remote pre-authentication exploit in RoboHelp Server 8. We are currently investigating this potential issue and will have an update once we get more information.

This posting is provided "AS IS" with no warranties and confers no rights.

Flash Player update and Snow Leopard

2009-09-02T22:57:00Z

The initial release of Mac OS X 10.6 (Snow Leopard) includes an earlier version of Adobe Flash Player than what is available from Adobe.com. We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18) -- which supports Snow Leopard and is available for download from http://www.adobe.com/go/getflashplayer.

This posting is provided "AS IS" with no warranties and confers no rights.

New Version of Download Manager for Adobe Reader Available

2009-08-27T17:37:00Z

A new version of the download manager for Adobe Reader is live. This new version resolves the Moderate local privilege escalation issue discussed in an Adobe PSIRT blog post on July 22.

No action is required for users downloading Adobe Reader from http://get.adobe.com/reader/. Users who previously downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ can verify they are not vulnerable to this download manager issue by checking the following:

Ensure that the C:\Program Files\NOS folder and its contents are not present on your system.

Click "Start" > "Run" and type "services.msc". Ensure that "getPlus(R) Helper" from the list of services.

If the NOS files are found, the download manager issue can be mitigated by:

Deleting the C:\Program Files\NOS folder and its contents
Click "Start" > "Run" and type "services.msc". Delete "getPlus(R) Helper" from the list of services

Note: As mentioned in a late July Adobe Security Bulletin and PSIRT blog post, we want to remind users Adobe is planning its next quarterly security update for Adobe Reader and Acrobat for Tuesday, October 13.

This posting is provided "AS IS" with no warranties and confers no rights.

Security Bulletin - Flex 3.3 SDK

2009-08-19T17:24:00Z

A Security Bulletin for Flex 3.3 SDK was posted today. Adobe is not currently aware of any exploits in the wild for the security vulnerability fixed in this release.

This posting is provided "AS IS" with no warranties and confers no rights.

Security Bulletin - ColdFusion

2009-08-17T17:43:00Z

Today we posted a Security Bulletin for ColdFusion and JRun. Adobe is not currently aware of any exploits in the wild for the security vulnerabilities fixed in this release.

This posting is provided "AS IS" with no warranties and confers no rights.

Update to APSB09-10 Security Bulletin

2009-07-31T17:45:00Z

Information about and links to the Adobe Reader and Acrobat patches have been added to yesterday's Security Bulletin last mentioned in the Adobe PSIRT blog on July 30 ("Security Bulletin Posted for Adobe Flash Player", CVE-2009-1862). Adobe categorizes these as critical issues and recommends affected users patch their installations.

Note: As a result of this out-of-cycle Adobe Reader and Acrobat update, Adobe is planning its next quarterly security update for Adobe Reader and Acrobat for Tuesday, Oct. 13.

This posting is provided "AS IS" with no warranties and confers no rights.

Security Bulletin Posted for Adobe Flash Player

2009-07-30T20:34:00Z

A Security Bulletin has been posted in regards to the Adobe Flash Player issues last mentioned in the Adobe PSIRT blogs on July 28 ("Impact of Microsoft ATL vulnerability on Adobe Products", CVE-2009-0901, CVE-2009-2495, CVE-2009-2493) and July 22 ("Update on Adobe Reader, Acrobat and Flash Player Issue", CVE-2009-1862). Adobe categorizes these as critical issues and recommends affected users patch their installations.

This posting is provided "AS IS" with no warranties and confers no rights.