Adobe Product Security Incident Response Team (PSIRT)

Security Advisory - Flash Media Server

2008-09-02T19:31:16Z

A new Security Advisory for Flash Media Server 3.0 has just been posted. This Advisory points customers to a recent tech note that describes how to protect Flash Media Server video content from stream capture software, or ‘rippers’.

Clipboard attack

2008-08-20T00:44:38Z

We are aware of recent press reports about a potential “Clipboard attack” issue that involves Flash Player. Adobe is currently investigating potential solutions to this issue and will update customers as soon as we have more information to provide.

This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletin - Presenter

2008-08-08T21:23:18Z

We have just released a Security Bulletin and update for Presenter to resolve potential cross-site scripting issues in content generated by Presenter. In addition to updating Presenter installations, customers may need to update any content previously deployed on their websites. Presenter 7 customers can update any deployed instances of viewer.swf and loadflash.js with the new files installed with the update. Presenter 6 customers will need to be more careful, as the new viewer.swf file may be incompatible with Presenter 6 content – so content may need to be re-generated.

This posting is provided “AS IS” with no warranties and confers no rights

Verifying Installers

2008-08-04T19:26:50Z

We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.

We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious.

Second, all Adobe software for Windows is signed with a digital certificate that is validated by Windows when you install our software. The Publisher will always be ‘Adobe Systems, Incorporated’, and you can verify this when you double-click the installer, or by right-clicking on the installer, selecting ‘Properties’, and going to the ‘Digital Signatures’ tab.

For Flash Player in particular, you can always go to this page to verify what version of Flash Player you have installed, and what the current version of Flash Player is for your Operating System. The current Flash Player version is 9.0.124.0.

This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletin - RoboHelp Server

2008-07-08T21:30:29Z

Our Security Bulletin release today is for RoboHelp Server (versions 6 and 7), along with an update to resolve a cross-site scripting issue. The issue does not affect the RoboHelp desktop versions, just the RoboHelp Server product. Please see the Bulletin for more information.

This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletin - Reader and Acrobat

2008-06-24T01:01:51Z

We’ve just released a Security Bulletin for Reader and Acrobat 8.1.2, along with an update to resolve a critical issue. This issue does not affect Reader 7.1.0 or Acrobat 7.1.0, or the upcoming Acrobat 9 and Reader 9 releases (expected to be available by July). All customers with Reader 8.1.2 and Acrobat 8.1.2 are strongly encouraged to update to Reader or Acrobat 8.1.2 Security Update 1. Acrobat 7 and Reader 7 users should update to Acrobat 7.1.0 or Reader 7.1.0 if they haven't already.

This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletin – June 2008

2008-06-17T21:23:46Z

We’ve just released a Security Bulletin for Flex 3 along with an update to resolve a cross-site scripting issue. This bulletin affects History Management in Flex 3 SDK and Flex Builder 3. Please note that developers who use History Management will need to update their product installations as well as any already-deployed applications built with Flex 3. As noted in the bulletin, Flex 2 and Flex 2 content are not affected.

This posting is provided “AS IS” with no warranties and confers no rights

More information on recent Flash Player exploit

2008-05-30T00:28:26Z

Here’s some more information about the recent reports of Flash Player exploits in the wild that may help answer some of the questions we’ve been seeing:

- This is not a zero-day exploit. Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0.

- Although the original vulnerability, disclosed last month in Security Bulletin APSB08-11, affects all platforms (Mac, Windows, and Linux), all of the exploits we’ve seen so far target Windows users.

- The ‘campaign’ included SQL injection attacks and apparently took advantage of various other (non-Flash Player) vulnerabilities to redirect users from legitimate sites to malicious domains serving the exploit SWFs.

- Symantec and other major antivirus vendors have added detections for the exploits seen so far.

- The recent Flash Player 10 beta is also not vulnerable to this exploit.

Finally, at the risk of sounding repetitive, in order to make sure users are not vulnerable to these exploits, we strongly encourage users to download and install the latest Flash Player update, 9.0.124.0. No uninstall is necessary, just install the latest Flash Player. Customers using multiple browsers should perform the update for each browser installed on their system.

Potential Flash Player issue - update

2008-05-28T19:09:20Z

Here’s an update on our progress investigating the recent reports of a potential Flash Player exploit in the wild. The exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. We’re still looking in to the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.

UPDATE: We've just gotten confirmation from Symantec that all versions of Flash Player 9.0.124.0 are not vulnerable to these exploits. Again, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0. To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. Customers using multiple browsers are advised to perform the check for each browser installed on their system and update if necessary.

Thanks to Symantec for working very closely with us over the last 2 days to confirm that this is not a zero-day issue, and to Mark Dowd and wushi for originally reporting this issue.

This posting is provided “AS IS” with no warranties and confers no rights

Potential Flash Player issue

2008-05-27T19:05:28Z

Just a quick note to say we are aware of today’s report of a potential exploit involving Flash Player in the wild. We are working with Symantec to investigate the potential SWF vulnerability, and will have an update once we get more information.

UPDATE: This exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). We strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.

This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletins - May 2008

2008-05-07T01:59:43Z

We have just released an important update for Acrobat 7 and Adobe Reader 7 users, which resolves the issues previously mentioned in Security Advisory APSA08-01. If you have already updated to Reader 8.1.2 or Acrobat 8.1.2, you are all set. But, if you are using Acrobat 7, or if you are using Adobe Reader 7 and can’t update to Reader 8, please review Security Bulletin APSB08-13 and update your installations accordingly. As previously mentioned, we have heard reports of one of the issues being exploited in the wild, so please update if you haven’t already.

Also note that we released Security Advisory APSA08-05 for After Effects CS3 today, in response to a public posting of a BMP-handling vulnerability in After Effects. As mentioned in the advisory, it’s not a common workflow to use BMP files within After Effects, and most files used in the After Effects workflow come from trusted sources. That said, as always, we advise customers to exercise caution when receiving and opening files from untrusted sources.

This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletins - April 2008

2008-04-08T23:58:19Z

We’ve just released two security bulletins – first and foremost, there’s a Flash Player update announced in APSB08-11 that provides solutions for previously disclosed vulnerabilities (including the PWN2OWN Contest issue reported by Shane Macaulay) in Flash Player version 9.0.115.0 and earlier, and 8.0.39.0 and earlier. This is the update we’ve referred to in a couple of earlier posts. These potential vulnerabilities could allow someone who successfully exploits them to take control of the affected system, so we recommend users update to the latest version of Flash Player (ideally 9.0.124.0) available for their operating system by downloading it from the Player Download Center.

There are also security enhancements that provide further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007). Per our previous guidance about these potential issues, it’s recommended that content developers review this Adobe Developer Center article to determine if the security enhancements may affect their content, and begin implementing any necessary changes.

We’d like to thank all the researchers who reported the issues covered by this update – all the details are in the ‘Acknowledgments’ section, but we’d like to emphasize that we really appreciate the cooperation and help.

We also released a Security Bulletin for ColdFusion, APSB08-12 that resolves a pretty basic bug in the remoting-config.xml file that controls the access level to CFC methods for Flex 2 Remoting.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

CanSecWest 2008 Pwn2Own Contest

2008-04-03T01:35:26Z

On Friday March 28, 2008 during the CanSecWest 2008 security conference Shane Macaulay of Security Objectives uncovered a potential security issue with Flash Player. Adobe Product Incident Response Team (PSIRT) received information regarding the exploit from TippingPoint, who sponsored the contest, on Friday evening. After some internal investigation, we found that via our ongoing response and security testing process we were aware of the issue and had fixed it for our security update coming in the next Flash Player update later this month.

What should I do as a customer?

We have fixed the issue and it will be in our next update coming later this month. Adobe is not aware of any active exploits in wild. The security researchers have reported the information to us responsibly giving the Flash Player team time to investigate and deliver a patch to you. We will provide more information as it becomes available.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Preparing for April Flash Player 9 Security Update

2008-03-12T00:32:22Z

Quick note to let you know that we are giving advanced notice to our customers about some security enhancements in a security update to Flash Player scheduled for April 2008. This update may impact existing SWF content for some customers. The issues addressed are all previously disclosed – specifically, we’ll be providing further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007)

Note that Flash Player end users won’t be affected – all they need to do is update their Flash Player once the update goes live. But, if customers have SWF content on their websites, we’re advising them to review the upcoming Flash Player updates as described in this Adobe Developer Connection article to determine if their content will be impacted, and to begin implementing any necessary changes before the update is released.

Customers for whom the following situations apply should read the article in detail:
- Use of sockets or XMLSockets, regardless of the domain the SWF is connecting to
- Use of addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain OR Provides access to content on remote domains as a web service provider
- Use of SWFs that are exported for Flash Player 7 (SWF7) or below that communicate with the hosting HTML by any means
- Use of “javascript:” through network APIs to communicate outside a SWF

There’s lots of info in the article, which also links to technotes with more details about how to make the changes.

This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletins - March 11, 2008

2008-03-11T23:04:58Z

It’s been a busy day around here. We’ve released 5 Security Bulletins today, as follows:

- APSB08-06 - Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue
This one is specific to IIS6 installations of ColdFusion.

- APSB08-07 - Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue
This issue only affects CF apps where the Application.cfm or Application.cfc contains the setEncoding function.

- APSB08-08 - Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts
We’ve added functionality with this update to record failed admin log-in attempts in application.log

- APSB08-09 - Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0 Components
These issues are in ActiveX controls shipped with Form Designer and Form Client 5.0

- APSB08-10 - Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue
We’re asking LiveCycle Workflow 6.2 customers to contact their support rep to get this update.

And this Security Advisory:
- APSA08-01 - Privilege escalation issue in Adobe Reader 8.1.2 for Unix
We published this advisory in response to a recent SUSE update for this relatively minor issue.

This posting is provided “AS IS” with no warranties and confers no rights