Posts in Category "Uncategorized"

October 20, 2011

Clickjacking issue in Adobe Flash Player Settings Manager

Adobe is aware of a report describing a clickjacking issue related to the online Flash Player Settings Manager. We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website. No user action or Flash Player product update is required.

This posting is provided “AS IS” with no warranties and confers no rights.

2:13 PM
September 20, 2011

Prenotification: Security Update for Flash Player

A Flash Player update is scheduled for release tomorrow, September 21, 2011. This update will address critical security issues in the product as well as an important universal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks.

We will continue to provide updates on the upcoming release via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.

4:18 PM
September 13, 2011

DigiNotar removed from Adobe Approved Trust List (AATL)

As discussed on the Security Matters blog, the Adobe Approved Trust List (AATL) has been updated to remove the certificate authority DigiNotar. Users of Adobe Reader and Acrobat X (version 10.x) will be automatically updated to this list. A future product update of Adobe Reader and Acrobat version 9.x will enable dynamic updates of the AATL. In the meantime, users of Adobe Reader and Acrobat 9 can manually remove DigiNotar using instructions provided in the September 9 blog post.

This posting is provided “AS IS” with no warranties and confers no rights.

5:00 PM
September 9, 2011

Update on DigiNotar removal from the Adobe Approved Trust List (AATL)

An update on the removal of the DigiNotar Qualified CA certificate from the Adobe Approved Trust List (AATL) following the recent DigiNotar breach has been posted on the Security Matters blog.

This posting is provided “AS IS” with no warranties and confers no rights.

4:56 PM
September 8, 2011

Update on DigiNotar and the Adobe Approved Trust List (AATL)

We are in the process of removing the DigiNotar Qualified CA certificate from the Adobe Approved Trust List (AATL) and will post an update on this action tomorrow.

In the meantime, users can manually remove these certificates from Adobe Reader and Acrobat* by following these steps:
(*Note that the AATL is only supported in Adobe Reader and Acrobat versions 9 and X.)
 
Adobe Reader Version 9
1)   Open Adobe Reader.
2)   Open the Document Menu and choose Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.
  
Adobe Acrobat Version 9
1)   Open Adobe Acrobat.
2)   Open the Advanced Menu and choose Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.
 
Adobe Reader and Acrobat X
1)   Open Adobe Reader or Acrobat.
2)   Open the Edit Menu->Protection->Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.

This posting is provided “AS IS” with no warranties and confers no rights.

5:13 PM
November 15, 2010

Alert: Adobe Acrobat/Reader Upgrade Email Spam/Phishing Scam

With Adobe Acrobat X solutions becoming available this week, we remind customers to be cautious when receiving email messages, sent by entities claiming to be Adobe, that purport to offer a download of a new version of Adobe Acrobat or Adobe Reader.

Many of these emails require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf.

The Adobe Reader, in particular, is free software available for download directly from the Adobe Reader download page on the Adobe website at http://get.adobe.com/reader/; it is not available in any other manner via download, including via email.

Customers receiving one of these potentially malicious emails should delete the email immediately without clicking on any of the links.

6:33 PM
November 4, 2010

Potential issue in Adobe Reader

Adobe is aware of a potential issue in Adobe Reader posted publicly today on the Full Disclosure list. A proof-of-concept file demonstrating a Denial of Service was published. Arbitrary code execution has not been demonstrated, but may be possible. We are currently investigating this issue. In the meantime, users of Adobe Reader 9.2 or later and 8.1.7 or later can utilize the JavaScript Blacklist Framework to prevent the issue by following the instructions below. Note that Adobe Acrobat is not affected by this issue.
Adobe Reader 9.2 and later and Adobe Reader 8.1.7 and later – Windows

On Windows, the JavaScript Blacklist can be in two locations. Please review the following options and then create the registry key of your choice:

Enterprise list: This blacklist helps enterprises roll out policies that block exploitable API(s) from executing in their environment. Populating the blacklist in this location is the responsibility of the enterprise. Adobe patches never modify this registry location.
To create the registry key:
HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms\tBlackList

Adobe’s update/patch list: The Adobe blacklist is modified by Adobe Reader patches whenever an API is deemed vulnerable. APIs are also removed from the blacklist whenever a fix for a vulnerability is provided by the current patch.
To create the registry key:
HKLM\SOFTWARE\Adobe\<product>\<version>\JavaScriptPerms\tBlackList

    On a 64 bit Windows system, the path is:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe

->To prevent this particular issue, add the following value to the registry key created in the previous step (case sensitive):
Doc.printSeps

->Exit and restart the application

Adobe Reader 9.2 and later and Adobe Reader 8.1.7 and later – Macintosh

  1. On your Macintosh computer, go to the Applications folder or to the location where you have Adobe Reader installed.
  2. Right-click on Adobe Reader
  3. Click on Show Package Contents
  4. Expand Contents
  5. Expand MacOS
  6. Expand Preferences
  7. Create a backup of the FeatureLockDown file.
  8. Right-click on FeatureLockDown.
  9. Open With TextEdit.
  10. Just before the last >> add the following line to the FeatureLockDown file (case sensitive):
    /JavaScriptPerms [ /c << /BlackList [ /t (Doc.printSeps) ] >> ]
  11. Save the file
  12. Restart Adobe Reader

Adobe Reader 9.2 and later – UNIX

  1. Go to the Global Prefs file at:
    /Reader/GlobalPrefs/reader_prefs
  2. Add the following line to the file:
    /JavaScriptPerms [/c << /BlackList [/t (Doc.printSeps) ] >> ]
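
As an added example (not Adobe's code and not part of the original post), the following Python helpers carry out the blacklist change described in the Windows, Macintosh and UNIX steps above: merging an API name into the tBlackList value, building the two HKLM subkeys the post lists, and inserting the /JavaScriptPerms line just before the final >> of the FeatureLockDown or reader_prefs file without duplicating it on a second run. The '|' separator between API names, the product and version subkey names ("Acrobat Reader", "9.0"), and the sample file contents are assumptions, not taken from the post.

```python
"""Apply the Adobe Reader JavaScript blacklist entry from the steps above.

Added example, not Adobe's own tooling. Assumptions (not stated on the page):
  * tBlackList is a REG_SZ whose API names are separated by '|'.
  * The Mac/UNIX line uses the same separator inside '/t (...)'.
  * The FeatureLockDown / reader_prefs file ends with a closing '>>'.
"""
import platform
import re

SEPARATOR = "|"
BLOCKED_API = "Doc.printSeps"  # the API named on the page for this issue

# Matches an existing blacklist line in either the Mac or UNIX spacing shown
# on the page, capturing the API list inside '/t ( ... )'.
BLACKLIST_LINE = re.compile(
    r"/JavaScriptPerms\s*\[\s*/c\s*<<\s*/BlackList\s*\[\s*/t\s*\(([^)]*)\)\s*\]\s*>>\s*\]"
)


def merge_blacklist(existing: str, api: str) -> str:
    """Return `existing` with `api` appended once; comparison is case sensitive."""
    entries = [e for e in existing.split(SEPARATOR) if e]
    if api not in entries:
        entries.append(api)
    return SEPARATOR.join(entries)


def blacklist_subkey(product: str, version: str, enterprise: bool, wow64: bool = False) -> str:
    """HKLM subkey that holds the tBlackList value, for the two locations on the page.

    The Wow6432Node redirection is applied only to the SOFTWARE\\Adobe list, which
    is where the page states it. Product/version strings such as "Acrobat Reader"
    and "9.0" are assumed by this example, not given on the page.
    """
    if enterprise:
        return rf"SOFTWARE\Policies\Adobe\{product}\{version}\FeatureLockDown\cJavaScriptPerms"
    node = r"SOFTWARE\Wow6432Node\Adobe" if wow64 else r"SOFTWARE\Adobe"
    return rf"{node}\{product}\{version}\JavaScriptPerms"


def apply_windows(subkey: str, api: str = BLOCKED_API) -> str:
    """Create or extend tBlackList under HKLM\\<subkey>; returns the value written.

    Runs only on Windows and needs rights to write HKLM; the merge logic is
    exercised separately so this function is never called off-platform.
    """
    if platform.system() != "Windows":
        raise RuntimeError("registry write is only possible on Windows")
    import winreg  # standard library, Windows only

    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                            winreg.KEY_READ | winreg.KEY_WRITE) as key:
        try:
            current, _ = winreg.QueryValueEx(key, "tBlackList")
        except FileNotFoundError:
            current = ""
        merged = merge_blacklist(current, api)
        winreg.SetValueEx(key, "tBlackList", 0, winreg.REG_SZ, merged)
    return merged


def add_to_lockdown_file(text: str, api: str = BLOCKED_API) -> str:
    """Return the FeatureLockDown/reader_prefs text with `api` blacklisted.

    If a /JavaScriptPerms blacklist line already exists, the API is merged into
    it (so a second run is a no-op); otherwise the line is inserted just before
    the final '>>', as the Macintosh step on the page instructs.
    """
    m = BLACKLIST_LINE.search(text)
    if m:
        merged = merge_blacklist(m.group(1), api)
        return text[:m.start(1)] + merged + text[m.end(1):]
    idx = text.rfind(">>")
    if idx == -1:
        raise ValueError("no closing '>>' found; refusing to guess where to insert")
    line = f"/JavaScriptPerms [ /c << /BlackList [ /t ({api}) ] >> ]\n"
    return text[:idx] + line + text[idx:]


# Constructed sample of a FeatureLockDown file for demonstration (not a real Adobe file).
SAMPLE_LOCKDOWN = "<<\n  /bEnableJS [ /b true ]\n>>\n"

if __name__ == "__main__":
    print(add_to_lockdown_file(SAMPLE_LOCKDOWN))
    print(blacklist_subkey("Acrobat Reader", "9.0", enterprise=True))
```

The file helper refuses to edit a file with no closing >> rather than appending blindly, and keeping the merge case sensitive matches the page's note that the value is case sensitive. Back up FeatureLockDown before writing the result, as step 7 above says.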

For more details, see the following Knowledge Base articles:
http://kb2.adobe.com/cps/504/cpsid_50431.html
http://kb2.adobe.com/cps/532/cpsid_53237.html

We will continue to provide updates on this issue via the Adobe PSIRT blog and/or the Security Advisory section of the Adobe website as appropriate.

November 8, 2010 Update:
We plan to resolve this issue in the update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions scheduled for release during the week of November 15, 2010, mentioned in Security Advisory APSA10-05. We have assigned CVE-2010-4091 to this issue. As of today, Adobe is not aware of any exploits in the wild or public exploit code for this issue.

This posting is provided “AS IS” with no warranties and confers no rights.

5:55 PM
October 28, 2010

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat (APSA10-05)

A Security Advisory (APSA10-05) has been posted in regards to a new Flash Player, Adobe Reader and Acrobat issue (CVE-2010-3654). A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.

Adobe Reader and Acrobat 8.x, and Adobe Reader for Android are confirmed not vulnerable. Mitigations for Adobe Reader and Acrobat 9.x are included in the Security Advisory.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player 10.x for Windows, Macintosh, Linux and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.

We will continue to provide updates on this issue via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.

7:20 AM
October 21, 2010

Security Advisory for Adobe Shockwave Player (APSA10-04)

A Security Advisory (APSA10-04) has been posted in regards to a new Adobe Shockwave Player issue (CVE-2010-3653). A critical vulnerability exists in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems. This vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system. While details about the vulnerability have been disclosed publicly, Adobe is not aware of any attacks exploiting this vulnerability against Adobe Shockwave Player to date.

We will continue to provide updates on this issue via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.

12:18 PM
September 13, 2010

Alert: Adobe Reader Upgrade Email Spam/Phishing Scam

It has come to Adobe’s attention that email messages purporting to offer a download of a new version of Adobe Reader have been sent by entities claiming to be Adobe. Many of these emails are signed as “Adobe Acrobat Reader Support” (or similar), and in some instances require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf.

The Adobe Reader is free software available for download directly from the Adobe Reader download page on the Adobe website at http://get.adobe.com/reader/; it is not available in any other manner via download, including via email.

Customers receiving one of these emails should delete the email immediately without clicking on any of the links.

10:49 AM