Posts in Category "Uncategorized"

Security Advisory for Adobe Shockwave Player (APSA10-04)

A Security Advisory (APSA10-04) has been posted regarding a new Adobe Shockwave Player issue (CVE-2010-3653). A critical vulnerability exists in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. While details about the vulnerability have been disclosed publicly, Adobe is not aware of any attacks exploiting this vulnerability against Adobe Shockwave Player to date.

We will continue to provide updates on this issue via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.

Alert: Adobe Reader Upgrade Email Spam/Phishing Scam

It has come to Adobe’s attention that email messages purporting to offer a download of a new version of Adobe Reader have been sent by entities claiming to be Adobe. Many of these emails are signed as “Adobe Acrobat Reader Support” (or similar), and in some instances require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf.

The Adobe Reader is free software available for download directly from the Adobe Reader download page on the Adobe website at http://get.adobe.com/reader/; it is not available in any other manner via download, including via email.

Customers receiving one of these emails should delete the email immediately without clicking on any of the links.

Security Bulletin – Adobe Shockwave Player

A Security Bulletin was posted today addressing critical security issues in Adobe Shockwave Player. Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions update to Adobe Shockwave Player 11.5.8.612, using the instructions provided in the Security Bulletin.


Apple Security Update 2010-004 / Mac OS X v10.6.4 Shipping with Outdated Version of Adobe Flash Player

Earlier today, Apple released security update 2010-004 / Mac OS X v10.6.4. This update includes an earlier version of Adobe Flash Player (version 10.0.45.2) than available from Adobe.com. While the Mac OS X v10.6.4 update does not appear to downgrade users who have already upgraded to Adobe Flash Player 10.1, Adobe recommends users verify they are using the latest, most secure version of Flash Player (10.1.53.64) available for download from http://www.adobe.com/go/getflashplayer.
To verify the Adobe Flash Player version number installed on your system (after applying the Mac OS X security update), access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe Flash Player” from the menu. If you use multiple browsers, checking on any one browser will verify the update for all browsers on Macintosh systems (on Windows, perform the check for each browser you have installed on your system).

Alert: Adobe Security Update Email Spam/Phishing Scam

It has come to Adobe’s attention that email messages purporting to be a security directive to Adobe customers have been sent by entities claiming to be Adobe employees. Many of these emails are signed as “James Kitchin” from “Adobe Risk Management” (or similar). In these messages, recipients are directed to download instructions as well as a security update to address “CVE-2010-0193 Denial of Service Vulnerability” (or similar). Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf. Customers should not click on any links, or open or download any attachments contained in any of these emails.
Customers who subscribe to the Adobe Security Notification Service will receive email notifications that ONLY point to security advisories or security bulletins on the adobe.com domain (e.g., http://www.adobe.com/go/apsb10-09), and that NEVER link directly to an executable for a product security update or contain attachments that must be opened. Adobe product updates are only available (1) via the product’s automatic update feature or (2) from the Adobe website at http://www.adobe.com/downloads/updates/.
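The three properties above (links only on adobe.com, no direct executable links, no attachments) can be checked mechanically by a mail filter. The following is an added example, not Adobe code; the function names, the list of executable extensions and the sample URLs other than the two adobe.com ones quoted in this post are assumptions.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "adobe.com"
# Assumption: which extensions count as "executable"; the post names none.
EXECUTABLE_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".bat", ".scr")

def host_is_adobe(url):
    """True only if the URL's real host is adobe.com or a subdomain of it.

    The parsed hostname is compared, never the raw string, so a host that
    merely starts with or contains "adobe.com" does not pass.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def review_notification(urls, attachments):
    """Return (reason, item) findings for a message claiming to be a notification."""
    findings = []
    for url in urls:
        if not host_is_adobe(url):
            findings.append(("off-domain link", url))
        if urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS):
            findings.append(("direct executable link", url))
    for name in attachments:
        findings.append(("attachment present", name))
    return findings

# Constructed sample data. The first two URLs are the ones quoted in this post.
LEGIT_URLS = ["http://www.adobe.com/go/apsb10-09",
              "http://www.adobe.com/downloads/updates/"]
SUSPECT_URLS = ["http://adobe.com.example.net/security/update.exe"]
SUSPECT_ATTACHMENTS = ["instructions.pdf"]

if __name__ == "__main__":
    print(review_notification(LEGIT_URLS, []))
    for finding in review_notification(SUSPECT_URLS, SUSPECT_ATTACHMENTS):
        print(finding)
```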

Apache HTTP Server Vulnerability Advisory for Adobe Flash Media Server Customers

An important vulnerability was recently identified in Apache HTTP Server version 2.2.14 and earlier (CVE-2010-0425: mod_isapi module unload flaw). The flaw in mod_isapi could result in an attempt to unload the ISAPI dll when encountering various error states. This could leave the callbacks in an undefined state and result in a segfault. On Windows platforms using mod_isapi, a remote attacker could send a malicious request to trigger this issue, and as win32 MPM runs only one process, this would result in a denial of service, and potentially allow arbitrary code execution. This vulnerability has been fixed in Apache httpd 2.2.15.
Adobe is issuing this blog post as an advisory for customers of Adobe Flash Media Server 3.5.x (Windows only), which ships with version 2.2.9 of Apache HTTP Server:
While Adobe Flash Media Server is not vulnerable to this exploit without specific configuration to support ISAPI-based actions, Adobe recommends customers disable the ISAPI module as a precaution.
To prevent the ISAPI module from loading, change the following line in the Flash Media Server Apache configuration at FMS_INSTALL_DIR/Apache2.2/conf/httpd.conf from

LoadModule isapi_module modules/mod_isapi.so
to
#LoadModule isapi_module modules/mod_isapi.so

If the ISAPI module is needed for your particular Apache distribution, Adobe recommends you update your Apache installation to version 2.2.15, which includes the patch to fix this vulnerability.
For documentation on the configurations Flash Media Server uses to determine its Apache location, visit http://help.adobe.com/en_US/FlashMediaServer/3.5_AdminGuide/WSE2A5A7B9-E118-496f-92F9-E295038DB7DB.html.
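The httpd.conf change described above can be applied and verified with a short script. This is an added example, not Adobe or Apache code: it comments out any active `LoadModule isapi_module` line and reports directives that still depend on mod_isapi, since leftover `ISAPI*` directives stop Apache from starting once the module is no longer loaded. The function name and sample configuration are constructed, and the script does not follow `Include` files or `<IfModule>` nesting.

```python
import re

# Active (uncommented) LoadModule line for mod_isapi. Directive names are
# case-insensitive and may be indented; DOTALL keeps the original line ending.
LOAD_RE = re.compile(r'^(\s*)(LoadModule\s+isapi_module\b.*)$',
                     re.IGNORECASE | re.DOTALL)
# Directives that only make sense while mod_isapi is loaded.
DEPENDS_RE = re.compile(r'^\s*(ISAPI\w+|AddHandler\s+isapi-handler)\b',
                        re.IGNORECASE)

def disable_isapi(conf_text):
    """Return (patched_text, disabled_line_numbers, dependent_directives)."""
    patched, disabled, dependents = [], [], []
    for n, line in enumerate(conf_text.splitlines(keepends=True), start=1):
        m = LOAD_RE.match(line)
        if m:
            # Same edit as in the advisory: prefix the directive with '#'.
            patched.append(m.group(1) + "#" + m.group(2))
            disabled.append(n)
            continue
        if DEPENDS_RE.match(line):
            dependents.append((n, line.strip()))
        patched.append(line)
    return "".join(patched), disabled, dependents

# Constructed sample, not a real Flash Media Server httpd.conf.
SAMPLE_CONF = """\
# constructed sample configuration
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
#LoadModule ldap_module modules/mod_ldap.so
AddHandler isapi-handler .dll
ISAPICacheFile c:/constructed/example.dll
"""

if __name__ == "__main__":
    text, disabled, dependents = disable_isapi(SAMPLE_CONF)
    print("commented out line(s):", disabled)
    for n, directive in dependents:
        print(f"line {n} still depends on mod_isapi: {directive}")
```

Any reported dependent directive means the server was configured for ISAPI-based actions; in that case the post's alternative (updating Apache to 2.2.15) applies rather than disabling the module alone.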

Adobe Download Manager issue

Adobe is aware of the recently posted report of a remote code execution vulnerability in the Adobe Download Manager. We are working with the researcher, Aviv Raff, and the third party vendor of this component to investigate and resolve the issue as quickly as possible. We will provide updates on this issue via the Adobe PSIRT blog and the Security Advisory section of the Adobe web site.

Microsoft Security Advisory (979267)

Microsoft Windows XP redistributes an earlier version of Adobe Flash Player (version 6) that is no longer supported. Adobe discontinued support for Adobe Flash Player 6 in 2006. As always, Adobe recommends that users follow security best practices by updating to the latest, most secure version of Adobe Flash Player (currently version 10.0.42.34), which is available for download from the Adobe Flash Player Download Center. (See also Microsoft Security Advisory 979267 on this topic.)

New Adobe Reader and Acrobat Vulnerability

This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324). We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog for the latest information.

Adobe Illustrator issue update

Adobe has confirmed the vulnerability in Adobe Illustrator reported recently (CVE-2009-4195). This vulnerability affects Adobe Illustrator CS4 (14.0.0) and Adobe Illustrator CS3 (13.0.3 and earlier) on the Windows and Macintosh platforms. We expect to publish a Security Advisory on Monday, December 7 with further information, including a schedule for an update to resolve the issue. As previously reported, a successful exploit of the vulnerability would require a local user to take the action of opening a malicious .eps file in Illustrator. Adobe recommends that customers avoid opening .eps files from unknown sources in Illustrator until a patch is available.