Adobe Product Security Incident Response Team (PSIRT)

Potential ColdFusion security issue

Fri, 03 Jul 2009 20:02:12 -0800

Adobe is aware of reports of ColdFusion websites being compromised through a vulnerability in the FCKEditor rich text editor, which is installed with ColdFusion 8. Adobe is working on an update to ColdFusion to resolve the issue, which we expect to make available next week. In the meantime, ColdFusion 8 administrators are advised to mitigate this issue by following the steps below:

1. Disable connectors by setting config.Enabled to false in the editor/filemanager/connectors/cfm/config.cfm file.
2. Remove unused cfm files under editor/filemanager/connectors/cfm directory of the FCKeditor.
3. Inspect FCKeditor directories for content that has already been uploaded. The uploaded files go under the directory specified in the config.UserFilesPath set in config.cfm.

This posting is provided "AS IS" with no warranties and confers no rights.

Security Bulletin - Adobe Shockwave Player

Tue, 23 Jun 2009 11:00:00 -0800

A Security Bulletin has been posted for Shockwave Player. Adobe is not currently aware of any exploits in the wild for this issue.

This posting is provided "AS IS" with no warranties and confers no rights.

Adobe Reader for Unix updates available

Tue, 16 Jun 2009 13:49:00 -0800

We released security updates for Adobe Reader 9.1.2 for Unix and Adobe Reader 8.1.6 for Unix today. Our June 9 Security Bulletin APSB09-07 has been updated to reflect the availability of these updates. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

Security Bulletin - Adobe Reader and Acrobat

Tue, 09 Jun 2009 14:09:00 -0800

Today we posted a Security Bulletin and provided Adobe Reader and Acrobat patches to our Product Update area. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts. Today’s updates also address externally reported issues, as detailed in our Security Bulletin. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

Adobe Security Bulletin Advance Notification

Thu, 04 Jun 2009 14:58:29 -0800

Adobe expects to deliver security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday, June 9. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts.

Adobe considers this a critical update and recommends users be prepared to apply the update for their product installations. Details of where to download updates will be posted to Adobe’s Security Bulletins and Advisories support page on June 9.

Details regarding security updates for the UNIX platform will be communicated when available.

This posting is provided “AS IS” with no warranties and confers no rights.

Security Bulletin - Adobe Reader and Acrobat

Tue, 12 May 2009 14:50:59 -0800

Today, we have posted a Security Bulletin and provided Adobe Reader and Acrobat patches to our Product Update area. This update resolves the vulnerabilities from Security Advisory APSA09-02. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

Adobe Reader Issue Update

Fri, 01 May 2009 13:56:59 -0800

A Security Advisory has been posted in regards to the Adobe Reader vulnerability last mentioned in the Adobe PSIRT blog on April 28 (“Update to Adobe Reader Issue”, CVE-2009-1492). We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009. Adobe plans to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X.

Additionally, we have confirmed the second vulnerability (CVE-2009-1493) for Adobe Reader for Unix (first mentioned in our April 28 post). This issue will be resolved in the upcoming Adobe Reader for Unix updates. Currently, we have not been able to reproduce an exploitable scenario for Windows and Macintosh, but we will continue to investigate.

In the meantime, to mitigate both issues disable JavaScript in Adobe Reader and Acrobat using the following instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK
Adobe is in contact with Antivirus and Security vendors regarding both of these issues in order to ensure the security of our mutual customers.

We will continue to provide updates on these issues via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.

Security Bulletin - Flash Media Server

Thu, 30 Apr 2009 11:20:18 -0800

We’ve just posted a Security Bulletin and update for Flash Media Server. The update addresses a potential privilege escalation issue in Flash Media Server.

This posting is provided “AS IS” with no warranties and confers no rights

Update on Adobe Reader Issue

Tue, 28 Apr 2009 13:35:10 -0800

This is an update on the Adobe Reader vulnerability first discussed on the Adobe PSIRT blog on April 27 (“Potential Adobe Reader Issue”). All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for the following supported versions and platforms to resolve this issue: Windows (9.x, 8.x, 7.x), Macintosh (9.x, 8.x) and Unix (9.x, 8.x). We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue. To mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

In addition, Adobe is in contact with Antivirus and Security vendors on this issue in order to ensure the security of our mutual customers.

Adobe is also currently investigating the issue posted on SecurityFocus as BID 34740.

We will continue to provide updates on these issues via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.

Potential Adobe Reader Issue

Mon, 27 Apr 2009 18:20:50 -0800

Adobe is aware of reports of a potential vulnerability in Adobe Reader 9.1 and 8.1.4, as described in SecurityFocus BID 34736. We are currently investigating, and will have an update once we get more information.

This posting is provided “AS IS” with no warranties and confers no rights

Adobe Reader for Unix updates available

Tue, 24 Mar 2009 12:39:24 -0800

Today, we have released the Adobe Reader 9.1 for Unix, and Adobe Reader 8.1.4 for Unix updates. These updates resolve the JBIG2 vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03. As mentioned previously, there are reports that this issue is being exploited.

In addition, the updates released today, as well as the most recent updates for Windows and Macintosh - Adobe Reader 9.1, 8.1.4, and 7.1.1, and Acrobat 9.1, 8.1.4, and 7.1.1 - address four additional, critical JBIG2 security issues. Adobe has worked with the security researchers who reported these additional issues and is communicating about them today, now that updates for all platforms are available. We appreciate the cooperation of these security researchers - Sean Larsson of iDefense Labs, Jonathan Brossard from iViZ Security Research Team, Will Dormann of CERT/CC, and Alin Rad Pop of Secunia Research. We are not aware of any exploits in the wild for any of the additional JBIG2 issues newly disclosed today in Security Bulletin APSB09-04.

This posting is provided “AS IS” with no warranties and confers no rights

Adobe Reader and Acrobat updates for Windows and Macintosh available

Wed, 18 Mar 2009 11:10:16 -0800

Today, we have released the Acrobat 8.1.4 and 7.1.1, and Adobe Reader 8.1.4 and 7.1.1, updates for Windows and Macintosh. These updates resolve the vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03. There are reports that this issue is being exploited.

In addition, the updates address other critical security issues. The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve a critical issue that has already been addressed in the Adobe Reader 8.1.3 and Acrobat 8.1.3 updates. The Adobe Reader 7.1.1 and Acrobat 7.1.1 updates resolve critical issues previously addressed in Adobe Reader 8.1.3 and 9.0, and Acrobat 8.1.3 and 9.0.

Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24.

This posting is provided “AS IS” with no warranties and confers no rights

Adobe Reader and Acrobat 9.1 update available

Tue, 10 Mar 2009 11:19:57 -0800

Today, we posted the Adobe Reader 9.1 and Acrobat 9.1 update, which resolves the recent JBIG2 security issue (CVE-2009-0658), including the ‘no-click’ variant of the vulnerability. We encourage all Adobe Reader users to download and install the free Adobe Reader 9.1. The Adobe Reader 9.1 update is available here. Acrobat 9 users should refer to the Security Bulletin for download details. We expect updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, to be available by March 18. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25. In the meantime, for Adobe Reader 7 and 8 users who are unable to update to Adobe Reader 9.1, as well as Acrobat 7 and 8 users, more information on immediate protection for this issue from anti-virus and security vendors is available in the post directly below.

This posting is provided “AS IS” with no warranties and confers no rights

Adobe Reader and Acrobat Issue update

Tue, 24 Feb 2009 17:46:26 -0800

This is an update on the Adobe Reader and Acrobat issue (CVE-2009-0658) discussed in Security Advisory APSA09-01. As mentioned previously, Adobe currently plans to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th. In addition, Adobe is also planning to make updates available for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18th.

We have seen reports that disabling JavaScript in Adobe Reader and Acrobat can protect users from this issue. Disabling JavaScript provides protection against currently known attacks. However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk. Keeping this in mind, should users choose to disable JavaScript, it can be accomplished following the instructions below:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

In addition, Adobe continues its contact with Antivirus and Security vendors on this issue in order to ensure the security of our mutual customers. We are now able to report that the following Antivirus and Security vendors and related products provide protections and information regarding this vulnerability:

Bitdefender

BitDefender has provided info that their customers using the following products are protected from attacks against this exploit:

• BitDefender Antivirus 2009: http://www.bitdefender.com/PRODUCT-2216-en--BitDefender-Antivirus-2009.html
• BitDefender Internet Security 2009: http://www.bitdefender.com/PRODUCT-2217-en--BitDefender-Internet-Security-2009.html
• BitDefender Total Security 2009: http://www.bitdefender.com/PRODUCT-2214-en--BitDefender-Total-Security-2009.html

Checkpoint:
Check Point customers using Check Point Security Gateway products are protected from attacks exploiting this vulnerability, provided that the appropriate protection is activated. For more details and precise list of products, see http://www.checkpoint.com/defense/advisories/public/2009/sbp-24-Feb.html

F-Secure
F-Secure Anti-Virus 2009:
http://www.f-secure.com/home_user/products_a-z/fsav2009.html
F-Secure Internet Security 2009:
http://www.f-secure.com/home_user/products_a-z/fsis2009.html
F-Secure Client Security:
http://www.f-secure.com/small_businesses/products/fscs.html
F-Secure Online Scanner (free to use):
http://support.f-secure.com/enu/home/ols.shtml
F-Secure Anti-Virus for Windows Servers:
http://www.f-secure.com/small_businesses/products/fsavsrv.html
F-Secure Internet Gatekeeper (Windows and Linux)
http://www.f-secure.com/small_businesses/products/fsigk.html
F-Secure Anti-Virus for MS Exchange:
http://www.f-secure.com/small_businesses/products/fsavmse.html
F-Secure Secure Messaging Gateway:
http://www.f-secure.com/small_businesses/products/fsmsgx.html

McAfee:
Enterprise: http://www.mcafee.com/us/enterprise/products/system_security/servers/virusscan_enterprise.html
Consumer: http://us.mcafee.com/
Desktop: http://www.mcafee.com/us/enterprise/products/system_security/clients/host_intrusion_prevention_desktop_server.html
Server: http://www.mcafee.com/us/enterprise/products/system_security/servers/host_intrusion_prevention_server.html
Intrushield - Network IPS: http://www.mcafee.com/us/enterprise/products/network_intrusion_prevention/network_security_platform.html

Microsoft:
Microsoft Corporation products protecting against Exploit:Win32/Pidief and variants:
Microsoft Forefront Client Security
Microsoft Windows Live OneCare
Microsoft Windows Live OneCare safety scanner

Sophos
Here is the list of Sophos products that protect in one way or another against exploits attempting to exploit the vulnerability:

Sophos Endpoint Security and Control - http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/ using HIPS buffer overflow protection and anti-malware protection engine.
Sophos Web Security Appliance - http://www.sophos.com/products/enterprise/web/security-and-control/, using anti-malware protection engine and URL filtering.
Sophos PureMessage (all platforms) - http://www.sophos.com/products/enterprise/email/security-and-control/, using anti-malware and anti-spam protection engines.

Sourcefire 3D System
http://www.sourcefire.com/products/snort/rules/advisories/sa022009.html

OpenSource Snort
http://www.snort.org/vrt/advisories/vrt-rules-2009-02-20.html
http://www.snort.org/vrt/advisories/vrt-rules-2009-02-24.html

ClamAV
http://www.clamav.net

Trend Micro:
Product link: http://us.trendmicro.com/us/products/enterprise/officescan-client-server-edition/index.html
Overview: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPIDIEF%2EIN

We will continue to provide updates on this issue via Adobe’s Security Advisory and the PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletins – Flash Player and RoboHelp

Tue, 24 Feb 2009 13:44:32 -0800

We have just published a Security Bulletin and corresponding updates for Flash Player, and a Security Bulletin and updates for RoboHelp. The RoboHelp Security Bulletin addresses two issues; one of them only affects RoboHelp Server installations.

This posting is provided “AS IS” with no warranties and confers no rights