July 31, 2009

Update to APSB09-10 Security Bulletin

Information about and links to the Adobe Reader and Acrobat patches have been added to yesterday's Security Bulletin, APSB09-10, last mentioned in the Adobe PSIRT blog on July 30 ("Security Bulletin Posted for Adobe Flash Player", CVE-2009-1862). Adobe categorizes these as critical issues and recommends that affected users patch their installations.

Note: As a result of this out-of-cycle Adobe Reader and Acrobat update, Adobe is planning its next quarterly security update for Adobe Reader and Acrobat for Tuesday, Oct. 13.

This posting is provided "AS IS" with no warranties and confers no rights.

July 30, 2009

Security Bulletin Posted for Adobe Flash Player

A Security Bulletin has been posted in regards to the Adobe Flash Player issues last mentioned in the Adobe PSIRT blogs on July 28 ("Impact of Microsoft ATL vulnerability on Adobe Products", CVE-2009-0901, CVE-2009-2495, CVE-2009-2493) and July 22 ("Update on Adobe Reader, Acrobat and Flash Player Issue", CVE-2009-1862). Adobe categorizes these as critical issues and recommends affected users patch their installations.

This posting is provided "AS IS" with no warranties and confers no rights.

July 28, 2009

Impact of Microsoft ATL vulnerability on Adobe Products

We evaluated the impact of the vulnerable versions of the Microsoft Active Template Library (ATL) (CVE-2009-0901, CVE-2009-2495, CVE-2009-2493; Microsoft Security Advisory 973882) on the Adobe product portfolio. We determined that Flash Player and Shockwave Player are the two products built with vulnerable versions of ATL. A Security Advisory for Flash Player and a Security Bulletin for Shockwave Player have been posted to our security bulletins and advisories page.

PSIRT has determined that the Adobe Reader browser plug-in for Internet Explorer, Connect Pro, Flash Lite for mobile devices, LiveCycle SAP Forms and other products are NOT vulnerable to CVE-2009-0901, CVE-2009-2495, or CVE-2009-2493.

Note that only the Internet Explorer (ActiveX) plug-ins, which are the components built with ATL, are vulnerable. Thus, people using Flash Player within the Firefox browser, as well as any other Windows-based browser that is not Internet Explorer, are not vulnerable. Additionally, Flash Player and Shockwave Player on Macintosh, Linux and Solaris operating systems are not vulnerable.

Per the Shockwave Player Security Bulletin, this vulnerability has been patched in the latest version of Shockwave Player, which is now available for download (http://get.adobe.com/shockwave). Per the Security Advisory for Flash Player, this vulnerability will be patched in the scheduled July 30, 2009 update of Flash Player.

Users should also consider installing MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate the known attack vectors within Internet Explorer for components and controls, such as Flash Player and Shockwave Player, that were built with vulnerable versions of ATL, as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.

We will continue to provide updates on this issue via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

This posting is provided "AS IS" with no warranties and confers no rights.

July 22, 2009

Update on Adobe Reader, Acrobat and Flash Player Issue

A Security Advisory has been posted in regards to the Adobe Reader, Acrobat and Flash Player issue discussed in the Adobe PSIRT blog on July 21 ("Potential Adobe Reader, Acrobat, and Flash Player issue", CVE-2009-1862). A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.

We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh, and UNIX by July 31, 2009.

Deleting, renaming, or removing access (for example, via file permissions) to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Account Control) to limit the impact of a potential exploit. Flash Player users should exercise caution when browsing untrusted websites. Adobe is in contact with antivirus and security vendors regarding the issue and recommends that users keep their anti-virus definitions up to date.
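
The workaround above, as an added example that is not Adobe's own tooling: a small script that renames authplay.dll out of the way (so the change can be reversed once the patched build is installed), reports which of the documented locations are still reachable, and restores the file afterwards. The two default paths are the Windows locations quoted above; the Macintosh and UNIX locations are not given in the advisory, so they must be passed in explicitly. The `.disabled` suffix, the verdict names and the `demo()` self-check on a constructed fake install tree are this example's own conventions, not Adobe's.

```python
"""Apply, verify and undo the authplay.dll workaround for CVE-2009-1862.

Added example, not Adobe's own tooling. The file is renamed rather than
deleted so the workaround can be reversed once a patched Reader or
Acrobat 9.x build is installed.
"""
import sys
import tempfile
from pathlib import Path

# The two Windows locations quoted in the advisory. Other install
# directories (and the Macintosh/UNIX builds) are not listed there and
# must be supplied by the caller.
DEFAULT_LOCATIONS = [
    Path(r"C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll"),
    Path(r"C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll"),
]
DISABLED_SUFFIX = ".disabled"  # this example's own naming, assumed


def _backup_name(dll: Path) -> Path:
    return dll.with_name(dll.name + DISABLED_SUFFIX)


def status(paths=DEFAULT_LOCATIONS) -> dict:
    """Map each candidate path to 'present', 'mitigated' or 'absent'.

    'present' means the component is still loadable; it says nothing
    about whether the installed build is one the advisory lists.
    """
    report = {}
    for dll in map(Path, paths):
        if dll.is_file():
            report[str(dll)] = "present"
        elif _backup_name(dll).is_file():
            report[str(dll)] = "mitigated"
        else:
            report[str(dll)] = "absent"
    return report


def disable(paths=DEFAULT_LOCATIONS) -> list:
    """Rename every existing authplay.dll aside; return the paths changed.

    Reader/Acrobat then shows the non-exploitable error described in
    the advisory when a PDF carries SWF content, instead of loading
    the vulnerable component. Refuses to clobber an existing backup.
    """
    changed = []
    for dll in map(Path, paths):
        if dll.is_file():
            backup = _backup_name(dll)
            if backup.exists():
                raise FileExistsError(f"backup already present: {backup}")
            dll.rename(backup)
            changed.append(dll)
    return changed


def restore(paths=DEFAULT_LOCATIONS) -> list:
    """Undo disable(); return the paths put back."""
    changed = []
    for dll in map(Path, paths):
        backup = _backup_name(dll)
        if backup.is_file() and not dll.exists():
            backup.rename(dll)
            changed.append(dll)
    return changed


def demo() -> list:
    """Self-check on a constructed fake install tree (not a real Reader)."""
    base = Path(tempfile.mkdtemp())
    reader = base / "Reader 9.0" / "Reader" / "authplay.dll"
    acrobat = base / "Acrobat 9.0" / "Acrobat" / "authplay.dll"  # never created
    reader.parent.mkdir(parents=True)
    reader.write_bytes(b"MZ")  # placeholder bytes, not the real DLL
    paths = [reader, acrobat]
    trace = [status(paths)[str(reader)]]       # 'present'
    disable(paths)
    trace.append(status(paths)[str(reader)])   # 'mitigated'
    restore(paths)
    trace.append(status(paths)[str(reader)])   # 'present' again
    trace.append(status(paths)[str(acrobat)])  # 'absent' throughout
    return trace


if __name__ == "__main__":
    # usage: authplay_workaround.py [status|disable|restore|demo] [extra paths]
    action = sys.argv[1] if len(sys.argv) > 1 else "status"
    paths = DEFAULT_LOCATIONS + [Path(p) for p in sys.argv[2:]]
    if action == "demo":
        print(demo())
    elif action == "disable":
        print("renamed:", disable(paths))
    elif action == "restore":
        print("restored:", restore(paths))
    for path, state in status(paths).items():
        print(f"{state:10s} {path}")
```

Run `disable` from an elevated prompt on each machine (or push it through your management tooling), record the `status` output as evidence of the workaround, and run `restore` only after the patched Reader/Acrobat build from the bulletin has been installed; a `status` that still reports `present` after the patch is applied is expected, since the fixed build ships its own authplay.dll.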

We will continue to provide updates on this issue via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

This posting is provided "AS IS" with no warranties and confers no rights.

July 8, 2009

Security Bulletin - ColdFusion

A Security Bulletin has been posted with instructions to patch the Adobe ColdFusion vulnerability last mentioned in the Adobe PSIRT blog on July 3 (“Potential ColdFusion security issue”, CVE-2009-2265). Adobe is aware of reports that this issue is remotely exploitable and is being exploited in the wild.

This posting is provided “AS IS” with no warranties and confers no rights.

June 23, 2009

Security Bulletin - Adobe Shockwave Player

A Security Bulletin has been posted for Shockwave Player. Adobe is not currently aware of any exploits in the wild for this issue.

This posting is provided "AS IS" with no warranties and confers no rights.

June 16, 2009

Adobe Reader for Unix updates available

We released security updates for Adobe Reader 9.1.2 for Unix and Adobe Reader 8.1.6 for Unix today. Our June 9 Security Bulletin APSB09-07 has been updated to reflect the availability of these updates. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

June 9, 2009

Security Bulletin - Adobe Reader and Acrobat

Today we posted a Security Bulletin and provided Adobe Reader and Acrobat patches to our Product Update area. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts. Today’s updates also address externally reported issues, as detailed in our Security Bulletin. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

May 12, 2009

Security Bulletin - Adobe Reader and Acrobat

Today, we have posted a Security Bulletin and provided Adobe Reader and Acrobat patches to our Product Update area. This update resolves the vulnerabilities from Security Advisory APSA09-02. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

April 30, 2009

Security Bulletin - Flash Media Server

We’ve just posted a Security Bulletin and update for Flash Media Server. The update addresses a potential privilege escalation issue in Flash Media Server.

This posting is provided “AS IS” with no warranties and confers no rights.

March 24, 2009

Adobe Reader for Unix updates available

Today we released the Adobe Reader 9.1 and Adobe Reader 8.1.4 updates for Unix. These updates resolve the JBIG2 vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03. As mentioned previously, there are reports that this issue is being exploited.

In addition, the updates released today, as well as the most recent updates for Windows and Macintosh (Adobe Reader 9.1, 8.1.4, and 7.1.1, and Acrobat 9.1, 8.1.4, and 7.1.1), address four additional, critical JBIG2 security issues. Adobe has worked with the security researchers who reported these additional issues and is disclosing them today, now that updates for all platforms are available. We appreciate the cooperation of these security researchers: Sean Larsson of iDefense Labs, Jonathan Brossard from iViZ Security Research Team, Will Dormann of CERT/CC, and Alin Rad Pop of Secunia Research. We are not aware of any exploits in the wild for any of the additional JBIG2 issues newly disclosed today in Security Bulletin APSB09-04.

This posting is provided “AS IS” with no warranties and confers no rights.

March 18, 2009

Adobe Reader and Acrobat updates for Windows and Macintosh available

Today we released the Acrobat 8.1.4 and 7.1.1 updates and the Adobe Reader 8.1.4 and 7.1.1 updates for Windows and Macintosh. These updates resolve the vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03. There are reports that this issue is being exploited.

In addition, the updates address other critical security issues. The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve a critical issue that has already been addressed in the Adobe Reader 8.1.3 and Acrobat 8.1.3 updates. The Adobe Reader 7.1.1 and Acrobat 7.1.1 updates resolve critical issues previously addressed in Adobe Reader 8.1.3 and 9.0, and Acrobat 8.1.3 and 9.0.

Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24.

This posting is provided “AS IS” with no warranties and confers no rights.

March 10, 2009

Adobe Reader and Acrobat 9.1 update available

Today, we posted the Adobe Reader 9.1 and Acrobat 9.1 update, which resolves the recent JBIG2 security issue (CVE-2009-0658), including the ‘no-click’ variant of the vulnerability. We encourage all Adobe Reader users to download and install the free Adobe Reader 9.1. The Adobe Reader 9.1 update is available here. Acrobat 9 users should refer to the Security Bulletin for download details. We expect updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, to be available by March 18. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25. In the meantime, for Adobe Reader 7 and 8 users who are unable to update to Adobe Reader 9.1, as well as Acrobat 7 and 8 users, more information on immediate protection for this issue from anti-virus and security vendors is available in the post directly below.
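
One concrete form of the interim protection mentioned above for users who cannot yet update, as an added example that is neither Adobe's code nor any anti-virus vendor's signature: a triage scanner that a mail gateway or file server can use to hold back PDFs that invoke the /JBIG2Decode filter until Reader and Acrobat are patched. It flags the code path CVE-2009-0658 lives in, not the exploit itself, so it is a quarantine heuristic rather than a verdict. It also handles two ways a plain byte search would miss the filter: #xx escapes inside the name, and a /Filter value that is an indirect reference or a file that uses object streams, where the name can sit inside compressed data. The fragments in `SAMPLES` are constructed to exercise the scanner and are not valid PDFs or exploit files; the verdict names are this example's own.

```python
"""Triage PDFs for JBIG2 streams while Reader/Acrobat are unpatched.

Added example, not Adobe's or an AV vendor's code. It looks for the
/JBIG2Decode filter name, which selects the decoder affected by
CVE-2009-0658, and says when a byte scan cannot be trusted.
"""
import re

# A PDF name may spell any character as #xx, so /JBIG2Decode can be
# written /JBIG#32Decode or /#4A#42IG2Decode and still mean the same
# thing. Match raw name tokens, decode the escapes, then compare.
_NAME = re.compile(
    rb"/((?:[^\x00\t\n\x0c\r /\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+)")
# /Filter given as an indirect reference ("9 0 R"); the referenced name
# object may live inside a compressed object stream, out of sight.
_FILTER_BY_REF = re.compile(rb"/Filter\s*\d+\s+\d+\s+R\b")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes in a name token (leading '/' already stripped)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def names_in(pdf: bytes) -> set:
    """Every name token in the file, with escapes resolved."""
    return {decode_name(m.group(1)) for m in _NAME.finditer(pdf)}


def triage(pdf: bytes) -> str:
    """Classify one PDF.

    'jbig2'       a /JBIG2Decode filter is visible: hold the file
    'unresolved'  a /Filter value is an indirect reference, or the file
                  uses object streams (/ObjStm), so the filter name may
                  be hidden from a byte scan: hand to a full PDF parser
    'clean'       no JBIG2 filter visible in the plain structure
    """
    names = names_in(pdf)
    if b"JBIG2Decode" in names:
        return "jbig2"
    if b"ObjStm" in names or _FILTER_BY_REF.search(pdf):
        return "unresolved"
    return "clean"


# Constructed fragments: enough structure to exercise the scanner,
# not valid PDFs and not exploit files.
SAMPLES = {
    "plain":   b"%PDF-1.4\n4 0 obj\n<< /Type /XObject /Subtype /Image"
               b" /Filter /JBIG2Decode /Length 10 >>\nstream\n",
    "escaped": b"%PDF-1.4\n4 0 obj\n<< /Filter /JBIG#32De#63ode >>\nstream\n",
    "by_ref":  b"%PDF-1.5\n4 0 obj\n<< /Filter 9 0 R /Length 10 >>\nstream\n",
    "objstm":  b"%PDF-1.5\n7 0 obj\n<< /Type /ObjStm /N 3 /First 20 >>\nstream\n",
    "flate":   b"%PDF-1.4\n4 0 obj\n<< /Filter /FlateDecode /Length 10 >>\nstream\n",
}


def triage_samples() -> dict:
    """Verdict for each constructed sample, keyed by its label."""
    return {label: triage(data) for label, data in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # real files on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(f"{triage(fh.read()):11s} {path}")
    else:
        for label, verdict in triage_samples().items():
            print(f"{verdict:11s} {label}")
```

Treat `unresolved` as a hold as well unless a real PDF parser downstream can resolve the reference, and expect the `jbig2` verdict to fire on legitimate scanned documents too: JBIG2 is a normal bilevel-image codec, so this is a temporary gate to lift once the 9.1 (and later the 7 and 8) updates are deployed, not a permanent filter.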

This posting is provided “AS IS” with no warranties and confers no rights.

February 24, 2009

Security Bulletins – Flash Player and RoboHelp

We have just published a Security Bulletin and corresponding updates for Flash Player, and a Security Bulletin and updates for RoboHelp. The RoboHelp Security Bulletin addresses two issues; one of them only affects RoboHelp Server installations.

This posting is provided “AS IS” with no warranties and confers no rights.

February 19, 2009

Adobe Reader and Acrobat issue

We are aware of reports of a zero-day exploit in Adobe Reader and Acrobat and have posted the following Security Advisory. Adobe Reader 9 and Acrobat 9 are vulnerable to this issue, as well as Adobe Reader and Acrobat 8.1.3 and earlier versions. We are in the process of fixing the issue, and we expect to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers.

December 17, 2008

Security Bulletin - Flash Player for Linux

We’ve just posted Security Bulletin APSB08-24 for Flash Player for Linux, along with a new version of Flash Player for Linux, v10.0.15.3 (Linux users who cannot update to Flash Player 10 should instead get Flash Player for Linux 9.0.152.0). The issue described in this Security Bulletin does not affect the Macintosh or Windows versions of Flash Player. The AIR for Linux 1.5 version, released today, is not affected by this issue, but users with the AIR for Linux 1.1 Beta installed should be sure to install AIR for Linux 1.5.

November 17, 2008

Security Bulletins – Flash Player, AIR, and Flash Media Server

Today’s Flash Player Security Bulletin discloses several new potential vulnerabilities, but please note that there is no new corresponding Flash Player update since the previous Security Bulletin. Adobe waited until an update to Adobe AIR, which embeds Flash Player, was available before disclosing this particular set of issues because the vulnerabilities in today's Security Bulletin APSB08-22 have more potential impact for the AIR product than the previously disclosed Flash Player issues from Security Bulletins APSB08-18 and APSB08-20. If you haven’t already, please update to Flash Player 10.0.12.36 (or Flash Player 9.0.151.0).

There is also an AIR Security Bulletin today, which includes an update to resolve an AIR-specific security issue and the aforementioned Flash Player issues. We recommend everyone update to Adobe AIR 1.5.

Finally, we have published a new Security Advisory for Flash Media Server customers. Adobe recommends Flash Media Server customers enable SWF verification to avoid potential video stream capturing by third-party software.

This posting is provided “AS IS” with no warranties and confers no rights.

November 5, 2008

Security Bulletins - Flash Player 9 and ColdFusion

Today we posted two Security Bulletins, APSB08-20 for Flash Player 9 and APSB08-21 for ColdFusion. With regard to the Flash Player bulletin, no action is required by customers who have already updated to Flash Player 10.0.12.36, the latest version, which is available at www.adobe.com/go/getflashplayer. The Flash Player 9.0.151.0 update we released today addresses issues previously reported in Security Bulletin APSB08-18 (posted on October 15), as well as other issues which we did not want to disclose until fixes were available in the Flash Player 9 update released today. If you can’t update to Flash Player 10, follow the instructions in APSB08-20 to update your version of Flash Player 9.

The ColdFusion hotfix included in Security Bulletin APSB08-21 resolves a potential privilege escalation issue that is particularly applicable to ColdFusion servers in a shared hosting environment.

This posting is provided “AS IS” with no warranties and confers no rights.

November 4, 2008

Security Bulletin – Adobe Reader 8 and Acrobat 8

We have posted a Security Bulletin for Adobe Reader 8 and Acrobat 8, covering a number of issues. These issues do not apply to Adobe Reader 9 or Acrobat 9, so no action is required for customers who already have Adobe Reader 9 or Acrobat 9 installed.

Note: there are now reports that one of these issues, CVE-2008-2992, is being exploited in the wild. Again, we strongly urge everyone to follow the instructions in the Security Bulletin and update their software.

This posting is provided “AS IS” with no warranties and confers no rights.

October 29, 2008

Security Advisory - PageMaker 7

Today we released a Security Advisory for PageMaker 7. A corresponding update that resolves two of the three issues acknowledged in the Advisory has also been released. We are continuing to investigate a potential solution for the third issue. In the meantime, we’re advising customers to avoid opening PageMaker files from untrusted or unknown sources.

This posting is provided “AS IS” with no warranties and confers no rights.

October 15, 2008

Security Bulletin for Flash Player and Security Advisory for Flash Professional CS3

The big news today is that CS4 has launched, along with Flash Player 10. We have released a Security Bulletin to correspond with the Flash Player 10 release. Flash Player 10 addresses Flash Player-specific aspects of the overall clickjacking issue that has been making news recently, and also includes a mitigation for recent clipboard attacks as well as other security enhancements. For customers who cannot upgrade to Flash Player 10, a Flash Player 9 update is currently scheduled for early November. We’ve also posted a Security Advisory for Flash Professional CS3, informing customers of potential issues with malformed SWF files. Note that Flash CS4, and Flash Player, are not vulnerable to these issues.

We’d like to thank Robert Hansen and Jeremiah Grossman once again for their help, and extend special thanks to Liu Die Yu of TopsecTianRongXin for working with us on the clickjacking issue.

August 8, 2008

Security Bulletin - Presenter

We have just released a Security Bulletin and update for Presenter to resolve potential cross-site scripting issues in content generated by Presenter. In addition to updating Presenter installations, customers may need to update any content previously deployed on their websites. Presenter 7 customers can update any deployed instances of viewer.swf and loadflash.js with the new files installed with the update. Presenter 6 customers will need to be more careful, as the new viewer.swf file may be incompatible with Presenter 6 content – so content may need to be re-generated.

This posting is provided “AS IS” with no warranties and confers no rights.

July 8, 2008

Security Bulletin - RoboHelp Server

Our Security Bulletin release today is for RoboHelp Server (versions 6 and 7), along with an update to resolve a cross-site scripting issue. The issue does not affect the RoboHelp desktop versions, just the RoboHelp Server product. Please see the Bulletin for more information.

This posting is provided “AS IS” with no warranties and confers no rights.

June 23, 2008

Security Bulletin - Reader and Acrobat

We’ve just released a Security Bulletin for Reader and Acrobat 8.1.2, along with an update to resolve a critical issue. This issue does not affect Reader 7.1.0 or Acrobat 7.1.0, or the upcoming Acrobat 9 and Reader 9 releases (expected to be available by July). All customers with Reader 8.1.2 and Acrobat 8.1.2 are strongly encouraged to update to Reader or Acrobat 8.1.2 Security Update 1. Acrobat 7 and Reader 7 users should update to Acrobat 7.1.0 or Reader 7.1.0 if they haven't already.

This posting is provided “AS IS” with no warranties and confers no rights.

June 17, 2008

Security Bulletin – June 2008

We’ve just released a Security Bulletin for Flex 3 along with an update to resolve a cross-site scripting issue. The issue affects History Management in the Flex 3 SDK and Flex Builder 3. Please note that developers who use History Management will need to update their product installations as well as any already-deployed applications built with Flex 3. As noted in the bulletin, Flex 2 and Flex 2 content are not affected.

This posting is provided “AS IS” with no warranties and confers no rights.

April 8, 2008

Security Bulletins - April 2008

We’ve just released two security bulletins – first and foremost, there’s a Flash Player update announced in APSB08-11 that provides solutions for previously disclosed vulnerabilities (including the PWN2OWN Contest issue reported by Shane Macaulay) in Flash Player version 9.0.115.0 and earlier, and 8.0.39.0 and earlier. This is the update we’ve referred to in a couple of earlier posts. These potential vulnerabilities could allow someone who successfully exploits them to take control of the affected system, so we recommend users update to the latest version of Flash Player (ideally 9.0.124.0) available for their operating system by downloading it from the Player Download Center.

There are also security enhancements that provide further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007). Per our previous guidance about these potential issues, it’s recommended that content developers review this Adobe Developer Center article to determine if the security enhancements may affect their content, and begin implementing any necessary changes.

We’d like to thank all the researchers who reported the issues covered by this update – all the details are in the ‘Acknowledgments’ section, but we’d like to emphasize that we really appreciate the cooperation and help.

We also released a Security Bulletin for ColdFusion, APSB08-12 that resolves a pretty basic bug in the remoting-config.xml file that controls the access level to CFC methods for Flex 2 Remoting.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

April 2, 2008

CanSecWest 2008 Pwn2Own Contest

On Friday, March 28, 2008, during the CanSecWest 2008 security conference, Shane Macaulay of Security Objectives uncovered a potential security issue with Flash Player. The Adobe Product Security Incident Response Team (PSIRT) received information regarding the exploit from TippingPoint, who sponsored the contest, on Friday evening. After some internal investigation, we found that we were already aware of the issue through our ongoing response and security testing process, and had already fixed it for the next Flash Player security update, coming later this month.

What should I do as a customer?

We have fixed the issue and it will be in our next update, coming later this month. Adobe is not aware of any active exploits in the wild. The security researchers reported the information to us responsibly, giving the Flash Player team time to investigate and deliver a patch to you. We will provide more information as it becomes available.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

March 11, 2008

Security Bulletins - March 11, 2008

It’s been a busy day around here. We’ve released 5 Security Bulletins today, as follows:

- APSB08-06 - Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue
This one is specific to IIS6 installations of ColdFusion.

- APSB08-07 - Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue
This issue only affects CF apps where the Application.cfm or Application.cfc contains the setEncoding function.

- APSB08-08 - Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts
We’ve added functionality with this update to record failed admin log-in attempts in application.log.

- APSB08-09 - Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0 Components
These issues are in ActiveX controls shipped with Form Designer and Form Client 5.0

- APSB08-10 - Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue
We’re asking LiveCycle Workflow 6.2 customers to contact their support rep to get this update.

And this Security Advisory:
- APSA08-01 - Privilege escalation issue in Adobe Reader 8.1.2 for Unix
We published this advisory in response to a recent SUSE update for this relatively minor issue.

This posting is provided “AS IS” with no warranties and confers no rights.