June 23, 2009

Security Bulletin - Adobe Shockwave Player

A Security Bulletin has been posted for Shockwave Player. Adobe is not currently aware of any exploits in the wild for this issue.

This posting is provided "AS IS" with no warranties and confers no rights.

June 16, 2009

Adobe Reader for Unix updates available

We released security updates for Adobe Reader 9.1.2 for Unix and Adobe Reader 8.1.6 for Unix today. Our June 9 Security Bulletin APSB09-07 has been updated to reflect the availability of these updates. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

June 9, 2009

Security Bulletin - Adobe Reader and Acrobat

Today we posted a Security Bulletin and provided Adobe Reader and Acrobat patches to our Product Update area. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts. Today’s updates also address externally reported issues, as detailed in our Security Bulletin. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

May 12, 2009

Security Bulletin - Adobe Reader and Acrobat

Today, we have posted a Security Bulletin and provided Adobe Reader and Acrobat patches to our Product Update area. This update resolves the vulnerabilities from Security Advisory APSA09-02. Adobe is not currently aware of any exploits in the wild for these issues.

This posting is provided “AS IS” with no warranties and confers no rights.

April 30, 2009

Security Bulletin - Flash Media Server

We’ve just posted a Security Bulletin and update for Flash Media Server. The update addresses a potential privilege escalation issue in Flash Media Server.

This posting is provided “AS IS” with no warranties and confers no rights.

March 24, 2009

Adobe Reader for Unix updates available

Today, we have released the Adobe Reader 9.1 for Unix, and Adobe Reader 8.1.4 for Unix updates. These updates resolve the JBIG2 vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03. As mentioned previously, there are reports that this issue is being exploited.

In addition, the updates released today, as well as the most recent updates for Windows and Macintosh - Adobe Reader 9.1, 8.1.4, and 7.1.1, and Acrobat 9.1, 8.1.4, and 7.1.1 - address four additional, critical JBIG2 security issues. Adobe has worked with the security researchers who reported these additional issues and is communicating about them today, now that updates for all platforms are available. We appreciate the cooperation of these security researchers - Sean Larsson of iDefense Labs, Jonathan Brossard from iViZ Security Research Team, Will Dormann of CERT/CC, and Alin Rad Pop of Secunia Research. We are not aware of any exploits in the wild for any of the additional JBIG2 issues newly disclosed today in Security Bulletin APSB09-04.

This posting is provided “AS IS” with no warranties and confers no rights.

March 18, 2009

Adobe Reader and Acrobat updates for Windows and Macintosh available

Today, we have released the Acrobat 8.1.4 and 7.1.1, and Adobe Reader 8.1.4 and 7.1.1, updates for Windows and Macintosh. These updates resolve the vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03. There are reports that this issue is being exploited.

In addition, the updates address other critical security issues. The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve a critical issue that has already been addressed in the Adobe Reader 8.1.3 and Acrobat 8.1.3 updates. The Adobe Reader 7.1.1 and Acrobat 7.1.1 updates resolve critical issues previously addressed in Adobe Reader 8.1.3 and 9.0, and Acrobat 8.1.3 and 9.0.

Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24.

This posting is provided “AS IS” with no warranties and confers no rights.

March 10, 2009

Adobe Reader and Acrobat 9.1 update available

Today, we posted the Adobe Reader 9.1 and Acrobat 9.1 update, which resolves the recent JBIG2 security issue (CVE-2009-0658), including the ‘no-click’ variant of the vulnerability. We encourage all Adobe Reader users to download and install the free Adobe Reader 9.1. The Adobe Reader 9.1 update is available here. Acrobat 9 users should refer to the Security Bulletin for download details. We expect updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, to be available by March 18. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25. In the meantime, for Adobe Reader 7 and 8 users who are unable to update to Adobe Reader 9.1, as well as Acrobat 7 and 8 users, more information on immediate protection for this issue from anti-virus and security vendors is available in the post directly below.

This posting is provided “AS IS” with no warranties and confers no rights.

February 24, 2009

Security Bulletins – Flash Player and RoboHelp

We have just published a Security Bulletin and corresponding updates for Flash Player, and a Security Bulletin and updates for RoboHelp. The RoboHelp Security Bulletin addresses two issues; one of them only affects RoboHelp Server installations.

This posting is provided “AS IS” with no warranties and confers no rights.

February 19, 2009

Adobe Reader and Acrobat issue

We are aware of reports of a zero-day exploit in Adobe Reader and Acrobat and have posted the following Security Advisory. Adobe Reader 9 and Acrobat 9 are vulnerable to this issue, as well as Adobe Reader and Acrobat 8.1.3 and earlier versions. We are in the process of fixing the issue, and we expect to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers.

December 17, 2008

Security Bulletin - Flash Player for Linux

We’ve just posted a security bulletin about Flash Player for Linux, Security Bulletin APSB08-24, along with a new version of the latest Linux Flash Player, Flash Player for Linux v. 10.0.15.3 (Linux users who cannot update to Flash Player 10 for Linux should get Flash Player for Linux 9.0.152.0 instead). The issue described in this Security Bulletin does not affect the Macintosh or Windows versions of Flash Player. The AIR for Linux 1.5 version, released today, is not affected by this issue, but users with the AIR for Linux 1.1 Beta installed should be sure to install AIR for Linux 1.5.

November 17, 2008

Security Bulletins – Flash Player, AIR, and Flash Media Server

Today’s Flash Player Security Bulletin discloses several new potential vulnerabilities, but please note that there is no new corresponding Flash Player update since the previous Security Bulletin. Adobe waited until an update to Adobe AIR, which embeds Flash Player, was available before disclosing this particular set of issues because the vulnerabilities in today's Security Bulletin APSB08-22 have more potential impact for the AIR product than the previously disclosed Flash Player issues from Security Bulletins APSB08-18 and APSB08-20. If you haven’t already, please update to Flash Player 10.0.12.36 (or Flash Player 9.0.151.0).

There is also an AIR Security Bulletin today, which includes an update to resolve an AIR-specific security issue and the aforementioned Flash Player issues. We recommend everyone update to Adobe AIR 1.5.

Finally, we have published a new Security Advisory for Flash Media Server customers. Adobe recommends Flash Media Server customers enable SWF verification to avoid potential video stream capturing by third-party software.

This posting is provided “AS IS” with no warranties and confers no rights.

November 5, 2008

Security Bulletins - Flash Player 9 and ColdFusion

Today we posted two Security Bulletins, APSB08-20 for Flash Player 9 and APSB08-21 for ColdFusion. With regard to the Flash Player bulletin, no action is required by customers who have already updated to Flash Player 10.0.12.36, the latest version, which is now available at www.adobe.com/go/getflashplayer. The Flash Player 9.0.151.0 update we released today addresses issues previously reported in Security Bulletin APSB08-18 (posted on October 15), as well as other issues which we did not want to disclose until fixes were available in the Flash Player 9 update available today. If you can’t update to Flash Player 10, follow the instructions in APSB08-20 to update your version of Flash Player 9.

The ColdFusion hotfix included in Security Bulletin APSB08-21 resolves a potential privilege escalation issue that is particularly applicable to ColdFusion servers in a shared hosting environment.

This posting is provided “AS IS” with no warranties and confers no rights.

November 4, 2008

Security Bulletin – Adobe Reader 8 and Acrobat 8

We have posted a Security Bulletin for Adobe Reader 8 and Acrobat 8, covering a number of issues. These issues do not apply to Adobe Reader 9 or Acrobat 9, so no action is required for customers who already have Adobe Reader 9 or Acrobat 9 installed.

Note: there are now reports that one of these issues, CVE-2008-2992, is being exploited in the wild. Again, we strongly urge everyone to follow the instructions in the Security Bulletin and update their software.

This posting is provided “AS IS” with no warranties and confers no rights.

October 29, 2008

Security Advisory - PageMaker 7

Today we released a Security Advisory for PageMaker 7. A corresponding update that resolves two of the three issues acknowledged in the Advisory has also been released. We are continuing to investigate a potential solution for the third issue. In the meantime, we’re advising customers to avoid opening PageMaker files from untrusted or unknown sources.

This posting is provided “AS IS” with no warranties and confers no rights.

October 15, 2008

Security Bulletin for Flash Player and Security Advisory for Flash Professional CS3

The big news today is that CS4 has launched, along with Flash Player 10. We have released a Security Bulletin to correspond with the Flash Player 10 release. Flash Player 10 addresses Flash Player-specific aspects of the overall clickjacking issue that has been making news recently, and also includes a mitigation for recent clipboard attacks as well as other security enhancements. For customers who cannot upgrade to Flash Player 10, a Flash Player 9 update is currently scheduled for early November. We’ve also posted a Security Advisory for Flash Professional CS3, informing customers of potential issues with malformed SWF files. Note that Flash CS4, and Flash Player, are not vulnerable to these issues.

We’d like to thank Robert Hansen and Jeremiah Grossman once again for their help, and extend special thanks to Liu Die Yu of TopsecTianRongXin for working with us on the clickjacking issue.

August 8, 2008

Security Bulletin - Presenter

We have just released a Security Bulletin and update for Presenter to resolve potential cross-site scripting issues in content generated by Presenter. In addition to updating Presenter installations, customers may need to update any content previously deployed on their websites. Presenter 7 customers can update any deployed instances of viewer.swf and loadflash.js with the new files installed with the update. Presenter 6 customers will need to be more careful, as the new viewer.swf file may be incompatible with Presenter 6 content – so content may need to be re-generated.

This posting is provided “AS IS” with no warranties and confers no rights.

July 8, 2008

Security Bulletin - RoboHelp Server

Our Security Bulletin release today is for RoboHelp Server (versions 6 and 7), along with an update to resolve a cross-site scripting issue. The issue does not affect the RoboHelp desktop versions, just the RoboHelp Server product. Please see the Bulletin for more information.

This posting is provided “AS IS” with no warranties and confers no rights.

June 23, 2008

Security Bulletin - Reader and Acrobat

We’ve just released a Security Bulletin for Reader and Acrobat 8.1.2, along with an update to resolve a critical issue. This issue does not affect Reader 7.1.0 or Acrobat 7.1.0, or the upcoming Acrobat 9 and Reader 9 releases (expected to be available by July). All customers with Reader 8.1.2 and Acrobat 8.1.2 are strongly encouraged to update to Reader or Acrobat 8.1.2 Security Update 1. Acrobat 7 and Reader 7 users should update to Acrobat 7.1.0 or Reader 7.1.0 if they haven't already.

This posting is provided “AS IS” with no warranties and confers no rights.

June 17, 2008

Security Bulletin – June 2008

We’ve just released a Security Bulletin for Flex 3 along with an update to resolve a cross-site scripting issue. This bulletin affects History Management in Flex 3 SDK and Flex Builder 3. Please note that developers who use History Management will need to update their product installations as well as any already-deployed applications built with Flex 3. As noted in the bulletin, Flex 2 and Flex 2 content are not affected.

This posting is provided “AS IS” with no warranties and confers no rights.

April 8, 2008

Security Bulletins - April 2008

We’ve just released two security bulletins – first and foremost, there’s a Flash Player update announced in APSB08-11 that provides solutions for previously disclosed vulnerabilities (including the PWN2OWN Contest issue reported by Shane Macaulay) in Flash Player version 9.0.115.0 and earlier, and 8.0.39.0 and earlier. This is the update we’ve referred to in a couple of earlier posts. These potential vulnerabilities could allow someone who successfully exploits them to take control of the affected system, so we recommend users update to the latest version of Flash Player (ideally 9.0.124.0) available for their operating system by downloading it from the Player Download Center.

There are also security enhancements that provide further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007). Per our previous guidance about these potential issues, it’s recommended that content developers review this Adobe Developer Center article to determine if the security enhancements may affect their content, and begin implementing any necessary changes.
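The cross-domain policy file mentioned above is the crossdomain.xml document Flash Player fetches before letting a SWF from another origin read a site's responses, and the most common way sites get burned is an overly permissive policy rather than a player bug. The checker below is an added example written for this page, not Adobe's code or the Developer Center article; the two sample policies are constructed here to show the weak settings (wildcard domain, `secure="false"` on an HTTPS site, wildcard header forwarding, `permitted-cross-domain-policies="all"`) beside a restricted form. It uses only the standard crossdomain.xml element and attribute names.

```python
"""Checker for overly permissive Flash cross-domain policy files.

Added example, not Adobe's code. Parses a crossdomain.xml document and
flags the settings that most often turn a policy into a cross-origin
data-exposure problem for the site that serves it.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a policy that lets any SWF on the internet read
# this site's (possibly authenticated) responses.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: the corrected form, limited to named origins and to
# master-policy-only handling. The subdomain wildcard is still reported
# (low severity) so a reviewer consciously accepts it.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.partner.example"/>
  <allow-http-request-headers-from domain="www.example.com" headers="X-Custom-Header"/>
</cross-domain-policy>
"""


def check_policy(xml_text, served_over_https=True):
    """Return a list of (severity, message) findings for one policy document.

    served_over_https: set False for a policy served only over plain HTTP,
    where the secure="false" check is irrelevant.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]

    # Meta-policy: "all" means any file on the host may act as a policy,
    # so a user upload containing policy XML can widen access.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append(("medium",
                             "site-control permits any policy file on this host, not just the master"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high",
                             'allow-access-from domain="*" lets any SWF read this site\'s responses'))
        elif domain.startswith("*."):
            findings.append(("low", f"allow-access-from uses a subdomain wildcard: {domain}"))
        # secure defaults to true for HTTPS policies; "false" lets http:// SWFs in.
        if served_over_https and rule.get("secure", "true").lower() == "false":
            findings.append(("high",
                             f'secure="false" lets http:// SWFs access this https:// site ({domain})'))

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append(("high", "any origin may send arbitrary request headers to this site"))

    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity ('none' if empty)."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((sev for sev, _ in findings), key=order.get, default="none")


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        result = check_policy(policy)
        print(f"{name}: worst={worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run it against your own crossdomain.xml (and any policy files reachable under the paths a `site-control` of `all` would honour); a `high` finding on a site that serves authenticated content is the case the bulletins above warn about.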

We’d like to thank all the researchers who reported the issues covered by this update – all the details are in the ‘Acknowledgments’ section, but we’d like to emphasize that we really appreciate the cooperation and help.

We also released a Security Bulletin for ColdFusion, APSB08-12 that resolves a pretty basic bug in the remoting-config.xml file that controls the access level to CFC methods for Flex 2 Remoting.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

April 2, 2008

CanSecWest 2008 Pwn2Own Contest

On Friday March 28, 2008, during the CanSecWest 2008 security conference, Shane Macaulay of Security Objectives uncovered a potential security issue with Flash Player. The Adobe Product Security Incident Response Team (PSIRT) received information regarding the exploit from TippingPoint, who sponsored the contest, on Friday evening. After some internal investigation, we found that, via our ongoing response and security testing process, we were already aware of the issue and had fixed it for the security update coming in the next Flash Player update later this month.

What should I do as a customer?

We have fixed the issue and it will be in our next update coming later this month. Adobe is not aware of any active exploits in the wild. The security researchers have reported the information to us responsibly, giving the Flash Player team time to investigate and deliver a patch to you. We will provide more information as it becomes available.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

March 11, 2008

Security Bulletins - March 11, 2008

It’s been a busy day around here. We’ve released 5 Security Bulletins today, as follows:

- APSB08-06 - Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue
  This one is specific to IIS6 installations of ColdFusion.

- APSB08-07 - Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue
  This issue only affects CF apps where the Application.cfm or Application.cfc contains the setEncoding function.

- APSB08-08 - Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts
  We’ve added functionality with this update to record failed admin log-in attempts in application.log.

- APSB08-09 - Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0 Components
  These issues are in ActiveX controls shipped with Form Designer and Form Client 5.0.

- APSB08-10 - Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue
  We’re asking LiveCycle Workflow 6.2 customers to contact their support rep to get this update.

And this Security Advisory:

- APSA08-01 - Privilege escalation issue in Adobe Reader 8.1.2 for Unix
  We published this advisory in response to a recent SUSE update for this relatively minor issue.

This posting is provided “AS IS” with no warranties and confers no rights.