
August 08, 2008

Security Bulletin - Presenter

We have just released a Security Bulletin and update for Presenter to resolve potential cross-site scripting issues in content generated by Presenter. In addition to updating Presenter installations, customers may need to update any content previously deployed on their websites. Presenter 7 customers can update any deployed instances of viewer.swf and loadflash.js with the new files installed with the update. Presenter 6 customers will need to be more careful, as the new viewer.swf file may be incompatible with Presenter 6 content – so content may need to be re-generated.

This posting is provided “AS IS” with no warranties and confers no rights

July 08, 2008

Security Bulletin - RoboHelp Server

Our Security Bulletin release today is for RoboHelp Server (versions 6 and 7), along with an update to resolve a cross-site scripting issue. The issue does not affect the RoboHelp desktop versions, just the RoboHelp Server product. Please see the Bulletin for more information.


June 23, 2008

Security Bulletin - Reader and Acrobat

We’ve just released a Security Bulletin for Reader and Acrobat 8.1.2, along with an update to resolve a critical issue. This issue does not affect Reader 7.1.0 or Acrobat 7.1.0, or the upcoming Acrobat 9 and Reader 9 releases (expected to be available by July). All customers with Reader 8.1.2 and Acrobat 8.1.2 are strongly encouraged to update to Reader or Acrobat 8.1.2 Security Update 1. Acrobat 7 and Reader 7 users should update to Acrobat 7.1.0 or Reader 7.1.0 if they haven't already.


June 17, 2008

Security Bulletin – June 2008

We’ve just released a Security Bulletin for Flex 3 along with an update to resolve a cross-site scripting issue. This bulletin affects History Management in Flex 3 SDK and Flex Builder 3. Please note that developers who use History Management will need to update their product installations as well as any already-deployed applications built with Flex 3. As noted in the bulletin, Flex 2 and Flex 2 content are not affected.


April 08, 2008

Security Bulletins - April 2008

We’ve just released two security bulletins – first and foremost, there’s a Flash Player update announced in APSB08-11 that provides solutions for previously disclosed vulnerabilities (including the PWN2OWN Contest issue reported by Shane Macaulay) in Flash Player version 9.0.115.0 and earlier, and 8.0.39.0 and earlier. This is the update we’ve referred to in a couple of earlier posts. These potential vulnerabilities could allow someone who successfully exploits them to take control of the affected system, so we recommend users update to the latest version of Flash Player (ideally 9.0.124.0) available for their operating system by downloading it from the Player Download Center.

There are also security enhancements that provide further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007). Per our previous guidance about these potential issues, it’s recommended that content developers review this Adobe Developer Center article to determine if the security enhancements may affect their content, and begin implementing any necessary changes.

We’d like to thank all the researchers who reported the issues covered by this update – all the details are in the ‘Acknowledgments’ section, but we’d like to emphasize that we really appreciate the cooperation and help.

We also released a Security Bulletin for ColdFusion, APSB08-12, which resolves a pretty basic bug in the remoting-config.xml file that controls the access level to CFC methods for Flex 2 Remoting.


April 02, 2008

CanSecWest 2008 Pwn2Own Contest

On Friday, March 28, 2008, during the CanSecWest 2008 security conference, Shane Macaulay of Security Objectives uncovered a potential security issue with Flash Player. Adobe Product Incident Response Team (PSIRT) received information regarding the exploit from TippingPoint, who sponsored the contest, on Friday evening. After some internal investigation, we found that, through our ongoing response and security testing process, we were aware of the issue and had fixed it for the security update coming in the next Flash Player release later this month.

What should I do as a customer?

We have fixed the issue, and the fix will be in our next update coming later this month. Adobe is not aware of any active exploits in the wild. The security researchers have reported the information to us responsibly, giving the Flash Player team time to investigate and deliver a patch to you. We will provide more information as it becomes available.


March 11, 2008

Security Bulletins - March 11, 2008

It’s been a busy day around here. We’ve released 5 Security Bulletins today, as follows:

- APSB08-06 - Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue
This one is specific to IIS6 installations of ColdFusion.

- APSB08-07 - Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue
This issue only affects CF apps where the Application.cfm or Application.cfc contains the setEncoding function.

- APSB08-08 - Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts
We’ve added functionality with this update to record failed admin log-in attempts in application.log.

- APSB08-09 - Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0 Components
These issues are in ActiveX controls shipped with Form Designer and Form Client 5.0.

- APSB08-10 - Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue
We’re asking LiveCycle Workflow 6.2 customers to contact their support rep to get this update.

And this Security Advisory:
- APSA08-01 - Privilege escalation issue in Adobe Reader 8.1.2 for Unix
We published this advisory in response to a recent SUSE update for this relatively minor issue.
