Posts tagged "ColdFusion"

Security Bulletins – Flash Player 9 and ColdFusion

Today we posted two Security Bulletins, APSB08-20 for Flash Player 9 and APSB08-21 for ColdFusion. With regards to the Flash Player bulletin, no action is required by customers who have already updated to Flash Player 10.0.12.36, the latest version, which is now available at www.adobe.com/go/getflashplayer. The Flash Player 9.0.151.0 update we released today addresses issues previously reported in Security Bulletin APSB08-18 (posted on October 15), as well as other issues which we did not want to disclose until fixes were available in the Flash Player 9 update available today. If you can’t update to Flash Player 10, follow the instructions in APSB08-20 to update your version of Flash Player 9.
The ColdFusion hotfix included in Security Bulletin APSB08-21 resolves a potential privilege escalation issue that is particularly applicable to ColdFusion servers in a shared hosting environment.
This posting is provided “AS IS” with no warranties and confers no rights.

Security Bulletins – May 2008

We have just released an important update for Acrobat 7 and Adobe Reader 7 users, which resolves the issues previously mentioned in Security Advisory APSA08-01. If you have already updated to Reader 8.1.2 or Acrobat 8.1.2, you are all set. But, if you are using Acrobat 7, or if you are using Adobe Reader 7 and can’t update to Reader 8, please review Security Bulletin APSB08-13 and update your installations accordingly. As previously mentioned, we have heard reports of one of the issues being exploited in the wild, so please update if you haven’t already.
Also note that we released Security Advisory APSA08-05 for After Effects CS3 today, in response to a public posting of a BMP-handling vulnerability in After Effects. As mentioned in the advisory, it’s not a common workflow to use BMP files within After Effects, and most files used in the After Effects workflow come from trusted sources. That said, as always, we advise customers to exercise caution when receiving and opening files from untrusted sources.

This posting is provided “AS IS” with no warranties and confers no rights.

Security Bulletins – April 2008

We’ve just released two security bulletins – first and foremost, there’s a Flash Player update announced in APSB08-11 that provides solutions for previously disclosed vulnerabilities (including the PWN2OWN Contest issue reported by Shane Macaulay) in Flash Player version 9.0.115.0 and earlier, and 8.0.39.0 and earlier. This is the update we’ve referred to in a couple of earlier posts. These potential vulnerabilities could allow someone who successfully exploits them to take control of the affected system, so we recommend users update to the latest version of Flash Player (ideally 9.0.124.0) available for their operating system by downloading it from the Player Download Center.
There are also security enhancements that provide further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007). Per our previous guidance about these potential issues, it’s recommended that content developers review this Adobe Developer Center article to determine if the security enhancements may affect their content, and begin implementing any necessary changes.
We’d like to thank all the researchers who reported the issues covered by this update – all the details are in the ‘Acknowledgments’ section, but we’d like to emphasize that we really appreciate the cooperation and help.
We also released a Security Bulletin for ColdFusion, APSB08-12, which resolves a pretty basic bug in the remoting-config.xml file that controls the access level to CFC methods for Flex 2 Remoting.
This posting is provided “AS IS” with no warranties, and confers no rights.

Security Bulletins – March 11, 2008

It’s been a busy day around here. We’ve released 5 Security Bulletins today, as follows:
- APSB08-06 – Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue
  This one is specific to IIS6 installations of ColdFusion.
- APSB08-07 – Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue
  This issue only affects CF apps where the Application.cfm or Application.cfc contains the setEncoding function.
- APSB08-08 – Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts
  We’ve added functionality with this update to record failed admin log-in attempts in application.log.
- APSB08-09 – Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0 Components
  These issues are in ActiveX controls shipped with Form Designer and Form Client 5.0.
- APSB08-10 – Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue
  We’re asking LiveCycle Workflow 6.2 customers to contact their support rep to get this update.
And this Security Advisory:
- APSA08-01 – Privilege escalation issue in Adobe Reader 8.1.2 for Unix
  We published this advisory in response to a recent SUSE update for this relatively minor issue.
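The APSB08-08 note above says failed administrator log-ins are now written to application.log but does not say what to do with them. The following is an added example, not code from Adobe or from the bulletin, showing how a defender could turn that log into an alert: it parses the log and flags any source address that exceeds a threshold of failures within a sliding time window. The comma-separated line layout and the "Failed login attempt to administrator from <address>" message text are assumptions for the sake of the example, not the real ColdFusion log format; the sample lines are constructed.

```python
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an ASSUMED layout (severity, thread, date, time, app, message).
# This is not the actual ColdFusion application.log format; adjust the parser for real data.
SAMPLE_LOG = """\
"Information","jrpp-1","03/11/08","09:14:02",,"Application server started."
"Error","jrpp-3","03/11/08","09:15:10",,"Failed login attempt to administrator from 10.0.0.5"
"Error","jrpp-3","03/11/08","09:15:12",,"Failed login attempt to administrator from 10.0.0.5"
"Error","jrpp-4","03/11/08","09:15:15",,"Failed login attempt to administrator from 10.0.0.5"
"Error","jrpp-2","03/11/08","09:15:40",,"Failed login attempt to administrator from 192.168.1.20"
"Error","jrpp-3","03/11/08","09:16:01",,"Failed login attempt to administrator from 10.0.0.5"
"Error","jrpp-3","03/11/08","09:16:05",,"Failed login attempt to administrator from 10.0.0.5"
"Information","jrpp-1","03/11/08","09:20:00",,"Scheduled task ran."
"""

# Assumed message pattern for a failed admin log-in; the source address is captured.
FAILED_RE = re.compile(r"Failed login attempt to administrator from (\S+)")


def parse_failed_logins(log_text):
    """Return a time-sorted list of (timestamp, source) for every failed admin log-in line."""
    events = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6:
            continue  # malformed or truncated line; skip rather than crash
        _severity, _thread, date, time, _app, message = row[:6]
        match = FAILED_RE.search(message)
        if not match:
            continue
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        events.append((ts, match.group(1)))
    events.sort()
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per source.

    Returns {source: peak_failures_within_any_window} for every source whose
    peak reaches the threshold; sources below the threshold are omitted.
    """
    recent = defaultdict(deque)   # source -> timestamps inside the current window
    peak = defaultdict(int)       # source -> highest in-window count seen
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_LOG)
    for src, count in detect_bruteforce(failures).items():
        print(f"ALERT: {count} failed admin log-ins from {src} within 5 minutes")
```

Tune `threshold` and `window` to the environment; on a shared host, where many administrators legitimately mistype passwords, a higher threshold avoids noise, while a very short window catches scripted attempts that legitimate users never produce.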
This posting is provided “AS IS” with no warranties and confers no rights.